Hello, I’m Mostafa Elguerdawi. This write-up is about one of my recent reports; I will explain how I found it from zero, so let’s start.
First, let’s say my target was redacted.com.
Find sub-domain from Shodan
I decided to get my target’s favicon hash in order to find more subdomains through Shodan.
First I went to https://redacted.com/favicon.ico and checked the favicon.
Then I got the favicon hash using this Python code:
import codecs
import mmh3
import requests

url = input("Enter URL >> ")
response = requests.get(url)
favicon = codecs.encode(response.content, "base64")  # newline-wrapped base64, the form Shodan hashes
print(mmh3.hash(favicon))  # the value to use in the http.favicon.hash: query
Last, I went to Shodan and submitted this query: http.favicon.hash:<favicon-hash>
I found some new subdomains. After some testing I found one that appeared to be an admin panel.
Login with default credentials
I tried some default credentials, and one of them worked: admin:admin
After logging in successfully I didn’t find any important data or anything that could cause critical impact.
I decided to check the Burp Suite history requests, and I found an interesting one.
I sent it to Repeater.
I played around a bit with this endpoint until I got to know all the users on the site, by changing the endpoint from /api/v1/users/admin to /api/v1/users/ only!
BFLA: Broken Function Level Authorization
So what is BFLA?
Broken Function Level Authorization (BFLA) is a common API issue; it sits at position 5 of the OWASP API Top 10 2023 candidate list. Let’s take a closer look at this vulnerability.
BFLA allows unauthorized users to access functionality in API endpoints that should be restricted to a higher privilege level. The requests used in these attacks often look completely legitimate, so they pass through controls such as Web Application Firewalls; the fix has to be a server-side check of the caller’s role for each function (method plus resource), not just a check that the caller is logged in.
Normal request :
Next I tried BFLA to delete another user that I don’t have access to.
All I did was change GET /api/v1/users/user into DELETE /api/v1/users/user.
Yes, I only changed the request method from GET to DELETE.
Back to GET /api/v1/users/user
And I have successfully deleted the user.
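To show what the missing check looks like on the server side, here is an added example (my own illustration, not code from the write-up or from the affected application). It models a hypothetical authorization layer for the /api/v1/users/ endpoints: the vulnerable version only verifies that a session exists, so any logged-in account can list all users or DELETE another user, exactly the behaviour described above; the hardened version decides per method and per resource based on the caller’s role. The User type, the roles and the status codes are assumptions made for the example.

```python
import re
from dataclasses import dataclass


# Hypothetical account model, constructed for this example.
@dataclass(frozen=True)
class User:
    name: str
    role: str  # "admin" or "user"


# /api/v1/users/            -> collection (target is None)
# /api/v1/users/<username>  -> a single user
USER_PATH = re.compile(r"^/api/v1/users/(?P<target>[A-Za-z0-9_-]+)?$")


def vulnerable_authorize(user, method, path):
    """Authentication only: once logged in, every method on every user is allowed.

    This is the pattern behind the write-up: changing /users/admin to /users/
    or GET to DELETE is never checked against the caller's privileges.
    """
    if user is None:
        return 401
    if not USER_PATH.match(path):
        return 404
    return 200


def hardened_authorize(user, method, path):
    """Function-level authorization: the decision depends on method, resource and role."""
    if user is None:
        return 401
    match = USER_PATH.match(path)
    if not match:
        return 404
    if method not in ("GET", "DELETE"):
        return 405
    target = match.group("target")
    is_admin = user.role == "admin"

    if target is None:
        # Listing the whole user collection is an admin-only function.
        return 200 if is_admin else 403
    if method == "GET":
        # A user may read their own record; only admins may read others.
        return 200 if is_admin or user.name == target else 403
    # DELETE on a single user is an admin-only function, whoever the target is.
    return 200 if is_admin else 403


if __name__ == "__main__":
    bob = User("bob", "user")
    for method, path in [("GET", "/api/v1/users/"), ("DELETE", "/api/v1/users/alice")]:
        print(method, path, "vulnerable:", vulnerable_authorize(bob, method, path),
              "hardened:", hardened_authorize(bob, method, path))
```

The point of the hardened version is that the role check is tied to the function (method + resource), so a request that looks legitimate to a WAF is still rejected with 403 when a low-privileged session tries an admin-only action.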