Logical Bug which let me stop Users from Creating Ads at a Website

I found a vulnerability on a website that let me stop users from posting ads on that website. The technical impact of the bug is low, but the business impact is high.


About the Web Application

The web application has many features: any user can buy used cars, and any user can sell their old car on the site. The site also has forums, so any user can post articles about cars, and anyone can comment on or like other users' posts. To sell a car, a user needs to post an ad on the site. To post an ad, he needs to pay the site a fee. After payment, moderators approve his ad, and after approval everyone on the site can see it.
This is a private bug bounty program, so I can't mention the site's URL here. Assume the site URL is site.xyz.

What is the Type of Vulnerability?

The bug is a logical flaw. If an attacker can use or manipulate the working flow or the data flow of an application in a harmful way, it is called a logical flaw. I found this bug in the ad-creation feature.

Working Flow of the Feature

As I said, I found the bug in the ad-creation feature. To completely create an ad, a user must complete 5 steps. The bug lies between the 1st and 2nd steps.

1st step:

  • A user needs to enter the details of his car.

2nd step:

  • Fill in his contact details.

After submitting the 1st step, the following request is sent to the server.

POST Request 
Here, you can see that the value of the PostModel.AdvertId parameter is set to 0. So we can assume that no ad id is allocated at the 1st step.
I sent the request to Repeater and submitted it; I got the following 302 response.

Response


The 302 redirection URL looks like site.xyz/advert/details?advertid=4251070&sh=user. The AdvertId is present in this URL, so I could understand the working flow: after the 1st step is submitted, the server allocates a specific id to the ad and sends a 302 response redirecting the user to continue with step 2.
Working Flow


My play with the Logic

I created two accounts and opened them in different browsers. I tried to create an ad: I submitted the 1st step in the 1st browser through Burp and got a 302 response. I copied the redirection URL and opened it in the 2nd browser. It worked; I could fill in the 2nd step in the 2nd browser.
Then I tried to access the same URL in the 1st browser, but I got a 403 error.
So the logic is: the server sends a 302 response after the 1st step is submitted, and that redirection URL contains the advertId. When that URL is opened for the first time, the server determines the owner of the ad.
The server does not check whether the same user submitted the 1st step and then requested the redirection URL. So whichever user sends the redirection URL to the server first becomes the owner of the ad, and nobody else can access the ad after that first request.


But this was just a theory. In practice, after submitting the 1st step the user receives the 302 redirection URL, which contains the AdvertId, and nobody except the owner knows either the AdvertId or the redirection URL.
So I focused on the AdvertId: if we could guess the id, we could try something.
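The two weaknesses described above, ownership being assigned to whoever first opens the redirect URL and the id being guessable, can be modelled side by side with a hardened version that binds the owner at step 1 and uses random ids. This is an added example written for this write-up, not the site's code; the class names, the "victim"/"other" account names and the simplified request model are assumptions.

```python
import itertools
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse


@dataclass
class Advert:
    advert_id: str
    owner: Optional[str] = None  # None until an account is recorded as owner


class VulnerableAdService:
    """Reconstruction of the flow in the write-up (an assumption, not the
    site's code): step 1 allocates the next sequential id but records no
    owner; the first account to request the redirect URL is made the owner."""

    def __init__(self, first_id: int = 4251070):
        self._ids = itertools.count(first_id)
        self.adverts: Dict[str, Advert] = {}

    def submit_step1(self, user: str) -> str:
        advert_id = str(next(self._ids))
        self.adverts[advert_id] = Advert(advert_id)  # owner deliberately left unset
        return f"/advert/details?advertid={advert_id}&sh=user"  # 302 Location value

    def get_details(self, user: str, advert_id: str) -> int:
        ad = self.adverts.get(advert_id)
        if ad is None:
            return 404
        if ad.owner is None:
            ad.owner = user  # first visitor wins, whoever they are
        return 200 if ad.owner == user else 403


class HardenedAdService:
    """Owner is bound to the session that submitted step 1, before the
    redirect is issued, and ids are random so the next one cannot be guessed."""

    def __init__(self):
        self.adverts: Dict[str, Advert] = {}

    def submit_step1(self, user: str) -> str:
        advert_id = secrets.token_urlsafe(16)
        self.adverts[advert_id] = Advert(advert_id, owner=user)
        return f"/advert/details?advertid={advert_id}&sh=user"

    def get_details(self, user: str, advert_id: str) -> int:
        ad = self.adverts.get(advert_id)
        if ad is None:
            return 404
        return 200 if ad.owner == user else 403


def advert_id_from_location(location: str) -> str:
    """Pull advertid out of the 302 Location value."""
    return parse_qs(urlparse(location).query)["advertid"][0]


def ids_are_sequential(service) -> bool:
    """True when two consecutive step-1 submissions yield n and n+1."""
    first = advert_id_from_location(service.submit_step1("seller"))
    second = advert_id_from_location(service.submit_step1("seller"))
    return first.isdigit() and second.isdigit() and int(second) == int(first) + 1


def race_outcome(service) -> Tuple[int, int]:
    """'victim' submits step 1; 'other' requests the redirect URL first
    (as if it knew the id), then the victim follows the redirect.
    Returns (other_status, victim_status)."""
    advert_id = advert_id_from_location(service.submit_step1("victim"))
    other_status = service.get_details("other", advert_id)
    victim_status = service.get_details("victim", advert_id)
    return other_status, victim_status


if __name__ == "__main__":
    print("vulnerable:", race_outcome(VulnerableAdService()), ids_are_sequential(VulnerableAdService()))
    print("hardened:  ", race_outcome(HardenedAdService()), ids_are_sequential(HardenedAdService()))
```

In the vulnerable model the other account gets 200 and the creator gets 403, exactly the outcome the write-up reports; in the hardened model the ownership check is evaluated against the account that submitted step 1, so the order in which the redirect URL is requested no longer matters, and random ids remove the guessing that made the race reachable in the first place.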

How I Made it Work

I created 2 ads and found that the site uses an increment to assign ad ids: if the id of the 1st ad is 1000, the id of the 2nd ad will be 1001. For every new ad, 1 is added to the id.
So I created a dummy ad and found that its id was 4251070, so I knew the id of the next ad would be 4251071. I sent my request from the attacker account to Intruder and changed the id in the URL to 4251071. I set the payload type to null payloads with the payload option "continue indefinitely" and started the attack with 100 threads, so the request was sent continuously on 100 threads until I stopped it.
At this point the URL site.xyz/advert/details?advertid=4251071&sh=user was being sent to the server continuously on 100 threads.
After starting the attack I initially got 404 responses, because at that time no ad had the id 4251071. Then, from another account, I started to create an ad; after finishing the 1st step, the server allocated 4251071 as the id of that ad and sent the 302 response to my browser.

At this point the browser sent the URL site.xyz/advert/details?advertid=4251071&sh=user to the server, but before it could, Intruder had already sent the same request, because it was sending it continuously on 100 threads.

So the ratio of attacker requests to user requests is 100:1, giving the attacker's request roughly 100 times the chance of being received by the server before the user's request.

The server received the attacker's request first, so it set the attacker as the owner of the ad, and the user could no longer access it. In Intruder, 200 responses started to arrive, because by then the id 4251071 existed and was accessible to the attacker. If the user tried to access the ad with id 4251071, he would receive a 403 error.
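The server-side trace of what the paragraphs above describe is distinctive: one account receives a burst of 404s for an advert id that does not exist yet, then a 200 for that same id, while a different account gets 403 for it shortly after. The following added example (not part of the original write-up) runs that check over constructed access-log lines; the log format, the account names and the threshold are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed access-log format (assumption): timestamp, account, method, path, status.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def build_sample_log() -> List[str]:
    """Constructed log: a normal owner visit, one account polling an id that
    does not exist yet until it does, and the real creator being refused."""
    probe = "2024-01-01T10:00:01Z user=mallory GET /advert/details?advertid=4251071&sh=user 404"
    return (
        ["2024-01-01T10:00:00Z user=alice GET /advert/details?advertid=4251070&sh=user 200"]
        + [probe] * 30
        + [
            "2024-01-01T10:00:05Z user=victim POST /advert/create 302",
            "2024-01-01T10:00:05Z user=mallory GET /advert/details?advertid=4251071&sh=user 200",
            "2024-01-01T10:00:06Z user=victim GET /advert/details?advertid=4251071&sh=user 403",
        ]
    )


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into fields; None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parsed = urlparse(rec["path"])
    rec["route"] = parsed.path
    rec["advertid"] = parse_qs(parsed.query).get("advertid", [None])[0]
    return rec


def detect_id_probing(lines: List[str], threshold: int = 10) -> List[Tuple[str, str, int]]:
    """Return (user, advertid, probes) for each account that received at least
    `threshold` 404s for one advert id on /advert/details and then a 200 for
    the same id: it was polling an id that did not exist yet and then got it."""
    not_found: Dict[Tuple[str, str], int] = defaultdict(int)
    alerts: List[Tuple[str, str, int]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["route"] != "/advert/details" or rec["advertid"] is None:
            continue
        key = (rec["user"], rec["advertid"])
        if rec["status"] == 404:
            not_found[key] += 1
        elif rec["status"] == 200 and not_found[key] >= threshold:
            alerts.append((rec["user"], rec["advertid"], not_found[key]))
            not_found.pop(key)  # report each takeover once
    return alerts


if __name__ == "__main__":
    for user, advert_id, probes in detect_id_probing(build_sample_log()):
        print(f"possible advert takeover: {user} polled advertid={advert_id} {probes} times before 200")
```

A 403 for the same advert id from a different account right after the flagged 200 corroborates the alert, since under normal use the only account that ever requests a fresh redirect URL is the one that just submitted step 1. Rate-limiting 404s on the details endpoint per account would also blunt the 100-thread polling, but it is a mitigation, not a fix; the fix is binding ownership at step 1.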

How to Make it Work Continuously

If we want this method to work continuously, we would need to write a script. I didn't write one, but I showed in the report that such a script could be written:

    id = 4251071
    while True:
        # code to send the request for this id and check the response (elided in the original)
        if response == 404:
            continue        # no ad has this id yet, keep polling
        elif response == 200:
            id += 1         # this id is now owned, move on to the next one
            continue

Impact

This vulnerability has no technical impact on the site, but it has the following business impacts:
  • No user can create ads on the site, because after the attack each newly created ad belongs to the attacker.
  • To create an ad, a user needs to pay the site; if users are unable to create ads, the site's income is affected.
If you have any comments or feedback, please post below.
You can follow me on Twitter.
Thanks for reading.
