Exposing All Buyers’ Invoices PII — Hard Coded Credentials

Ayman
3 min read · Jun 19, 2023

Introduction:

In cybersecurity, uncovering vulnerabilities takes a combination of curiosity, persistence, and technical skill.

It was during one such exploration that I came across a subdomain, https://cloud.z.xxxxxxx.com, that turned out to hold a critical vulnerability. What began as a routine look at an unremarkable host ended with a flaw that allowed access to all buyers’ invoices, potentially exposing their personally identifiable information (PII).

In this writeup, I will walk you through the steps I took, the techniques I employed, and the astonishing discoveries that unfolded as I navigated through this intricate web of digital security.


Reconnaissance and Initial Discovery:

During the reconnaissance phase, I came across an interesting subdomain: https://cloud.z.target.com

It sparked my interest, so I dug deeper into its contents.

I started with content discovery: directory fuzzing, parameter fuzzing, and looking up archived URLs.

The Promising URL:

I discovered a specific URL in the Wayback Machine:

https://cloud.z.target.com/invoice-download

It immediately caught my attention as a likely sensitive endpoint.

I opened the URL in a browser and, to my surprise, an invoice downloaded without any authentication at all (broken access control).

Unveiling the Trick:

The download took longer than expected, so I examined the Network tab in the developer tools. It revealed several background redirects before the PDF arrived.

Uncovering the JavaScript Code:

Examining the JavaScript in the initial response from https://cloud.z.target.com/invoice-download, I found a variable called AuthToken holding a bearer token (see the screenshot), together with an Apigee API endpoint and the variables it is called with. In other words, the credential that the gateway trusted was hard-coded into a page served to unauthenticated visitors.

Armed with the token and the endpoint, I constructed a wget command that reproduced the request directly:

~$ wget --header "Authorization: Bearer xxxxxxxxxxxxxxxxxxxx" "https://xxxxxxxxxxxx.apigee.net/customer/v1/getinvoicepdf?InvoiceNo=000000000" -O invoice.pdf

This command allowed me to successfully download the invoice.
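As an added example (not part of the original writeup, and not the author's tooling), the snippet below shows how the same discovery can be made mechanically: it scans a constructed JavaScript sample for variables named like credentials, pulls out any Apigee base URL and API path, and assembles the equivalent authenticated request object without sending it. The sample JS, token value, host name and variable names are all made up for this example; the real page's values are redacted in the writeup.

```python
import re
from urllib.parse import urlencode
from urllib.request import Request

# Constructed sample of the kind of client-side JavaScript the writeup describes:
# a bearer token and an Apigee endpoint embedded in a page anyone can fetch.
# Every value here is invented for the example.
SAMPLE_JS = r"""
var AuthToken = "eyJhbGciOiJIUzI1NiJ9.c2FtcGxl.c2lnbmF0dXJl";
var apigeeBase = "https://example-org-prod.apigee.net";
var invoicePath = "/customer/v1/getinvoicepdf";
function downloadInvoice(no) {
  return fetch(apigeeBase + invoicePath + "?InvoiceNo=" + no,
               { headers: { "Authorization": "Bearer " + AuthToken } });
}
"""

# Variable or property names that usually hold a credential, assigned a long
# quoted literal. Names are matched case-insensitively (AuthToken, apiKey, ...).
TOKEN_VAR_RE = re.compile(
    r'\b(\w*(?:token|auth|apikey|api_key|secret)\w*)\s*[:=]\s*["\']([^"\']{16,})["\']',
    re.I,
)
# Apigee-hosted API bases and quoted absolute paths that may be joined onto them.
APIGEE_URL_RE = re.compile(r'https://[\w.-]+\.apigee\.net[\w/.-]*')
PATH_RE = re.compile(r'["\'](/[\w/.-]+)["\']')


def find_hardcoded_tokens(js):
    """Return (variable_name, value) pairs for credential-looking assignments."""
    return TOKEN_VAR_RE.findall(js)


def find_apigee_endpoints(js):
    """Return every apigee.net base joined with every quoted API path found."""
    bases = APIGEE_URL_RE.findall(js)
    paths = PATH_RE.findall(js)
    return [base + path for base in bases for path in paths]


def build_invoice_request(endpoint, token, invoice_no):
    """Build (but do not send) the request the wget command in the writeup makes."""
    url = f"{endpoint}?{urlencode({'InvoiceNo': invoice_no})}"
    return Request(url, headers={"Authorization": f"Bearer {token}"})


if __name__ == "__main__":
    for name, value in find_hardcoded_tokens(SAMPLE_JS):
        print(f"hard-coded credential: {name} = {value[:8]}...")
    for endpoint in find_apigee_endpoints(SAMPLE_JS):
        print(f"api endpoint: {endpoint}")
```

The point of the scan is the first regex: a credential assigned to a client-side variable is, by construction, available to anyone who can load the page, so any API that accepts it as proof of identity accepts everyone.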

Escalation:

Notably, changing the value of “InvoiceNo” returned other customers’ invoices: the API looked the invoice up by number alone and never checked that it belonged to the caller, so every invoice on the platform, and the buyer PII inside it, was reachable with the same hard-coded token (screenshot: “Accessing All Invoices”).

The Alarming Implications:

The implications went far beyond a single invoice. The token embedded in the page was a single shared credential rather than a per-user session, and the gateway authorized on that token alone, so anyone who read the JavaScript could iterate over “InvoiceNo” and retrieve every buyer’s invoice. That put the personally identifiable information (PII) of all buyers at risk of exposure. I have attached two screenshots as evidence of the severity of this issue.
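To make the two defects concrete, here is an added example (my own illustration, not the platform's code) of a minimal invoice endpoint in the flawed shape the writeup describes, beside a fixed version, with a small enumerator that plays the escalation step against each. The invoice store, session table, token values and customer IDs are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    number: str
    customer_id: str
    buyer_name: str  # stands in for the PII an invoice PDF carries


# Constructed invoice store standing in for the platform's database.
INVOICES = {
    "000000001": Invoice("000000001", "cust-A", "Alice Example"),
    "000000002": Invoice("000000002", "cust-B", "Bob Example"),
    "000000003": Invoice("000000003", "cust-A", "Alice Example"),
}

# Flawed design: one static token, the kind found hard-coded in the page's JS.
SHARED_TOKEN = "shared-client-token"  # constructed value

# Fixed design: opaque per-user session tokens issued after login.
SESSIONS = {"tok-alice": "cust-A", "tok-bob": "cust-B"}  # constructed values


class Forbidden(Exception):
    pass


def get_invoice_vulnerable(bearer, invoice_no):
    """Mirrors the flaw: everyone presents the same token, lookup is by number only."""
    if bearer != SHARED_TOKEN:
        raise Forbidden("bad token")
    return INVOICES.get(invoice_no)


def get_invoice_fixed(bearer, invoice_no):
    """Authenticate the caller, then authorize the specific object they asked for."""
    customer = SESSIONS.get(bearer)
    if customer is None:
        raise Forbidden("unauthenticated")
    inv = INVOICES.get(invoice_no)
    # One response for both "does not exist" and "not yours", so the numbering
    # space cannot be probed to learn which invoice numbers are in use.
    if inv is None or inv.customer_id != customer:
        raise Forbidden("no such invoice")
    return inv


def enumerate_invoices(handler, bearer, start, count):
    """Walk sequential InvoiceNo values, the escalation step from the writeup."""
    found = []
    for n in range(start, start + count):
        try:
            inv = handler(bearer, f"{n:09d}")
        except Forbidden:
            continue
        if inv is not None:
            found.append(inv.buyer_name)
    return found


if __name__ == "__main__":
    print("vulnerable:", enumerate_invoices(get_invoice_vulnerable, SHARED_TOKEN, 1, 5))
    print("fixed, as Alice:", enumerate_invoices(get_invoice_fixed, "tok-alice", 1, 5))
    print("fixed, leaked token:", enumerate_invoices(get_invoice_fixed, SHARED_TOKEN, 1, 5))
```

Two independent fixes are needed, and either alone is insufficient: replacing the shared token with per-user sessions stops anonymous access but still lets a logged-in buyer read everyone else's invoices, while adding the ownership check without removing the shared token still lets anyone who reads the JavaScript act as a single all-powerful caller.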

Conclusion:

In this writeup, I have walked through the discovery of a critical vulnerability that allowed unrestricted access to buyers’ invoices, potentially exposing their personally identifiable information (PII). An archived URL led to an unauthenticated download, the page’s own JavaScript exposed the hard-coded token the API trusted, and a single predictable parameter turned one invoice into every invoice. The flaw demanded immediate remediation, and I hope this account underlines the value of thorough security assessments and of never shipping credentials to the client.

Feel free to DM me on twitter for any questions.
