Full transcript of ai-recon-500-bug. Source: https://www.youtube.com/watch?v=kmm1Y_QZqjY

Hello everyone. Welcome back to the new video. And I’m so grateful to you all because we have reached 20,000 plus subscribers by now. And this is crazy. I really wasn’t expecting this. I was asking for at least 15k subs. But yeah, here we are. And now [music] let’s get into the video. So today’s topic is about the bug that I found about a logic flaw [music] that let me delete any users I mean the admin users data through an IDOR. So I’ll tell you how I found this bug, how I analyzed it cuz it was not a normal IDOR. I’ll tell you how I did my analysis as well as I’m going to show you a lab that I created which replicates the real application a lot [music] so you’ll understand it better. Okay. So let’s get into it. [music] So I have the application already running and [music] in my web browser you can see this is how this looks like. I created a demo lab. Obviously this was more complex than this. there’s a lot more functionality but yeah so there were different types of role like admin normal user admin could create multiple user a user who could have read permission [music] or edit permission or just a normal invite user who doesn’t have any permission yet I don’t know there were like multiple of them I think uh you could customize it a lot so much of customization but I’m keeping it pretty simple here just a normal admin user and a login user so if I log in as admin. [music] You can see here are some functionality admin UI and it is only visible to admin. So there are some options like retail A, retail B, retail C [music] and these things have both delete and edit option and create option [music] but I found a IOR in delete operation cuz I was able to delete a retail ID of admin [music] despite being a normal user. I shouldn’t be able to even see this in my UI. But [music] yeah, so that’s why I have created uh the delete buttons here cuz I’m going to demonstrate you. And let me log out and login as user. So this is a normal user who doesn’t have much permissions. I cannot see that UI as well because that is only for admins. But let me show you some endpoints in the back end. There must be here. Yeah. So as you can see get profile this is the normal user and this is the normal user data. Cool. Now what we want to do here is let me log out and [music] log in as admin. Turn off intercept and I’m going to capture this uh delete [music] operation. So here is the delete operation. This is how it looks like. So as you can see it says vendor, retail, chain, delete and a particular ID. So this ID was four in digit really similar [music] I would say not similar exactly as same of how that delete request looked like. I’ll show you the write up as well after this which I have written for that bug. [music] But yeah and here we can see the HTTP method is delete. And over here we also have this ID. [music] But in this case the ID worked uh from the bot in the URL. So if you try to change it here it might not work but in this case it will work. So let’s send this request to repeater [music] and I’m going to drop this request because we don’t want to delete it from admin. We want to delete it with a normal user privileges. Let me log out and login is user intercept on capture [music] the request and here we have the profile. I’m going to send this to repeater as [music] well. Now let me maximize this so you can understand it better. As you can see here we have a JWT token. So if I click on this JWT token tab, you can see the [music] claims header and payload and everything. So this is a normal user and this request we captured on the user with admin privileges. This one is different as you can see the role here is admin. So this endpoint is only available to admin or should be. So now what I’m going to do here is I’m going to take the JWT token this whole thing of a normal user copy it and go here and paste it. So now I’m trying to perform this delete operation with the session tokens or the JWD token of a normal user. So if you send this request normally it should say 401 or 403 forbidden. [music] You’re not allowed to do that because you don’t have the permission to do so. Like I have pasted this token of low privilege user here and I can show you the proof. As you can see this is low privilege user. Let me send the request and it says 200. Okay, success. And it says owner is actually admin but still I was able to delete it. Okay, let’s confirm it if we have actually deleted it. I’m going to log in as admin over here and you can see retail A is gone. It means an attacker can enumerate [music] ids here because it’s just hoarded. It’s pretty easy to enumerate. They can just brute force [music] it and we’ll be able to perform this delete operation on admin’s account without having permission to do so. So, this is really crazy. So, as you can see, it says retail chain. Basically, this was related to some uh retail stores cuz this was a seller application where you could sell stuff uh at your products and add business uh owners or employees or anyone who want to collaborate on that. So, there was more to it. Now, let me show you the write up. So, now it’ll make more sense cuz I’ve just showed [music] you whole practical view. It’s over here. Okay, so this is the write up that I wrote and this earned me $500 for this single id that leads to unauthorized deletion. Let me maximize it. Okay, so I have written more details about the application here. Let me read it for you. And as I said, due to response to our disclosure policies, I cannot review you the actual target. But this platform is a vendorf facing web application designed to facilitate business partnerships and it enables organization to manage thirdparty vendors through a structured onboarding process and it contains different types of functionalities like user invitation, account activation, [music] role assignment, retail ID management. So this retail ID management is the one that I exploited [music] and as I said there were so many roles with granular permissions and everything but [music] yeah actually this application led me to found multiple errors. This is just one of them that I’m showing you that uh allowed me to perform that delete [music] operation. So you can definitely read this if you like reading it. But I wanted to show you a practical view. That’s why I created that lab. So yeah, as you can see, this is literally same as the one I showed you except the name of the uh JW token is token WBAI. So everything else remains same. And the way I just showed you is exactly how you test for access controls and idors. If you want to automate it, of course, you can use authorize for it. It will make things much easier for you. But I wanted to show you like how things works first then only you should automate stuff. [music] So that’s how it was working and I hope you learned something new from this bug. Now a lot of you will think okay I understand how this works. I know how to test for it but I’m not able to find such kind of application and that’s the game of bug bounty. You have to recon in a way to find such applications before other bug hunters do or basically if they miss even if they find it. So you have to be faster in that and you have to speed up your recon and try different kind of tools or even if you know the same tools you have to speed it up right and for that I’m going to introduce you this tool panel.ai AI which is also the sponsor of this video. So, thank you so much for sponsoring this and let me show you how this works now. Okay, so let me give you a quick introduction of pen legend.ai which is the world’s first agentic AI hacker. So you can just simply download this from this download button and you can do this for KI and Mac and for Windows it will be coming soon. But yeah, it’s pretty easy to install. Once you download it, all you have to do is run this command. Let me show you. DPKG and then you can just depackage this step file [music] and once it’s done just search up pen legend and you’ll see it over here. Then you can just run it and you will get this UI which is pretty interesting and I’ll tell you everything how it works. This is going to be a game changer for your bug bounty hunting and pentesting. Okay. So once you have it installed, you can go to settings and from there you will see a little login button here cuz I have already created account. Uh I’m seeing my email and user settings and stuff but you’ll see a login button and once you click on the login button you will be redirected to the login page where you can just provide your email resolve the capture and once your email is verified it will automatically log you in pennigent AI and once you’re all set you can simply start testing your target. Okay, so let me give you a quick overview. In the left side, you can see chat history. Then over here you see task overview where it does all kind of phases that comes in pentesting like recon and asset discovery, scanning, vulnerability identification, vulnerability exploitation, verification and it also generates a report for you. So it’s pretty easy. On the right side you will see the status results and risk. [music] But let me provide a target. So as you can see I have this uh OS2 shop running over here. So this is my target. I’m going to copy the IP address. You can also provide uh the domain name or the IP address. So I’m just going to provide the IP address here just like this and send. It’s going to think and do some processing and it will give you a list of commands like what commands to run on it. And here you can see all the commands. So here you also have the option to uncheck and check [music] a command. For example, if you want to run these commands, just keep it checked. But let’s say I don’t want to um [music] run this command. Okay, let’s say this one. So I’m going to uncheck it like this. And I want to leave rest as is. You can see the simplest thing here is you usually have to type all these commands in your terminal to do reconnaissance and everything. But this tool is giving you all the commands. All you have to do is just click on this execute selected tools. Now the next step is started. Tool execution is in progress. Oh, by the way, Penleent has more than 200 plus integrated tools in it. And as you can see, it’s analyzing the results of each tool. Over here it says [music] analysis and over here you can see the results. So every tool that you run you will see a results of each command over here like this end mapap and uh this curl command and you can see successfully retrieved robots.txt for this particular and it has this disallow FTP. So you can also see what’s the content of that file. So if you are performing brute force you can see all those results over here. So it’s pretty easy for you. Okay. So here’s the result of wet web as well. Let me click to expand. And you can see a better view now. It’s showing you the title, the headers like over here you can see the user agent it’s using and some basic stuff like the headers, server headers. Okay. On the left side you can see the task overview tabs are glowing in blue because this is what’s happening. Okay. Now here you can see it’s saying comprehensive security testing plan. It already generated a plan for you. You have to provide your target and it will create a plan for you of how you’re going to perform this test. So it has generated multiple tools for you and again you can select it or unselect it. So I’m going to unselect the nicto one and I’m going to leave the go buster on which I think will take a little bit of time but it’s fine. Let’s execute selected tools again. So now it’s analyzing tool execution results means it’s going to analyze the results it got from the drules that were run before like these. So it has already found some critical findings and the [music] first finding is SQL injection which is really critical because SQL injection allows you to retrieve any data from the database. So this was the evidence of what was run and what’s the impact, what’s the confidence. It’s showing you everything. It’s also telling you that it is error-based SQL injection. So that’s crazy. Another is directory listing enabled on FTP. Another is broken access control admin API exposed and it allows access without authentication and it’s again showing you the impact and the confidence and again we have another finding that is detailed stack trace exposure. So this is pretty crazy as well. It’s also showing the express version. If you want to do comprehensive exploitation and further testing, it’s going to generate more commands for you. For example, it has found that the application is vulnerable to SQL injection. But to enumerate for more findings like to actually exploit um to get more results, you have to run SQL map, right? That’s what you usually do when you are testing. But again, you don’t even have to type or think of the command. It has created command for you. All you have to do is just run it. And of course again you can see all the results over here as well. And in the risk tab you can see all the findings you got. And over here you can see you can also export this penetration testing report. Okay. I hope this makes you understand now how you can utilize this tool to speed up your recon process either your pen testing or bug hunting. So you should definitely check it out. I’ll provide the link in the description. Okay guys that’s it for today’s video. I hope you enjoyed watching it and I hope you learned something new from this one. Let me know your thoughts in the comments section [music] and I’ll see you in the next one.