Write-up author: jon-brandy
A client asked me to perform security assessment on this password management application. Can you help me?
- NONE
- After installing the APK and opening it, enter your host, then intercept the request sent from the login page.
[Screenshot: intercepting the request with Burp]
[Screenshot: request in Repeater]
- Let's create a user then.
[Screenshot: creating a user (register)]
- Great, in the response tab we can see our role and id.
- This could be an IDOR vuln, but there's no id parameter in the request.
- After logging in, we have an update feature which we could use to change another user's password by their id, if there is an id parameter in the update request.
[Screenshot: update request] Opened manage.php; turns out there is no id param.
- Stuck for a while until I tried to register the username admin, and it says "username already taken".
[Screenshot: credential (username) enumeration vuln]
- Knowing this, let's try to change the password again, but this time set the username to admin and the password to a random string. Log in again using the account we made before and intercept the update account request.
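The root cause is that the update handler takes the account to modify from the request body instead of from the session. The following is an added example, not the challenge's own PHP code: a small Python model of the update endpoint in its vulnerable and hardened forms, plus a detector that flags update requests whose body username differs from the logged-in user. The function names, the in-memory user store, the request shape and the log format are all assumptions.

```python
import re

# Constructed in-memory user store standing in for the app's database
# (assumed shape; the real schema is not on the page).
USERS = {
    "admin":  {"id": 1, "role": "admin", "password": "admin-original-pw"},
    "tester": {"id": 2, "role": "user",  "password": "tester-original-pw"},
}


def fresh_users():
    """Return a deep copy of the store so each scenario starts clean."""
    return {name: dict(rec) for name, rec in USERS.items()}


def update_password_vulnerable(users, session_user, body):
    """Models the flaw in the write-up: the account to modify is read from
    the request body ('username'), so any logged-in user can pick any account."""
    target = body.get("username")
    if target not in users:
        return {"ok": False, "error": "no such user"}
    users[target]["password"] = body["password"]
    return {"ok": True, "updated": target}


def update_password_fixed(users, session_user, body):
    """Hardened form: the target is always the authenticated session owner.
    A 'username' in the body that names another account is rejected rather
    than honoured, which also gives the server something to log."""
    if session_user not in users:
        return {"ok": False, "error": "not authenticated"}
    if body.get("username") not in (None, session_user):
        return {"ok": False, "error": "forbidden"}
    users[session_user]["password"] = body["password"]
    return {"ok": True, "updated": session_user}


# Assumed access-log layout: session user, path and the username field
# from the request body are all written on one line.
LOG_RE = re.compile(
    r"user=(?P<user>\S+) path=(?P<path>\S+) body_username=(?P<body_user>\S+)"
)

# Constructed sample log lines; the second one is the cross-account update.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z user=tester path=/manage.php body_username=tester
2024-01-01T10:00:05Z user=tester path=/manage.php body_username=admin
2024-01-01T10:00:09Z user=admin path=/manage.php body_username=admin
"""


def find_cross_account_updates(log_text):
    """Return (session_user, body_username) pairs where an update request
    to manage.php named an account other than the one logged in."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m["path"] == "/manage.php" and m["user"] != m["body_user"]:
            hits.append((m["user"], m["body_user"]))
    return hits


if __name__ == "__main__":
    users = fresh_users()
    print("vulnerable:", update_password_vulnerable(
        users, "tester", {"username": "admin", "password": "new-pw"}))
    users = fresh_users()
    print("fixed:", update_password_fixed(
        users, "tester", {"username": "admin", "password": "new-pw"}))
    print("log hits:", find_cross_account_updates(SAMPLE_LOG))
```

The fixed handler never needs a username from the client at all; if the form still sends one, treating a mismatch as an error (and logging it) turns this class of attempt into a detectable event rather than a silent success.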
- Great! Now let's log in again as admin.
[Screenshot: result]
- Got the flag!
HTB{b4d_p@ss_m4n@g3m3nT_@pp}