I started with normal usage of the site, registering my own account on each of the websites.
The goal set by the client was to access a restricted set of photos in a certain account, plus notify them of any other security vulnerabilities I found.
3/x
👇
I uploaded photos of my own, purchased an item, sent DMs, & paid for access to a private cam.
In other words, just used the site as a normal user.
This is when I noticed some rather racy things.
It's important to understand a few things about security testing...
4/x
👇
In penetration tests & bug bounties, you are paid & appreciated in tiers.
Each security bug you find is worth a certain amount, & reporting lower-tier "informational" bugs is often unpaid or frowned upon.
⚠️Never fail to document/report a bug, no matter how small.⚠️
5/x
👇
The 1st bug I noticed was the site had a very lax password policy.
These days a password of just numbers & letters is brute-forced in minutes. Website owners need to enforce a complexity requirement.
This site only required numbers/letters. Only 5 characters minimum.
6/x
👇
The next bug was that none of the login, registration, or forgot password pages had rate limiting enabled.
This meant I could spam logging in, creating accounts, & resetting passwords.
7/x
👇
Bug 3: The site also responded with different error messages if you tried to register or use the forgot password function with a user email that already existed. Something like:
"That email has already been registered" for the registration page.
& ...
8/x
👇
"Password reset sent" vs "Email not found" on the forgot password page.
While this was enough to start brute-forcing accounts with large lists of public emails and passwords, the next bug really did the site in.
The site also allowed login by username or email.
9/x
👇
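The rate-limiting and account-enumeration bugs in tweets 7 to 9 have one combined fix: throttle per client address and per target account, and return exactly the same message whether or not the email exists. The example below is added here to illustrate that; it is not code from the thread or from the site being tested. The user store, the mail queue and the IP addresses are constructed placeholders.

```python
import time
from collections import defaultdict

# Constructed sample user store (placeholder addresses, not real accounts).
REGISTERED_EMAILS = {"alice@example.invalid", "bob@example.invalid"}
SENT_EMAILS = []   # stand-in for the outbound mail queue


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key.

    Callers key on the client address AND on the target account, so one
    address cannot spray many accounts and many addresses cannot all
    hammer one account."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self.events = defaultdict(list)

    def allow(self, key):
        now = self.clock()
        recent = [t for t in self.events[key] if now - t < self.window]
        if len(recent) >= self.limit:
            self.events[key] = recent
            return False
        recent.append(now)
        self.events[key] = recent
        return True


# One fixed message per endpoint, regardless of whether the account exists.
FORGOT_MESSAGE = "If that address is registered, a reset link has been sent."
REGISTER_MESSAGE = "Check your inbox to finish creating your account."
THROTTLED = "Too many requests, please try again later."


def forgot_password(email, client_ip, limiter):
    if not limiter.allow(("ip", client_ip)):
        return 429, THROTTLED
    if not limiter.allow(("account", email.lower())):
        return 429, THROTTLED
    # The only branch that differs is invisible to the caller: the response
    # body and status are identical for known and unknown addresses. In a
    # real deployment the send is queued so timing does not differ either.
    if email.lower() in REGISTERED_EMAILS:
        SENT_EMAILS.append(("reset", email))
    return 200, FORGOT_MESSAGE


def register(email, client_ip, limiter):
    if not limiter.allow(("ip", client_ip)):
        return 429, THROTTLED
    if email.lower() in REGISTERED_EMAILS:
        # Tell the existing owner someone tried to re-register, but give the
        # requester the same message a fresh sign-up would get.
        SENT_EMAILS.append(("already-registered", email))
    else:
        SENT_EMAILS.append(("verify", email))
    return 200, REGISTER_MESSAGE
```

The per-account key matters as much as the per-address one: with only an address limit, a distributed attempt against a single account would never be throttled.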
💀When resetting a password, the site sent you a temporary password, then later asked you to change it.
It used the bad password complexity rules to set the temporary password. 💀
10/x
👇
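Tweets 6 and 10 describe two halves of the same problem: a weak policy for user-chosen passwords, and temporary passwords generated under that same policy. Here is an added example, not from the thread or the site, of what the defensive side looks like: a policy check with a breach blocklist, a keyspace calculation that shows why 5 alphanumeric characters is hopeless, and a temporary-credential store whose values are long, drawn from the full alphabet with `secrets`, stored only as hashes, expiring, and single use. The blocklist and user ids are constructed placeholders.

```python
import hashlib
import math
import secrets
import string
import time

# Constructed stub of a breached-password blocklist (a real one has millions of entries).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}

CHAR_CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]


def keyspace_bits(alphabet_size, length):
    """Entropy of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def check_password_policy(pw, min_len=12):
    """Return a list of problems; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    present = sum(1 for cls in CHAR_CLASSES if any(ch in cls for ch in pw))
    if present < 3:
        problems.append("needs at least three of: lowercase, uppercase, digits, symbols")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears on the breached-password blocklist")
    return problems


def generate_temporary_password(length=20):
    """CSPRNG-generated, guaranteed to contain every character class."""
    chars = [secrets.choice(cls) for cls in CHAR_CLASSES]
    alphabet = "".join(CHAR_CLASSES)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


class TemporaryCredentialStore:
    """Temporary passwords are kept only as hashes, expire, and work once.

    SHA-256 is acceptable here only because the value is 20 random characters;
    user-chosen passwords need a slow hash such as bcrypt or Argon2 instead."""

    def __init__(self, ttl_seconds=900, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self.records = {}   # user_id -> (sha256 hex digest, expiry timestamp)

    def issue(self, user_id):
        pw = generate_temporary_password()
        digest = hashlib.sha256(pw.encode()).hexdigest()
        self.records[user_id] = (digest, self.clock() + self.ttl)
        return pw   # delivered out of band; never logged or stored in the clear

    def redeem(self, user_id, candidate):
        record = self.records.get(user_id)
        if record is None:
            return False
        digest, expires = record
        if self.clock() > expires:
            del self.records[user_id]
            return False
        ok = secrets.compare_digest(digest, hashlib.sha256(candidate.encode()).hexdigest())
        if ok:
            del self.records[user_id]   # single use
        return ok
```

One caveat on the composition rule: NIST SP 800-63B favours length plus a breach blocklist over mandatory character-class rules, so the `present < 3` check is the thread's recommendation rather than the only defensible one; the minimum length and the blocklist are the parts that do most of the work.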
I quickly reset the password to the account the owner had asked me to prove access to, and then brute-forced the temporary password.
I was in.
I also ran the simple brute-force against 5 character accounts and found that most users only used the minimum complexity.
11/x
👇
Often, there is an admin user to a site like this. I attempted to reset "admin" & "administrator".
It worked; I had complete access to the admin of the site.
I could ban, feature, & impersonate any user. 😬
I could artificially inflate the user count of the site. 😬
12/x
👇
Having achieved almost ultimate access, I had a lot of time to look for more technical vulnerabilities.
I found several insecure direct object reference vulnerabilities...
13/x
👇
When using the site to upload images the site sent a POST request to something like:
/upload/[randomNumber]/[guid]
The random number above was a user identifier number. It was sequential and guessable...
14/x
👇
I went into my account, started to upload a photo, trapped the request in a proxy, & replaced the randomNumber with another.
My image uploaded to another user's account.
I could also use a similar tactic to change the names of their photos, descriptions, & album names.
15/x
👇
The same identifier was used in the private cam room screening, so I paid for one access to a private cam show and then changed its randomNumber to another.
I now had access to all cam shows. They were also easy to download.
16/x
👇
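The IDOR bugs in tweets 14 to 16 all come from the same mistake: an identifier in the request is used as the authority for whose data is touched. Below is an added example, not the site's code, that keeps the `/upload/[userId]/[guid]` URL shape from the thread and shows the trusting handler next to a hardened one, plus the same check applied to renaming a photo and to streaming a paid cam show. Sessions, user ids, GUIDs and the purchase ledger are constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Authenticated principal, populated by the server from the login cookie.
    Nothing in the URL path or request body may override it."""
    user_id: int


# Constructed sample state: two users (101, 202) and one purchased cam show.
PHOTOS = {}                        # guid -> {"owner": user_id, "name": str}
CAM_PURCHASES = {101: {"show-7"}}  # user_id -> set of shows that user paid for

UPLOAD_PATH = re.compile(r"^/upload/(\d+)/([0-9a-f-]{36})$")


def vulnerable_upload(path, session, name):
    """Mirrors the bug in the thread: the user id in the path is trusted as the owner."""
    m = UPLOAD_PATH.match(path)
    path_user, guid = int(m.group(1)), m.group(2)
    PHOTOS[guid] = {"owner": path_user, "name": name}
    return 201, path_user


def hardened_upload(path, session, name):
    m = UPLOAD_PATH.match(path)
    if not m:
        return 404, None
    path_user, guid = int(m.group(1)), m.group(2)
    # Authorization: the referenced object must belong to the authenticated
    # principal. Answering 404 rather than 403 avoids confirming that the
    # other user's id exists.
    if path_user != session.user_id:
        return 404, None
    PHOTOS[guid] = {"owner": session.user_id, "name": name}
    return 201, session.user_id


def rename_photo(guid, new_name, session):
    """The same ownership check covers rename, description and album endpoints."""
    photo = PHOTOS.get(guid)
    if photo is None or photo["owner"] != session.user_id:
        return 404
    photo["name"] = new_name
    return 200


def cam_stream(show_id, session):
    """Paid content: entitlement comes from the purchase ledger keyed by the
    session's user, never from an identifier the client supplies."""
    if show_id not in CAM_PURCHASES.get(session.user_id, set()):
        return 403, None
    return 200, f"stream-url-for-{show_id}"   # placeholder for a real short-lived signed URL
```

Making the user id non-sequential (a UUID instead of a counter) would slow this down but is not a fix: the check against the session is what closes the hole, and the guessable id only made it easy to find.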
☠️And finally, their store had a SQL Injection bug in an "id" parameter. I had access to all their customer orders. ☠️
Testers always fuzz anything with "id" in it.
That's it for now!
🚨follow, retweet, & like for more hacker stories!🚨
18/x
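For the store's `id` parameter, the defensive pattern is to validate the type, bind the value instead of splicing it into the query text, and scope the lookup to the logged-in customer so even a valid id cannot fetch someone else's order. This is an added illustration, not the site's code; the in-memory SQLite table and its three orders are constructed for the example.

```python
import sqlite3


def build_store():
    """In-memory stand-in for the shop database, seeded with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total_cents INTEGER)")
    db.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", 1999), (2, "bob", 4500), (3, "carol", 120)],
    )
    return db


def vulnerable_order_lookup(db, raw_id):
    """The pattern the thread describes: the `id` parameter is spliced into the SQL text,
    so anything the client sends becomes part of the query."""
    query = "SELECT id, customer, total_cents FROM orders WHERE id = " + raw_id
    return db.execute(query).fetchall()


def hardened_order_lookup(db, raw_id, session_user):
    """Validate the type, bind the value, and scope the row to the caller."""
    try:
        order_id = int(raw_id)
    except (TypeError, ValueError):
        return 400, []
    rows = db.execute(
        "SELECT id, customer, total_cents FROM orders WHERE id = ? AND customer = ?",
        (order_id, session_user),
    ).fetchall()
    return (200, rows) if rows else (404, [])
```

The `int()` conversion rejects anything that is not a number before the database sees it, the `?` placeholders mean the driver never treats the value as SQL, and the `customer = ?` clause is the authorization check that the IDOR bugs earlier in the thread were also missing.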