Object name Exposure — ING Bank Responsible Disclosure Program

Heading: Object name Or Internal Architecture Getting Exposed because Of Deserialisation Error
NOTE: Usually i only copy/paste my conversation in medium am not having enough time to write these blog posts properly i am sharing this only for learning purpose not for earning my followers. 😐 👊
Hi, I am Rohit Kumar a Security Researcher and Bug Hunter from India.
Vulnerability: Information Disclosure & Internal Architecture Disclosure
— — — — — — — — — — — — — — — -
Reproduction Steps
— — — — — — — — — — — — — — — -
1. Login into => https://developer.ing.com
2. Now go to your Profile for Updating it
3. Edit your name and save it (At this step intercept your request using burp suite)
4. Now, At this endpoint
PATCH /individuals/791345bc-9444–4edc-9955–1b78e86fddfd/individualNames/EifQPFiEYfMiU- 3FODj3sT736QkPuGe4nigpckH2fEqkaitoTfuLjGG3Lu9UDN84DDCkrGf0y8Lx89HLHcUrFfcb HTTP/1.1
Host: api.developer.ing.com
You will notice a json text in request body like this
{“individualName”:{“lastUpdateUser”:”external-id-means”,”firstName”:”Geeky bbc”}}
5. Now, Change “firstName” key to anything like “test”. So, final request body will be like
{“individualName”:{“lastUpdateUser”:”external-id-means”,”test”:”Geeky bbc”}}
6. Now, forward or repeat this request. it will throw a error
Unrecognized field “test” (class com.ing.tpa.onepam.exchange.model.IndividualName), not marked as ignorable (11 known properties: “startDate”, “lastName”, “salutation”, “endDate”, “type”, “firstName”, “secondName”, “links”, “lastUpdateUser”, “initials”, “_links”])
at [Source: (org.glassfish.jersey.message.internal.ReaderInterceptorExecutor$UnCloseableInputStream); line: 1, column: 65] (through reference chain: com.ing.tpa.onepam.individual.json.model.IndividualNameInputMessage[“individualName”]->com.ing.tpa.onepam.exchange.model.IndividualName[“test”])


7. Now, you can . see this is exposing field names, internal object names and architecture.
Few more information
Now, here in this report i would also like to mention that i reported one more vulnerability before this which was received by you on 30 August 2018.
I sent you snapshots of PoC and after receiving that report you guys Rejected it and mentioned that this is false positive and this bug not exist. Now, tell me if its false positive how i reproduced it? Lets say my snapshots are fake okay? Now, tell me how i am able to insert 7 lakh characters into your database and i am having strong proof you can check my developer.ing.com account you will get dozens of app created by me which is having around 6 lakh characters. I reported it ethically but i don’t believe you guys are doing it in ethical way.
We should do our own work ethically. If your community will behave ethically everyone will behave ethically.
Thanks,
Rohit Kumar

Comments

Post a Comment

Popular posts from this blog

Security Bugs in Practice: SSRF via Request Splitting

One of the most interesting (and sometimes scary!) parts of my job at Mozilla is dealing with security bugs. We don't always ship perfect code – nobody does – but I'm privileged to work with a great team of engineers and security folks who know how to deal effectively with security issues when they arise. I'm also privileged to be able to work in the open, and I want to start taking more advantage of that to share some of my experiences. One of the best ways to learn how to write more secure code is to get experience watching code fail in practice. With that in mind, I'm planning to write about some of the security-bug stories that I've been involved in during my time at Mozilla. Let's start with a recent one:  Bug 1447452 , in which some mishandling of unicode characters by the Firefox Accounts API server could have allowed an attacker to make arbitrary requests to its backend data store. The bug: corruption of unicode characters in HTTP request path It...
Read more

Vine User’s Private information disclosure

Image
Hello  readers, This is  Prial Islam  a security researcher from Bangladesh . This is a old finding of mine adding into my blog . Today I will write about a Critical   IDOR vulnerability that will lead to  Information Disclosure   what allowed me to get any Vine user’s sensitive information including   Ip address/phone no/email  . I reported this bug to Twitter Security team in their  Bug Bounty Program in Hackerone  and they Rewarded me with a amount of  7560$ for  this report  . $$$$ + Blog post permission 😾 😇 Vine has issued a statement regarding this vulnerability on their  Vine blog Post here  and also Hackerone mentioned this vulnerability in hackerone  Zerodaily Newslatter  . Vulnerable Endpoint  :- https://vine.co/api/users/profiles/<User Id> When I was testing vine domains for something interesting . I noticed the Endpoint what response wa...
Read more

User Account Takeover [Password Change]— Nice Catch!

Image
Writeup By Rohit Kumar Image Credits: Record Future Ever thought how you are implementing and passing data from the form to your queries? You are doing it dynamically? Summary : In this writeup, I will explain how I was able to change the user account password without providing the old password. This writeup will be short. I will not take much time. About Target:  Target was From a private program. So, let’s assume the target is site.com Reproduction steps: Login into your site.com account. Navigate to  https://www.site.com/users/[user_id]/edit Now, you will see a form which allows you to edit your account details and there is also another option to change your current password which requires your old password but this can be bypassed easily. Now, for bypassing this change password feature. Just edit your account details and then submit this request and meanwhile intercept it. Now you will notice some $_POST fields which will be like user[first_...
Read more