top of page
Search
Writer's pictureJason Haddix

Penetrating a porn site

🧵Another hacker story thread!🧵


=== Penetrating a Porn Site ===




How I hacked access to the most sensitive areas of a porn site using only low severity vulnerabilities.


Here's how I did it... 👇


🚨follow, retweet, & like for more hacker stories!🚨 1/x



I was once contracted to do a penetration test on a porn site. This site was more than your average view-only site. It had community functions to: - share images privately with other members - had private paid cam access - DMing - and a store for sexy gifts! 2/x 👇

I started with normal usage of the site, registering my own account on each of the websites. The goal set by the client was to access a restricted set of photos in a certain account, plus notify them of any other security vulnerabilities I found. 3/x 👇


I uploaded photos of my own, purchased an item, sent DMs, & paid for access to a private cam. In other words, just used the site as a normal user. This is when I noticed some rather racy things. It's important to understand a few things about security testing... 4/x 👇


In penetration tests & bug bounties, you are paid & appreciated in tiers. Each security bug you find is worth a certain amount & reporting lower-tier "informational" bugs are often unpaid or frowned upon.

⚠️Never fail to document/report a bug, no matter how small.⚠️


5/x 👇


The 1st bug I noticed was the site had a very lax password policy. These days a password of just numbers & letters is brute-forced in minutes. Website owners need to enforce a complexity requirement. This site only required numbers/letters. Only 5 characters minimum. 6/x 👇


The next bug was neither the login, registration, or forgot password pages had rate limiting enabled. This meant I could spam logging in, creating accounts, & resetting passwords. 7/x 👇


Bug 3: The site also responded with different error messages if you tried to register or use the forgot password function with a user email that already existed. Something like: "That email has already been registered" for the registration page. & ... 8/x 👇


"Password reset sent" vs "Email not found" on the forgot password page. While this was enough to start brute-forcing accounts with large lists of public emails and passwords, the next bug really did the site in. The site also allowed login by username or email. 9/x 👇


💀When resetting a password, the site sent you a temporary password, then later asked you to change it. It used the bad password complexity rules to set the temporary password. 💀 10/x 👇


I quickly reset the password to the account the owner had asked me to prove access to, and then brute-forced the temporary password. I was in. I also ran the simple brute-force against 5 character accounts and found that most users only used the minimum complexity. 11/x 👇


Often, there is an admin user to a site like this. I attempted to reset "admin" & "administrator" It worked, I had complete access to the admin of the site. I could ban, feature, & impersonate any user. 😬 I could artificially inflate the user count of the site. 😬 12/x 👇


Having achieved almost ultimate access, I had a lot of time to look for more technical vulnerabilities. I found several insecure direct object reference vulnerabilities... 13/x 👇


When using the site to upload images the site sent a POST request to something like: /upload/[randomNumber]/[guid] The random number above was a user identifier number. It was sequential and guessable... 14/x 👇


I went into my account, started to upload a photo, traped the request in a proxy, & replaced the randomNumber with another. My image uploaded to another user's account. I could also use a similar tactic to change the names of their photos, descriptions, & album names 15/x 👇


The same identifier was used in the private cam room screening, so I paid for one access to a private cam show and then changed its randomNumber to another. I now had access to all cam shows. They were also easy to download. 16/x 👇


Almost lastly, I found several cross site scripting vulnerabilities in the site by adding XSS payloads to uploaded videos and images metadata. I also found a web app on a high port that showed web server debug info, something like: www.redactedPornSite:8765/debug 17/x 👇

☠️And finally, their store had a SQL Injection bug in an "id" parameter. I had access to all their customer orders. ☠


Testers always fuzz anything with "id" in it.


That's it for now!


🚨follow, retweet, & like for more hacker stories!🚨 18/x







5,943 views1 comment

Recent Posts

See All

1 Comment


Frank xayachack
Frank xayachack
May 03, 2022

Thank you so much fun to read


Like
bottom of page