🧵Another hacker story thread!🧵
=== Penetrating a Porn Site ===
How I hacked access to the most sensitive areas of a porn site using only low severity vulnerabilities.
Here's how I did it... 👇
🚨follow, retweet, & like for more hacker stories!🚨 1/x
I was once contracted to do a penetration test on a porn site. This site was more than your average view-only site. It had community functions:
- share images privately with other members
- private paid cam access
- DMing
- and a store for sexy gifts! 2/x 👇
I started with normal usage of the site, registering my own account on each of the websites. The goal set by the client was to access a restricted set of photos in a certain account, plus notify them of any other security vulnerabilities I found. 3/x 👇
I uploaded photos of my own, purchased an item, sent DMs, & paid for access to a private cam. In other words, just used the site as a normal user. This is when I noticed some rather racy things. It's important to understand a few things about security testing... 4/x 👇
In penetration tests & bug bounties, you are paid & appreciated in tiers. Each security bug you find is worth a certain amount, & reporting lower-tier "informational" bugs is often unpaid or frowned upon.
⚠️Never fail to document/report a bug, no matter how small.⚠️
5/x 👇
The 1st bug I noticed was the site had a very lax password policy. These days a password of just numbers & letters is brute-forced in minutes. Website owners need to enforce a complexity requirement. This site only required numbers/letters. Only 5 characters minimum. 6/x 👇
The next bug was that none of the login, registration, or forgot-password pages had rate limiting enabled. This meant I could spam logging in, creating accounts, & resetting passwords. 7/x 👇
Bug 3: The site also responded with different error messages if you tried to register or use the forgot password function with a user email that already existed. Something like: "That email has already been registered" for the registration page. & ... 8/x 👇
"Password reset sent" vs "Email not found" on the forgot password page. While this was enough to start brute-forcing accounts with large lists of public emails and passwords, the next bug really did the site in. The site also allowed login by username or email. 9/x 👇
💀When resetting a password, the site sent you a temporary password, then later asked you to change it. It used the bad password complexity rules to set the temporary password. 💀 10/x 👇
I quickly reset the password to the account the owner had asked me to prove access to, and then brute-forced the temporary password. I was in. I also ran the simple brute-force against 5 character accounts and found that most users only used the minimum complexity. 11/x 👇
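The weakness chain above (weak policy, no throttling, enumeration, temporary password under the same rules), shown from the defender's side as an added example that is not code from the thread or the site: the keyspace of a 5-character alphanumeric temporary password against an unthrottled guesser, next to a reset flow that issues a high-entropy, single-use, expiring token and answers unknown addresses identically. The account list, rates and timestamps are constructed.

```python
import hashlib
import math
import secrets
import string
import time

ALNUM = string.ascii_lowercase + string.digits   # 36 symbols: the "numbers/letters" policy in the thread
USERS = {"alice@example.test"}                   # constructed sample account list
RESET_TOKENS = {}                                # sha256(token) -> (email, expiry); constructed in-memory store


def keyspace_bits(alphabet_size, length):
    """Entropy in bits of a password drawn uniformly from alphabet_size^length."""
    return length * math.log2(alphabet_size)


def hours_to_exhaust(bits, guesses_per_second):
    """Worst-case hours for an online guesser when nothing rate-limits the login form."""
    return (2 ** bits) / guesses_per_second / 3600


def weak_temp_password():
    """What the site did: a temporary password that only meets its own 5-char minimum (~25.8 bits)."""
    return "".join(secrets.choice(ALNUM) for _ in range(5))


def forgot_password(email, ttl=900, now=None):
    """Hardened flow: same reply whether or not the address exists; token is 256 bits and expires."""
    now = time.time() if now is None else now
    token = None
    if email in USERS:
        token = secrets.token_urlsafe(32)                       # 32 random bytes, never a "password"
        digest = hashlib.sha256(token.encode()).hexdigest()     # store only a hash of the token
        RESET_TOKENS[digest] = (email, now + ttl)
        # real code would email `token` here; it is returned only so the example is testable
    return "If that address is registered, a reset link has been sent.", token


def redeem_reset_token(token, now=None):
    """Returns the email the token belongs to, or None if unknown, expired or already used."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(digest, None)                      # pop makes the token single-use
    if entry is None or entry[1] < now:
        return None
    return entry[0]
```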
Often, there is an admin user to a site like this. I attempted to reset "admin" & "administrator". It worked, I had complete access to the admin of the site. I could ban, feature, & impersonate any user. 😬 I could artificially inflate the user count of the site. 😬 12/x 👇
Having achieved almost ultimate access, I had a lot of time to look for more technical vulnerabilities. I found several insecure direct object reference vulnerabilities... 13/x 👇
When using the site to upload images the site sent a POST request to something like: /upload/[randomNumber]/[guid] The random number above was a user identifier number. It was sequential and guessable... 14/x 👇
I went into my account, started to upload a photo, trapped the request in a proxy, & replaced the randomNumber with another. My image uploaded to another user's account. I could also use a similar tactic to change the names of their photos, descriptions, & album names. 15/x 👇
The same identifier was used in the private cam room screening, so I paid for one access to a private cam show and then changed its randomNumber to another. I now had access to all cam shows. They were also easy to download. 16/x 👇
Almost lastly, I found several cross-site scripting vulnerabilities in the site by adding XSS payloads to the metadata of uploaded videos and images. I also found a web app on a high port that showed web server debug info, something like: www.redactedPornSite:8765/debug 17/x 👇
☠️And finally, their store had a SQL Injection bug in an "id" parameter. I had access to all their customer orders. ☠️
Testers always fuzz anything with "id" in it.
That's it for now!
🚨follow, retweet, & like for more hacker stories!🚨 18/x
Thank you, so much fun to read