How I Hacked Bong Visal App and Cisco NetAcad in 2019

1 Comments

Sorry for the clickbait!

Don’t get me wrong. I didn’t hack-hack them but more like “uh-oh, your app has issue and I’m just a curious nerd with Burp Suite and no weekend plans".

This was conducted for educational purposes only. I do not engage in any illegal hacking activities.

So yeah… I had the ability to reset or login to all accounts on two those two, and that’s why I’m merging both stories into one article.

Back in 2019, I was just a offsec guy with a laptop, Burp Suite, and a caffeine addiction. While others were out on dates or doing gym stuff, I was in my room, gently searching on web security vulnerbilities for fun. These days? I'm a peaceful boomer in cybersecurity terms.

Image

This is the story of how I reported a very criticle vulnerabilities (aka white hacked?) his app and a very big company, Cisco Networking Academy. Yes. That Cisco.

Note: Hacking is not about tools but just with common sense and some tricks


Case 1: Login to any account with OTP Bruteforce

As I remembered that year, he was announcing bug bounty on his app. So I had a look. logging into App and I noticed in login endpoint /api/v2/login/check?token=132a898f73c82e&phone=

  • OTP was only 4 digits. That’s 0000–9999.
  • There was a rate limited feature (which was abandoned)
  • You could guess as many times as you want

There is "attempt" parameter in response after submit but maybe it’s not used.

Image

how it was exploited

  1. Requested OTP /api/v2/token/otp?token=...
  2. Sent all the possible OTPs — 0000 to 9999 — like I was playing a slot machine

Image

Image

  1. After several thousand of attempts, Ding-ding-ding! OTP matched, I could see the 200 response code. Got the OTP and was able to use it to access the account.

Image


Case 2: Cisco Netacad – Change Anyone’s Password with IDOR

Cisco, oh Cisco. You were providing cybersecurity and network to the world, but forgot to security your own site. (sorry, it’s chatgpt text)

  1. On Netacad’s profile edit page, you could change your password (without entering the current one)

Image

  1. And the form had a very helpful hidden field called userId

Image

How I “Hacked” It

  1. Logged into my own Netacad account. Innocent.
  2. went to group/landing/edit-user-profile
  3. Captured the POST request when changing password. _netacaduserprofile_WAR_netacaduserprofileportlet_userId=MY_ID
  4. Changed it to someone else's ID. Boom! that user's password is changed.

Why It Worked

  1. No check to see if I actually owned that userId.
  2. No current password required.
  3. userId was visible in public profiles. Or guessable. Or bruteforceable. Basically, it was begging to be hacked.

read more about IDOR at https://portswigger.net/web-security/access-control/idor

Lessons Learned

  • will write later.
Sliden
Sliden commented

lets go gambling ahh hack i love this