
This article is a write-up of a vulnerability I found in an application that made it possible to compromise the webhooks of 3000+ users. I got invited to one of the private programs (ex: xyz.com) on HackerOne.

After looking into the complete functionality of the web application, I got to know that it has webhook functionality.

What are Webhooks?

A webhook (also called a web callback or HTTP push API) is a way for an app to provide other applications with real-time information. A webhook delivers data to other applications as it happens, meaning you get the data immediately.

A web application implementing WebHooks will POST a message to a URL when certain things happen. WebHooks are a way to receive valuable information when it happens, rather than continually polling for that data and receiving nothing valuable most of the time.

Steps to Exploit Webhooks in an Application:

After looking into the webhook functionality in the xyz application, a feature used to add notifications for all branches (CI/CD), I noticed that an ID (ex: 1588211) is generated in sequence for every new webhook.

Actually, it was an old target; still, I tried to check for an IDOR vulnerability, as an ID was generated for each webhook and the IDs were sequential.

What is IDOR Vulnerability?


Insecure Direct Object References (IDOR) occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers can bypass authorization and access resources in the system directly, for example database records or files. If you want to know more about this, refer here: IDOR Vulnerability

There is an option to delete the webhooks created by that user. The request looks like below:

PUT /projects/322335/notifications HTTP/1.1
Host: xyz.com
Connection: close
Content-Length: 388

{"authenticity_token":"test","notification":{"notifier":"deletewebhook","branch":"admin","build_owner":"all",{"webhook_url":"https://1"},"enabled":false,"id":1588211,"description":"admin"}}

We already know that the ID in the request body is incremental, so I created one more account and created a few webhooks. Then, by changing the ID in the above delete request, I was able to delete another user’s webhook.

As this number is sequential, an attacker can just run Burp Intruder over $ID$ and delete every user’s webhook running on the platform.
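The root cause described above, and in the IDOR definition earlier, is that the server resolves the webhook purely from the `id` in the request body and never checks that it belongs to the project (and user) making the request. The following is an added example, not code from the original post or from the affected application: it models the vulnerable lookup beside a hardened one in plain Python. The store, the project and webhook ids (including 322335 and 1588211 from the request above), the user names and the handler names are all constructed for the illustration.

```python
"""Webhook deletion: IDOR-prone lookup beside an ownership-scoped lookup.

Added example, not the original post's code. All ids, users and handler
names are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Webhook:
    id: int          # sequential, like the 1588211 seen in the request
    project_id: int
    owner: str
    url: str
    enabled: bool = True


@dataclass
class WebhookStore:
    webhooks: dict = field(default_factory=dict)
    # project_id -> set of users allowed to manage that project's notifications
    project_members: dict = field(default_factory=dict)

    def add(self, project_id, owner, url):
        # Ids are handed out in sequence, which is what made guessing trivial.
        new_id = max(self.webhooks, default=1588210) + 1
        self.webhooks[new_id] = Webhook(new_id, project_id, owner, url)
        return new_id


class Forbidden(Exception):
    """Caller is not a member of the project in the URL."""


class NotFound(Exception):
    """No such webhook within the caller's scope."""


def delete_webhook_insecure(store, current_user, project_id, body):
    """Mirrors the behaviour the post describes: the webhook is looked up by
    the body's id alone, so any authenticated user can delete any webhook.
    current_user and project_id are accepted but never consulted."""
    wh = store.webhooks.get(body["id"])
    if wh is None:
        raise NotFound
    del store.webhooks[wh.id]
    return True


def delete_webhook_secure(store, current_user, project_id, body):
    """Hardened version: the caller must be a member of the project named in
    the URL, and the webhook is only resolved if it belongs to that project.
    Out-of-scope ids are reported as NotFound rather than Forbidden, so the
    response does not confirm which ids exist."""
    if current_user not in store.project_members.get(project_id, set()):
        raise Forbidden
    wh = store.webhooks.get(body["id"])
    if wh is None or wh.project_id != project_id:
        raise NotFound
    del store.webhooks[wh.id]
    return True


def demo():
    """Constructed scenario: alice (member of 322335) submits bob's webhook id
    (project 322336) in the body of a request to her own project. Returns the
    outcome under each handler plus how many webhooks survive."""
    results = {}
    for name, handler in (("insecure", delete_webhook_insecure),
                          ("secure", delete_webhook_secure)):
        store = WebhookStore()
        store.project_members = {322335: {"alice"}, 322336: {"bob"}}
        store.add(322335, "alice", "https://alice.example/hook")
        bob_hook = store.add(322336, "bob", "https://bob.example/hook")
        body = {"notifier": "deletewebhook", "id": bob_hook}
        try:
            handler(store, "alice", 322335, body)
            results[name] = "deleted"
        except NotFound:
            results[name] = "not_found"
        except Forbidden:
            results[name] = "forbidden"
        results[name + "_remaining"] = len(store.webhooks)
    return results


if __name__ == "__main__":
    print(demo())
```

The fix is deliberately a two-part check: membership of the project in the URL path, then a scoped lookup of the object. Either check alone leaves a gap, since a member of one project could still name an id from another project, and a scoped lookup without the membership check lets anyone operate on a project they are not part of. Returning the same "not found" for missing and out-of-scope ids also removes the oracle that a sequential id space otherwise provides.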

Report:

Later, I reported this vulnerability to the application team and they fixed the issue within 2 days.

