
Follow up to: https://devrant.com/rants/5047721/....

1- The attacker just copy-pasted their JWT session token and jammed requests on the buy-gift-cards route
2- The endpoint returns the gift card to continue the payment process, but the gift card is already valid
3- Clients want only to force passwords to have strong combinations
4- Talk about a FIREWALL? Only next month
5- Reduce the token expiration from 3 HOURS to 10 minutes? Implement strong passwords first
6- And then start using refresh tokens

BONUS: Clearly someone from inside that worked for them; the API and database passwords have been the same for years. And the route isn't used directly by the application, although it exists and has rules that the attacker knows. And multiple accounts from legit users are being used, so the person clearly has access to some internal shit
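The failure mode in points 1, 2 and 5 of the rant, as an added example (not the client's API or code): a constructed in-memory model of the vulnerable route, which hands back an already-valid card, next to a hardened one that only activates the card after payment is confirmed and throttles the route per user so a replayed token cannot mint cards in bulk. Class, method and parameter names are assumptions.

```python
# Constructed in-memory model of the gift-card route described in the rant.
# Not the client's code: names and structure are assumptions for illustration.
import secrets
import time
from collections import defaultdict, deque


class GiftCardService:
    def __init__(self, clock=time.monotonic, rate_limit=5, window=60.0):
        self.cards = {}                  # card code -> {"owner", "active"}
        self.pending = {}                # order_id -> card code awaiting payment
        self.clock = clock               # injectable so tests are deterministic
        self.rate_limit, self.window = rate_limit, window
        self.hits = defaultdict(deque)   # user -> timestamps of recent requests

    # Vulnerable pattern from the rant: the card is valid the moment it is
    # returned, so every replayed request with a valid token yields a usable card.
    def buy_vulnerable(self, user):
        code = secrets.token_hex(8)
        self.cards[code] = {"owner": user, "active": True}
        return code

    # Sliding-window throttle per user on the route itself (point 5 of the rant
    # shortens token lifetime, which does not stop a fast replay on its own).
    def _throttled(self, user):
        now = self.clock()
        q = self.hits[user]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.rate_limit:
            return True
        q.append(now)
        return False

    # Hardened pattern: the route only records a pending order; no card code
    # leaves the server until the payment provider confirms the order.
    def buy_hardened(self, user):
        if self._throttled(user):
            raise PermissionError("rate limit exceeded for user")
        order_id = secrets.token_hex(8)
        code = secrets.token_hex(8)
        self.cards[code] = {"owner": user, "active": False}
        self.pending[order_id] = code
        return order_id

    # Called once per confirmed payment; a replayed order_id raises KeyError.
    def confirm_payment(self, order_id):
        code = self.pending.pop(order_id)
        self.cards[code]["active"] = True
        return code

    def is_redeemable(self, code):
        return self.cards.get(code, {}).get("active", False)
```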

Comments
  • 4
    Those dumb mother fuckers better not try and blame you.
  • 3
    @Demolishun they won't. I'll grab my coffee now and work on some shit
  • 2
    Dropping the token lifetime isn't the solution, how did it leak in the first place? MitM I hope? In which case there's not much you can do with it. If the network is compromised then even a 5-second token is a threat, just more spaced out, but not by much

    Why is the card returned before payment?! That's your real issue...

    The other is obviously the network, not https? Or what?
  • 2
    @Hazarth https.

    The gift card returns before the transaction completes because of that thing that managers love: priority shifting. They said they knew, but other things always were more important (in 3 years of existence).

    If they're inside the network? We don't know. Their API is a black box, I can't run it locally and deploys to dev environment are made by hand by one of their "IT" guys. The same happens with their infrastructure, no logs, no monitoring...

    It may have leaked by: People running a scam and agreeing to receive some money for giving their credentials or the attacker has access to the database
  • 2
    @ChristoPy couldn't it also be a normal user using a valid token of theirs but just using a script to ram the server for fun? Could you get multiple cards if you do it fast enough?
  • 2
    @Hazarth could be, but we can't differentiate
  • 3
    What a trainwreck