Potentially Juicy Leak?

pisteuo · June 26, 2019, 2:17am

Hello all! So, I stumbled upon something semi-interesting, I am just trying to figure out a better way to enumerate and see if I get anymore information:

Sending the below request:

	GET /v1/invite-stats-by-invitee/WlUjMu/ HTTP/1.1
	Host: api.hostdomain.com
	User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
	Accept: application/json, text/plain, */*
	Accept-Language: en-US,en;q=0.5
	Accept-Encoding: gzip, deflate
	If-Modified-Since: Mon, 26 Jul 1997 05:00:00 GMT
	Origin: https://hostdomain.com
	DNT: 1
	Connection: close
	Referer: https://hostdomain.com/?i=WlUjMu

Responds with:

	{"url":"https://api.hostdomain.com/v3/invite-stats-by-invitee/WlUjMu/","fullname":"First and Last Name","user":{"picture":"https://api.hostdomain.com/userprofile-image/11761/","first_name":"Firstname"},"key":"WlUjMu","send_reminders":true,"extras":"{}"}

The WlUjMu is the value from a JSON “key” parameter; however, I need to find a way to enumerate that string. I sent the domain with the /userprofile-image/11761 to Intruder and I’m getting valid information by finding user profile pics; however, I can’t associate those ID’s with their respective JSON “key” parameter to get more information on those users. It does not appear to be Base64 and Intruder is not working the way I intended it to. Is this a red herring or would this be something valid to continue to pursue? If so, is there an easier way to enumerate a string such as that in Intruder (or another way)? I have been frying my brain here and I think I’m looking too deep into it.

ARKADA · June 28, 2019, 9:16am

So intruder could do this. It’s ‘customer’ iterator then assign 6 different payloads and assign the keyspace ‘So a-z and A-Z’. But then with that level of entropy you’re looking at over 400,000,000 requests… :S
There are probably other ways to do this with other tools but Intruder can do it fine…

pisteuo · June 28, 2019, 1:25pm

Hello @ARKADA, yeah, that was my challenge. That’s what I didn’t intend Intruder to do. I am not finding an easier way to do it and I honestly don’t want to waste the time if it’s a red herring. Thank you for your reply, I appreciate it!

ARKADA · June 28, 2019, 1:46pm

Don’t let it discourage you. I’d still try but place a throttle on it (like 1-2 requests a second) and let it run in the background to see if you can pick up any valid keys. Just because the maximum entropy is in the hundreds of millions, doesn’t mean they might have other flaws (sequential keys, key sizes smaller than the maximum, etc.) Then of course, try to fuzz it as usual (different HTTP methods, null values, numbers, different encodings, etc.)

pisteuo · July 1, 2019, 3:36pm

Thank you for your comments @ARKADA, I appreciate the assistance here!

Topic		Replies	Views
Need Help or Guidance on Potential Bug Web Hacking	8	1899	May 29, 2019
New - Learned Things - No Bounties Yet Starter Zone	7	2869	May 21, 2022
LevelUp 0x03 - Turbo Intruder: Abusing HTTP Misfeatures to Accelerate Attacks by albinowax LevelUp Conference	1	3379	December 11, 2019
Am I on the verge of my first bug found? Starter Zone	5	2160	May 16, 2018
Possible API Key Leak? Web Hacking	6	4501	July 20, 2022

Potentially Juicy Leak?

Related topics