Summary:
Misconfigured role-based access control in the MTech Integrated Summer Internship Project Registration service of the VTOP portal: by changing the project ID in a request to ViewStudentRegistrationDetailsPage, I could view other students' summer internship project details, download their uploaded files and edit their registration forms.
- API Route :
POST /vtop/summer/ViewStudentRegistrationDetailsPage HTTP/1.1
Host: vtop.vitap.ac.in
- OWASP Security Vulnerability : A01:2021-Broken Access Control
- Expected Severity : Medium (6.5)
- Expected Weakness : Information Disclosure (insecure direct object reference on the project ID; the same missing check also allows unauthorized modification of other students' forms)
- Tools used : Chromium, Burp Suite 2024
- Suggested fix : Enforce a server-side authorization check that the project ID in the request belongs to the authenticated student, for view, download and edit actions alike, and return the same error for missing and foreign IDs so the endpoint cannot be used to enumerate valid ones; additionally add API rate limiting, token-based download URLs with expiration bound to the requesting user, and tracing with centralized log alerts on the API
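The following is an added example written for this report, not VTOP's code: a minimal model of the ViewStudentRegistrationDetailsPage handler that reproduces the behaviour described above (the session is authenticated, but the client-supplied project ID is trusted), next to a hardened version that enforces object-level authorization on every read and write, plus the user-bound, expiring download token suggested in the fix. All names (Registration, REGISTRATIONS, SESSIONS, DOWNLOAD_KEY, the sample registration numbers) are hypothetical and the data is constructed.

```python
"""Added example: missing object-level authorization on a project ID, and the fix.
Not VTOP's code; names, sample data and the signing key are hypothetical."""
import hashlib
import hmac
import time
from dataclasses import dataclass


@dataclass
class Registration:
    project_id: int
    owner_reg_no: str   # registration number of the student who owns the form
    title: str
    file_name: str


# Constructed sample data standing in for the registration table.
REGISTRATIONS = {
    1001: Registration(1001, "22MCS0001", "Alice's internship project", "alice.pdf"),
    1002: Registration(1002, "22MCS0002", "Bob's internship project", "bob.pdf"),
}

# Constructed session store: session token -> authenticated registration number.
SESSIONS = {"sess-alice": "22MCS0001", "sess-bob": "22MCS0002"}

# Hypothetical server-side secret; in practice load it from configuration.
DOWNLOAD_KEY = b"server-side-secret-not-for-production"


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def view_details_vulnerable(session_token, project_id):
    """Behaviour from the report: logged in is enough, ownership is never checked,
    so any student can read any project ID found by Intruder."""
    if session_token not in SESSIONS:
        raise Forbidden("not logged in")
    reg = REGISTRATIONS.get(project_id)
    if reg is None:
        raise NotFound(project_id)
    return reg


def view_details_fixed(session_token, project_id):
    """Object-level authorization: the record must belong to the caller.
    'Missing' and 'not yours' return the same error so the endpoint is not an
    oracle for enumerating valid project IDs."""
    reg_no = SESSIONS.get(session_token)
    if reg_no is None:
        raise Forbidden("not logged in")
    reg = REGISTRATIONS.get(project_id)
    if reg is None or reg.owner_reg_no != reg_no:
        raise NotFound(project_id)
    return reg


def update_details_fixed(session_token, project_id, new_title):
    """Writes go through exactly the same ownership check as reads."""
    reg = view_details_fixed(session_token, project_id)
    reg.title = new_title
    return reg


def _download_mac(reg_no, project_id, exp):
    msg = f"{reg_no}:{project_id}:{exp}".encode()
    return hmac.new(DOWNLOAD_KEY, msg, hashlib.sha256).hexdigest()


def make_download_token(reg_no, project_id, ttl=300, now=None):
    """Expiring download token bound to the user: the MAC covers the owner's
    registration number, so a token minted for one student is useless in
    another student's session."""
    exp = int((time.time() if now is None else now) + ttl)
    return f"{project_id}:{exp}:{_download_mac(reg_no, project_id, exp)}"


def download_with_token(session_token, token, now=None):
    """Validates signature, expiry and (again) ownership before serving a file."""
    reg_no = SESSIONS.get(session_token)
    if reg_no is None:
        raise Forbidden("not logged in")
    try:
        pid_s, exp_s, sig = token.split(":")
        project_id, exp = int(pid_s), int(exp_s)
    except ValueError:
        raise Forbidden("malformed token")
    if not hmac.compare_digest(sig, _download_mac(reg_no, project_id, exp)):
        raise Forbidden("bad signature")
    if (time.time() if now is None else now) > exp:
        raise Forbidden("token expired")
    return view_details_fixed(session_token, project_id).file_name


def raises(exc, fn, *args, **kwargs):
    """Demo helper: True if fn(*args, **kwargs) raises exc."""
    try:
        fn(*args, **kwargs)
    except exc:
        return True
    return False
```

The signed download URL is a useful second layer against links being shared or replayed, but it does not replace the ownership check in view_details_fixed: rate limiting and expiring links only slow down enumeration, while the authorization check removes the leak.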
Proof of concept :

Proxied the API request through Burp Suite and sent it to Intruder.


Located the project ID in the request body and marked it as the Intruder payload position (using my own session and CSRF token).

Added the payload dictionary (a list of candidate project IDs) in Burp Suite Intruder.

Brute-forced project IDs to retrieve other students' project data; the responses confirm the misconfigured data leak.
Demo : https://www.youtube.com/embed/FpmfaGwH3kE?si=_iicYWxgznpTy0EX

Misconfigured RBAC (Role Based Access) behaviour:
After intercepting the ViewStudentRegistrationDetailsPage sub-API route and replacing the project ID in the intercepted request body with another existing project ID, the server returned that student's registration. Since every student holds the same role, the root cause is a missing object-level authorization check on the project ID (an insecure direct object reference) rather than a wrong role assignment.

This gave me access to the other student's files and edit access to their form.


Expected behaviour:
The endpoint should return only the registration form content belonging to the authenticated student, for example my own form:
