Gunicorn is being used:
JWT tokens are being used:
I'll create an account:
I can now use the /search endpoint to find valuable info about myself:
If you capture this request you can see the JWT token:
Furthermore, there is another endpoint called /visit inside /app/bot/routes.py:
Inside the visit() function there is a call to another function called bot_thread(uri), so I'll inspect it:
Basically, if you append the Authorization header it makes a request to a file I specify, so I'll try it:
Inside /app/main/routes.py there is a conditional which matches just subpaths starting with profile:
So I'll repeat what I did before but trying one extension cached by Nginx:
Now I can perform a GET request, as the code says, to /profile.png:
Procedure:
- Log in as a regular user: register, log in, and obtain a JWT.
- Send a POST request to /visit with the JWT token in the Authorization header and the body {"uri": "profile.png"}.
- The bot logs in as admin and makes a GET request to /profile.png.
- Nginx sees the .png extension, matches the caching rule, and stores the backend's response (the JSON containing the admin's data).
- After a short while, you make a GET request to /profile.png.
- Nginx already has the cached response and serves it to you without requiring a token, exposing the admin's sensitive data (including the api_key/flag).
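The two ingredients of this web cache deception, a backend that matches /profile.png by prefix and an edge cache that decides solely on the file extension, can be modelled side by side with their fixes. The Python below is an added illustration, not the challenge's code: the route functions, EdgeCache class and placeholder admin data are all constructed here, and the regex stands in for the Nginx caching rule the writeup describes.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Constructed placeholder for the admin's data; not the challenge's real values.
ADMIN_PROFILE = {"user": "admin", "api_key": "<PLACEHOLDER_API_KEY>"}
STATIC_EXT = re.compile(r"\.(png|jpg|css|js)$")  # models the extension-based caching rule

@dataclass
class Response:
    status: int
    body: Optional[dict] = None
    headers: Dict[str, str] = field(default_factory=dict)

def vulnerable_app(path: str, user: Optional[str]) -> Response:
    """Prefix match like the writeup's backend: /profile.png is served as /profile."""
    if path.startswith("/profile") and user == "admin":
        return Response(200, dict(ADMIN_PROFILE))  # no Cache-Control header at all
    return Response(404 if user else 401)

def hardened_app(path: str, user: Optional[str]) -> Response:
    """Exact route match plus an explicit no-store directive on per-user data."""
    if path != "/profile":
        return Response(404)
    if user != "admin":
        return Response(401)
    return Response(200, dict(ADMIN_PROFILE), {"Cache-Control": "private, no-store"})

class EdgeCache:
    """Minimal stand-in for a reverse-proxy cache keyed only on the request path."""
    def __init__(self, honor_cache_control: bool):
        self.honor_cache_control = honor_cache_control
        self.store: Dict[str, Response] = {}

    def fetch(self, app: Callable, path: str, user: Optional[str]) -> Response:
        if path in self.store:            # cache hit: served with no auth check
            return self.store[path]
        resp = app(path, user)
        cacheable = STATIC_EXT.search(path) is not None and resp.status == 200
        if self.honor_cache_control and "no-store" in resp.headers.get("Cache-Control", ""):
            cacheable = False
        if cacheable:
            self.store[path] = resp
        return resp

def leaks_admin_data(app: Callable, honor_cache_control: bool) -> bool:
    """Replays the writeup's sequence: admin visits /profile.png, then an anonymous client asks for it."""
    cache = EdgeCache(honor_cache_control)
    cache.fetch(app, "/profile.png", "admin")
    anon = cache.fetch(app, "/profile.png", None)
    return anon.status == 200 and anon.body == ADMIN_PROFILE
```

Running leaks_admin_data against vulnerable_app returns True whichever way the cache is configured, because the backend never marks the response private; the exact-match route with no-store is what closes the gap.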