Auth Bypass Via Exposed Credentials

How we got there

So it was on one of those days, i was feeling bored and kinda alone. When i feel like this i usually divulge into some hacking (to fill that void😃) So off i went to Intigriti and i saw that a program i followed had an update (funny story was i didn't recall having followed the program but i may have as well did, i get forgetful sometimes)

After checking out the program lets call it xboy why, i found that they had *.xboy.me on scope and they were rewarding bounties for it, upto €1500 for an exceptional bug.

So i said why not, up to this point the highest severity i ever got for my bug was high (3 times) via payment bypass (Write-ups below) or Home.

So after i took the domain i headed to c99 Subdomain finder, pasted the domain and clicked start scan (No other tool you ask[still bored remember]). Found several hundred domains.

Now i visted all the domains one by one i eventually got to a domain chat.xboy.me that redirected to microsoft online sso. But during the redirect it loaded the javascript files as most common JavaScript Frameworks connecting to a nodejs backend. Like the PHP EAR Vulnerability

I stopped the redirect to microsoft online sso by doing a view-source:https://chat.xboy.me. Found the main js file that was under https://chat.xboy.me/js/index.js

Since i new the backend was written under NODEJS i started searching for the NODE_ENV variable. I saw that it had refrence like the following

{NODE_ENV:"production",VUE_APP_ADMIN_URL:"https://ADMIN.xboy.ME",VUE_APP_VLS_BASIC_AUTH:"Basic Y2hhdG1ldXA6b250d2l0dGVyMHgwMSEK",VUE_APP_ENV:"PROD",VUE_APP_USEBOUNCER_API_KEY:"AKGjgdkgailgilutyuiqwkJGIKGiwegyw0",VUE_APP_VERSION:"1.33.7",BASE_URL:"/"}

After seing this i remember visiting https://admin.xboy.me which resulted in a 401 unauthorized error. To test the validity of the auth basic creds i requested the https://admin.xboy.me/favicon.ico which had previously returned a 401 error and this time i got a 200 OK

GET /favicon.ico
HOST: admin.xboy.me
Authorization: Basic Y2hhdG1ldXA6b250d2l0dGVyMHgwMSEK

I was in and i could see so much information that was clearly not intended for the public. I felt good but was honestly scared a little, that feeling of getting a critical severity bug + being inside a government server was overwhelming at first.

I immediately stopped testing and wrote a report including sceenshots and embedded the vulnerable code snipplet on my report.

Reproduction Steps

Headed to https://chat.xboy.me/js/index.js
Searched and found the NODE_ENV values
Visited https://admin.xboy.me to see 401 error
Now add the creds chatmeup:ontwitter0x01! with chatmeup as the username & ontwitter0x01! the password
Now i have access to a lot of data data
I stopped testing at this point. But i believed an attacker can leverage this to escalate further.