added finearts blog

source/_posts/web_exploitation_at_finearts.md

@@ -0,0 +1,63 @@
+---
+layout: post
+title: Web Exploitation at FineArts, IITR
+readtime: true
+date: 2024-03-19
+subtitle: -- written by j4ck4l and sh4dy
+tags: [web,jwt,authorization]
+---
+
+
+# Pentesting Finearts Website
+
+
+# Introduction
+The FineArts Club, IIT Roorkee is a group of talented artists who organise various workshops throughout the year. These workshops are open to everyone on the campus and aim to teach various forms of art ranging from Origami to Pencil Sketching. Being InfoSec enthusiasts, we always ensure that the resources of our fellow campus groups stay secure. Therefore, we tried to scan for any form of vulnerabilities lying on the website waiting to be exploited. We found several vulnerabilities and were able to successfully exploit them too. After doing a responsible disclosure of the bugs to the maintainers of the website, we have prepared this writeup which basically demonstrates the whole scenario from bug finding straight to its exploitation.
+
+
+##
+
+
+Roaming around the website we found a route `/admin` which surprisingly had a registration page where any arbitrary user could create a new account. So after creating a new account we got access to all the functionalities available on the page. However, a user created in this way is assigned the role `user` by default which doesn't have enough privileges to do anything intriguing.
+
+
+![functionalities](../assets/finearts/func.png)
+
+
+It is clearly visible that we have different features such as creating and viewing new artworks, artists, viewing information about orders,etc.
+
+
+Creating a new artist or an artwork via the admin panel gave us a `401 unauthorized error`. Therefore, we decided to use BurpSuite to capture the request. Using Burp Suite, we captured the request and quickly found a JSON Web Token (JWT) in the request headers. Using [jwt.io](https://jwt.io/), we decoded the Json Web Token and got the following payload.
+
+
+![jwt](../assets/finearts/jwt.png)
+
+
+It’s clearly visible that the JWT payload has a special value `UserRole` which was set to `user` by default. This means that any new user created via the admin panel would be assigned the role `user` which doesn’t have enough privileges to create new artists and artworks. Therefore, we decided to perform privilege escalation in order to gain elevated privileges (for example, admin).
+
+
+We tried common exploits of JWT such as `Weak Key Attack` and it worked. We used jwt_tool to crack the JWT and the signature key we found was surprisingly empty which is a bad practice in terms of web security.
+
+
+
+
+
+![jwt_crack](../assets/finearts/jwt_cracked.png)
+
+We sent the same request again with the forged token. And yesss we added the artwork successfully.
+
+![added_artwork](../assets/finearts/added_artwork.png)
+
+ Similarly, we were able to control other features such as creating new artists, editing and deleting orders, updating price of artworks, creating new events, etc.
+
+The following changes were reflected on the original website:
+
+![exploit1](../assets/finearts/exploit1.png)
+
+![exploit2](../assets/finearts/exploit2.png)
+
+![exploit3](../assets/finearts/exploit3.png)
+
+![exploit4](../assets/finearts/exploit4.png)
+
+All hail **InfoSecIITR**!!