Sam Curry decided to take on the auto industry, with targets ranging from BMW to Ferrari.
First, they looked at a platform with a custom SSO. They started with recon tools like gau and ffuf and found a WADL file listing the exposed API endpoints. While making requests to them, they noticed that wildcard characters were accepted in query parameters, which allowed enumeration. Another route, totp, returned the 7-digit code used for password resets when given only a user ID! This allowed a complete compromise of all the dealer portals.
While reviewing the Mercedes-Benz infrastructure, they noticed that LDAP was used for everything employee-related. Even though the main site had no register function, they found the URL umas.mercedes-benz.com, used for repair shop tool access, which DID allow registration. These LDAP credentials could then be reused on GitHub and various other portals they discovered. This led to code execution in many places and major information disclosure.
The author was mapping out Kia when they came across kdealer.com, where dealers register accounts to activate Kia Connect for customers. kiaconnect.kdealer.com could be used to enroll a VIN but required a valid session. While reversing the client-side JavaScript, they noticed that a prelogin header yielded a partially valid session that could perform some actions.
Sadly, this still produced errors. So the authors took a valid session token from owners.kia.com and attached it to the request on the original site. This produced a valid vehicle initialization session, the first step toward taking over a car. Adding the prelogin header again let them generate a dealer token and pair the vehicle to their own account. With this, the car could be remotely controlled.
Ferrari's CMS shipped backend credentials in its frontend JavaScript. An API endpoint listed all of the backend routes along with credentials for them. With this information it was possible to perform many sensitive operations, such as modifying users, editing user roles and much more.
Spireon is a company similar to OnStar. During recon they noticed the ancient site admin.spireon.com. Since it sat behind authentication and everything redirected to the login, they tried a simple SQL injection payload against it: admin'#. Luckily, the site predated basic input handling, and the payload produced a login bypass. This could be used to perform admin actions like tracking cars. Neat!
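The login bypass above works because the quote in admin'# closes the username literal and the comment marker discards the rest of the statement, including the password check. The following added example (not code from the research or from Spireon) shows a string-concatenated login query beside its parameterised form, using a constructed in-memory SQLite table. Note that # is MySQL's comment syntax; SQLite uses --, so the live run uses admin'-- as the dialect equivalent while the MySQL-style payload is shown as rendered SQL.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for the portal's auth backend."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple', 'admin')")
    db.commit()
    return db


def build_query_vulnerable(username, password):
    # String concatenation: the attacker controls SQL syntax, not just a value.
    # For username admin'# (MySQL) or admin'-- (SQLite) the password clause
    # ends up inside a comment and is never evaluated.
    return (f"SELECT role FROM users WHERE username = '{username}' "
            f"AND password = '{password}'")


def login_vulnerable(db, username, password):
    """Returns the role of the matched user, or None. Bypassable via injection."""
    row = db.execute(build_query_vulnerable(username, password)).fetchone()
    return row[0] if row else None


def login_safe(db, username, password):
    """Parameterised query: the payload is compared as a literal username value."""
    row = db.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(build_query_vulnerable("admin'#", "anything"))
    print("vulnerable:", login_vulnerable(db, "admin'--", "wrong"))   # admin
    print("safe:      ", login_safe(db, "admin'--", "wrong"))         # None
```

Parameterisation fixes the bypass regardless of which comment syntax the database accepts; the same concatenation bug is equally exploitable with ' OR '1'='1 style payloads that need no comment marker at all.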
But they weren't done with this endpoint yet. Any path containing 'admin' returned a 403, i.e. a denylist. So they fuzzed the endpoint and learned that %0dadmin slipped past the list while still returning the normal page. With this admin portal, a malicious actor could backdoor all of the devices and leak a large amount of information.
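A denylist like this fails when the filter and the backend see different strings. The added example below (not the research's or Spireon's code) assumes a front-end rule that matches the raw request path against /admin and a backend that percent-decodes and discards ASCII control characters before routing; under those assumptions /%0dadmin passes the rule and still lands on the admin route. The hardened version normalises the path the same way the backend does and matches on the first path segment rather than a raw prefix.

```python
from urllib.parse import unquote


def backend_route(raw_path):
    """Assumed backend behaviour: percent-decode, drop control characters, strip query."""
    decoded = unquote(raw_path)
    cleaned = "".join(ch for ch in decoded if ord(ch) >= 0x20)
    return cleaned.split("?", 1)[0]


def edge_denylist_raw(raw_path):
    """Naive rule applied to the raw request line: block anything under /admin."""
    return raw_path.lower().startswith("/admin")


def first_segment(path):
    segments = [s for s in path.split("/") if s]
    return segments[0].lower() if segments else ""


def edge_denylist_normalized(raw_path):
    """Hardened rule: canonicalise exactly as the backend will, then match a segment."""
    return first_segment(backend_route(raw_path)) == "admin"


def handle_request(raw_path, deny_rule):
    """Returns '403' if the edge rule fires, otherwise the route the backend serves."""
    if deny_rule(raw_path):
        return "403"
    return backend_route(raw_path)


if __name__ == "__main__":
    for path in ["/admin", "/%0dadmin", "/ADMIN/users", "/dealers"]:
        print(path, "raw:", handle_request(path, edge_denylist_raw),
              "normalized:", handle_request(path, edge_denylist_normalized))
```

Even the normalised rule is only as good as its guess about backend canonicalisation; the durable fix is to enforce authentication on the admin handlers themselves rather than to keep a substring denylist in front of them.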
Reviver is a site that implements virtual license plates. Each company had a JSON object associated with it, and one of its fields, type, held the user type. While reviewing the JavaScript, they learned about several other user types, such as CORPORATE. By changing the role parameter, which is NOT shown in the request, the role of their account was changed.
Even so, many authorization errors remained, so the author had to create a new user account under the new permissions; then the permissions worked as expected. The vulnerability above is a mass assignment bug: the parameter was not expected by the endpoint, but it was still bound to and updated the underlying object. The resulting admin account gave them full access to customer information and allowed modifications as well.
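The mass assignment pattern above, as an added example (not Reviver's or the research's code): a profile-update handler that copies every JSON key onto the account object lets a type field ride along with an innocent company edit, while an allowlist of form fields rejects it. The Account fields and the STANDARD default are assumptions; only the type field and the CORPORATE value come from the page.

```python
import copy
from dataclasses import dataclass


@dataclass
class Account:
    email: str
    company: str
    type: str = "STANDARD"   # user type; the research reports a CORPORATE type among others


def sample_account():
    """Constructed sample account (not data from the research)."""
    return Account(email="fleet@example.com", company="Example Fleet LLC")


def update_profile_vulnerable(account, payload):
    """Binds every known attribute present in the JSON body, privileged ones included."""
    acct = copy.copy(account)
    for key, value in payload.items():
        if hasattr(acct, key):
            setattr(acct, key, value)
    return acct


EDITABLE_FIELDS = {"email", "company"}   # what the profile form is meant to change


def update_profile_safe(account, payload):
    """Allowlist binding: unexpected fields are an error, not silently applied."""
    unexpected = set(payload) - EDITABLE_FIELDS
    if unexpected:
        raise ValueError(f"unexpected field(s): {sorted(unexpected)}")
    acct = copy.copy(account)
    for key in EDITABLE_FIELDS & set(payload):
        setattr(acct, key, payload[key])
    return acct


if __name__ == "__main__":
    body = {"company": "Example Fleet LLC", "type": "CORPORATE"}   # constructed request body
    print(update_profile_vulnerable(sample_account(), body).type)   # CORPORATE
    try:
        update_profile_safe(sample_account(), body)
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting unknown fields, rather than ignoring them, also gives the defender a log line to alert on when someone is probing for hidden parameters the way the research did.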
Two things of note for me. First, lots of internal things are exposed publicly. Since the various complicated sites have to operate together with the same core functionality, this is bound to happen. Many of these issues, such as the SSO bugs, exist only because of the attack surface as a whole and not because of an issue with a single website.