First, I love the fries animation they add for the cursor - I got a good kick out of this. The blog post is about bug hunting on McDonald's McDelivery.
Digging through the website, they noticed it was Angular. They pulled the routes from the minified JavaScript. With no idea what the IDs in the requests looked like, they just tried 0 and 1. To their horror, they were able to get card information from a random cart on the website with this! By playing around with it, they found that the order IDs were sequential. A similar issue was found on the ratings API too.
They noticed that when a user goes onto the website, they're given a "Guest" JWT. To me, the proper handling of "Guest" users is complicated. You want the guest to be able to buy things and have their orders be trackable without logging in but it also needs to only be accessible to them. It's a hard problem to solve.
The same IDOR on the order ID worked on the order map, receipts, and feedback submission. This seemed to be all over the website.
The payment flow for an order worked by clicking add to cart and then redirecting to the payment processor, Juspay. Going to checkout sent a POST request that created the order. If you tried to modify the order information it wouldn't work, because an RSA signature is generated on the server side. This prevents tampering with the request and guards against state issues.
Besides the POST request, there is a PUT request for modifying the order. Unfortunately, this endpoint was vulnerable to a mass assignment vulnerability. Using this, they could update the price and many other fields of the order. Crazy!
This same bug could be used to steal people's orders. It was possible to change the delivery address of another cart and then reassign the order to your account, but only after they paid, of course. This requires some crazy timing. But, given the other bugs with incrementing IDs and information disclosure, it seems fairly reasonable to pull off.
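The order PUT endpoint described above fails in two ways at once: any sequential order ID is accepted (IDOR) and every submitted field is written (mass assignment). The following is an added illustration, not code from the McDelivery write-up or from McDonald's, with a minimal handler showing that shape beside a hardened one; the store layout, JWT claim names and field names are assumptions.

```python
# Added illustration (not from the McDelivery write-up): a minimal order-update
# handler with the two bugs the post describes, an IDOR on the order ID and
# mass assignment on the PUT endpoint, next to a hardened version.
# Store layout, claim names and field names are assumptions.
from copy import deepcopy

# Constructed sample store: sequential order IDs, each owned by a JWT subject.
ORDERS = {
    1: {"owner": "guest-aaa", "price": 12.50, "address": "1 Main St", "status": "paid"},
    2: {"owner": "guest-bbb", "price": 30.00, "address": "9 High St", "status": "paid"},
}

# Fields a customer may legitimately change after placing an order.
UPDATABLE_FIELDS = {"address"}


def update_order_vulnerable(orders, claims, order_id, patch):
    """Trusts the client: no ownership check, every submitted field is applied."""
    order = orders[order_id]   # any guessable sequential ID works (IDOR)
    order.update(patch)        # price/owner/status all writable (mass assignment)
    return order


def update_order_hardened(orders, claims, order_id, patch):
    """Binds the order to the caller's JWT subject and allowlists fields."""
    order = orders.get(order_id)
    # Same response for missing and foreign orders, so IDs cannot be enumerated.
    if order is None or order["owner"] != claims["sub"]:
        raise PermissionError("order not found")
    rejected = set(patch) - UPDATABLE_FIELDS
    if rejected:
        # Reject rather than silently drop, so tampering shows up in logs.
        raise ValueError(f"fields not updatable: {sorted(rejected)}")
    order.update(patch)
    return order


def demo():
    """Runs both handlers on a constructed tampering attempt; returns outcomes."""
    attacker = {"sub": "guest-ccc"}
    tamper = {"price": 0.01, "owner": "guest-ccc", "address": "other address"}
    weak = update_order_vulnerable(deepcopy(ORDERS), attacker, 2, tamper)
    try:
        update_order_hardened(deepcopy(ORDERS), attacker, 2, tamper)
        strong = "allowed"
    except (PermissionError, ValueError) as exc:
        strong = type(exc).__name__
    return weak["owner"], weak["price"], strong
```

The hardened handler checks ownership before field validation, so a foreign order ID gets the same "not found" response whether or not the payload is malformed.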
The final bug was an issue with scope on JWT tokens. On the McDelivery admin panel, a single API accepted consumer website JWTs. This API exposed KPI reports, leading to a serious information disclosure.
Overall, a really fun read! I enjoyed the story-like nature of the post and the notes on the complexity of the various components that they tested. The vulnerabilities were nothing crazily fancy but just required some knowledge of the application. For their hard work, they received $240, which is criminally undervalued.