Hacking one of the largest Legal tech in MENA

Ahmad Mansour
3 min readApr 25, 2024

--

Hello everyone, i am Ahmad Mansour, 18y old penetration tester from Lebanon ( Web, API, Network, Active Directory and abit of mobile basic pentesting ), without wasting time lets dive into the writeup of today.

Just before we continue, this is a penetration test and not part of a bug bounty, so you might see some vulnerabilities that might not be really reported to a bb program, ill be discussing multiple vulnerabilities from multiple severities that i found.

Lets call the platform app.com, its a platform to let users hire lawyers online, and even let the lawyers manage their clients on the application, the project was assigned to me and i start testing the app.

I wont be explaining the vulnerabilities or the technologies itself used, i assume you already have the basics, ill go directly to the vulnerabilities exploitation

1- Vulnerability Number one, Complete Access into all Users Information and complete access to impersonate any user, this vulnerability was due a JWT secret token leak, i was able to find the secret token through a .env file leaked in one of the subdomains of the target, it was a beta website, but the same JWT secret was used in the main app also !

Steps to exploit:

  • i logged in as a normal user at app.com, got a JWT token
  • Constructed a small script to change the JWT token using the JWT secret

import jwt

# Your original JWT token
original_jwt = ‘your.jwt.token.here’
# The secret used for encoding and decoding the JWT
secret = ‘your_jwt_secret’

# Decode the JWT without verification just to see its content (not recommended for production)
decoded_payload = jwt.decode(original_jwt, algorithms=[“HS256”], options={“verify_signature”: False})
print(“Original Payload:”, decoded_payload)

# Modify the payload
# Example modification: change the ‘user’ field
decoded_payload[‘user’] = ‘new_user_value’

# Re-encode the JWT with the same secret
encoded_jwt = jwt.encode(decoded_payload, secret, algorithm=”HS256")
print(“Modified JWT:”, encoded_jwt)

This was my script to decode, reconstruct a JWT token using the leaked secret key, make sure if you want to use it to change the ALGO of the encryption used depending on your target, but most of the time its HS256, and sure change the parameters, mine was ID not user but i did dropped the script and you can change whtvr you want

The impact was very dangerous due to the ability to construct any JWT token, impersonating any user and doing any action on his behalf.

2- Vulnerability Number Two, Email verification bypass allowed me to register under the email of any user/company, we can say its like a Pre-Account takeover

Steps to reproduce:

1 — On the register endpoint, once i submitted my details, the respones was returning a hash_token , i took note about this hash, and went to my email to check how is the verification email looks like

and it was something like: app.com/Email/Verification?token=…

and i noticed that the token= is the same value that it was in the response, so simply an attacker would copy that value and insert in the link, bypassing any email, and imagine the impact here being able to verify any email .. especially on a legal tech platform.

3- Vulnerability Number three, an IDOR allowing me to see any other legal firm, lawyer information !

This was a typical IDOR on a specefic API call, IDOR is generaly simple to find, just click on all buttons/requests and see if there is any identification you can change, an id, phone, email, UUID or any thing that identifies another user, sure there is some tricks to play around IDOR, but thats the main idea of it.

the api Call was:

/api/Data/Folders/Files/getAllFiles?file=ID

And here was the response, exposing cases of lawyers and their clients !

I have found also multiple sensitive vulnerabilities, these are just three, if you would like to see more real life vulnerabilities on real pentest, let me know in the comment so i post more writeups, have a good day ! ❤

--

--

Ahmad Mansour
Ahmad Mansour

Responses (2)