Importance of web application audit

This weekend, I got a request from a friend of mine to review the security of a web application he and his team were working with. He knows my passion for reviewing security-related problems in applications, and within an hour I was able to send him a report explaining a large security breach they had in the web application.

The whole problem was caused by bad application design, perhaps the result of human error or of a lack of communication between the technical lead and the frontend and backend developers.

Every web application in the world has different endpoints, some of which are protected and some of which are not.

A lot of sophisticated applications have different protection mechanisms.

Some applications are developed using role-based authentication, where the user gets access to different endpoints based on their role, and others use access-list control, which gives the user access to different resources (endpoints). Other applications use other means of protection.

In my review, I found that the forget-password endpoint in the backend was protected: to call this endpoint, the user needs a valid token. But since the user has forgotten the password, there is no valid token in local storage.

To get around this, the frontend developer found a workaround: he requests a valid admin token and then calls the forget-password endpoint.

This was the security breach: the frontend developer requests an admin token and then calls the forget-password endpoint. Since the request was made by the frontend, I was able to sniff the request and get the clientId and clientSecret. With those two parameters I was able to create unlimited admin tokens.

After I was able to get an admin token, I decoded the JWT to see what permissions this token has. Based on the permissions, I started to guess endpoints.

I found some endpoints, but the most valuable endpoints were user-related endpoints.

I had a call with my friend, and after he confirmed that the hotfix had been applied to this system, I tested the endpoint again and the security breach is not there anymore. That is why I am sharing this article.

As I said in some older posts, it is time to audit IT systems.
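
The article does not say what the hotfix was. As an added example (not the audited application's code), here is one server-side design for a forget-password flow that needs no bearer token and no clientId/clientSecret in the browser: the endpoint is public, rate-limited and gives a uniform reply, and the only secret is a single-use, expiring token sent to the account's mailbox. All names, limits and the in-memory Maps standing in for a database are assumptions.

```javascript
// Added example: every identifier here is hypothetical, not from the audited app.
const { createHash, randomBytes } = require("node:crypto");

const RESET_TTL_MS = 15 * 60 * 1000;   // a reset token expires after 15 minutes
const HOUR_MS = 60 * 60 * 1000;
const MAX_REQUESTS_PER_HOUR = 3;       // per e-mail address
const GENERIC_REPLY = { status: 202, body: "If the account exists, a reset link was sent." };

const sha256 = (s) => createHash("sha256").update(s).digest("hex");

// deps: { userExists(email), setPassword(email, pw), sendMail(email, token), now() }
function createResetService(deps) {
  const now = deps.now || Date.now;
  const pending = new Map();  // sha256(reset token) -> { email, expires }
  const recent = new Map();   // email -> timestamps of recent requests

  // Public endpoint: the caller presents no token at all, so the frontend
  // never needs an admin credential to reach it.
  function forgotPassword(email) {
    const t = now();
    const hits = (recent.get(email) || []).filter((ts) => t - ts < HOUR_MS);
    hits.push(t);
    recent.set(email, hits);
    if (hits.length <= MAX_REQUESTS_PER_HOUR && deps.userExists(email)) {
      const token = randomBytes(32).toString("hex");
      // Only the hash is stored, so a leaked table does not yield usable tokens.
      pending.set(sha256(token), { email, expires: t + RESET_TTL_MS });
      deps.sendMail(email, token);  // the secret goes only to the mailbox owner
    }
    return GENERIC_REPLY;  // same answer whether or not the account exists
  }

  // The mailed token authorises exactly one password change for one account.
  function resetPassword(token, newPassword) {
    const key = sha256(String(token));
    const entry = pending.get(key);
    pending.delete(key);  // single use, also when the token has expired
    if (!entry || entry.expires < now()) {
      return { status: 400, body: "Invalid or expired token." };
    }
    deps.setPassword(entry.email, newPassword);
    return { status: 204, body: "" };
  }

  return { forgotPassword, resetPassword };
}
```
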

Good write up! Creative thinking in finding the issue! It’s a nice use case for bad design leading to serious security issues! Frankly, most shortcuts in the engineering process lead to serious issues in the long run. #Think #SecureDesign #Pentest
