Token Issuance Abuse - Unlimited "authenticated" HTTP requests

Disclaimer: This is the free version. The paid tier is understood to offer an option to require users to sign in (email authentication) before they can participate and vote.

Have you ever wanted something so bad? I'm sure you have.

This is how this post came about. One day at a townhall, management decided to use a web application to conduct a Q&A session, meaning anyone only needs to open a link to start posting questions. Want your question to be noticed (the more votes you have, the higher up your question sits)? You'd open an Incognito window and vote as many times as you can. Got tired of it? You automate it :)

Remember that HTTP is a stateless protocol. For the application to limit a vote to one per visitor, something must be used to recognise that visitor across requests. This usually comes in the form of HTTP headers (commonly used by OAuth/JWT apps) or cookies (session IDs and the like). The application we are looking at today uses an HTTP header: "Authorization: <some long string>".

It's fairly simple to observe how the application works by looking at its HTTP requests. Don't be discouraged by the number of requests going to the server: only a few of them are crucial to automating the voting. Let's break it down.

  1. Accessing an event by code
    Let's say that you are at a conference and you are given an event code so you can start asking questions. Below is the sample request/response for the event #test.
    [Screenshot: request/response for accessing event #test]
    The key/value pair of interest is uuid. I've discovered it to be the unique ID of an event, which we will see later is used by the application in an API call to obtain an Authorization Bearer token.

  2. Obtaining an authorization token
    Every time a user visits an event, an HTTP GET request is made with the uuid obtained in step (1) as a parameter, and the response assigns an access_token.
    [Screenshot: token request/response]

  3. Making a vote
    The request for making a vote takes two parameters in a REST-style URI, like so: /api/v0.5/events/<event_id>/questions/<question_id_you_want_to_go_on_top>/like
    [Screenshot: like request/response]
    The value event_id is obtained from step (1). For the question_id, I obtain it by simply watching the network traffic (Developer Tools, F12, Network tab). You only need to do this once, fret not.
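The three steps above describe an issuance flow in which the bearer token is the only thing that identifies a voter, and anyone can obtain a fresh one for free. The following in-memory model is an added example written for this page; it is not the Q&A product's code or the author's script. It compares that policy with a hardened one in which a token is bound to a stable client identity (a signed-in user, or a cookie set on first visit) and likes are deduplicated on that identity. The `Policy` and `VoteService` names, the token shape and the `visitor-1` client ID are assumptions; the question ID is the one from the post's run.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

var ErrUnknownToken = errors.New("unknown token")
var ErrAlreadyVoted = errors.New("this identity already liked this question")
var ErrTooManyTokens = errors.New("token issuance limit reached for this client")

// Policy selects how tokens are issued and how likes are deduplicated.
type Policy struct {
	MaxTokensPerClient int  // 0 = unlimited, the free-tier behaviour in the post
	DedupeByClient     bool // key likes on the client a token was issued to, not on the token
}

// VoteService is a single-goroutine, in-memory stand-in for the Q&A backend,
// constructed for this example; it is not the product's code.
type VoteService struct {
	policy Policy
	owner  map[string]string          // token -> client identity it was issued to
	issued map[string]int             // client identity -> tokens issued so far
	likes  map[string]map[string]bool // question ID -> identities that liked it
}

func NewVoteService(p Policy) *VoteService {
	return &VoteService{policy: p, owner: map[string]string{},
		issued: map[string]int{}, likes: map[string]map[string]bool{}}
}

// newToken returns a random 40-hex-character bearer token, the same shape as
// the access_token values printed in the post.
func newToken() string {
	b := make([]byte, 20)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// IssueToken models the GET that hands out an access_token for an event uuid.
// clientID is whatever stable identity the server can tie to the caller (a
// signed-in user, a first-visit cookie); the free tier in the post ties none.
func (s *VoteService) IssueToken(clientID string) (string, error) {
	if s.policy.MaxTokensPerClient > 0 && s.issued[clientID] >= s.policy.MaxTokensPerClient {
		return "", ErrTooManyTokens
	}
	tok := newToken()
	s.owner[tok] = clientID
	s.issued[clientID]++
	return tok, nil
}

// Like models /api/v0.5/events/<event_id>/questions/<question_id>/like.
func (s *VoteService) Like(token, questionID string) error {
	clientID, ok := s.owner[token]
	if !ok {
		return ErrUnknownToken
	}
	// Vulnerable policy: the token is the voter, so each fresh token is a new
	// vote. Hardened policy: the client the token was issued to is the voter.
	identity := token
	if s.policy.DedupeByClient {
		identity = clientID
	}
	if s.likes[questionID] == nil {
		s.likes[questionID] = map[string]bool{}
	}
	if s.likes[questionID][identity] {
		return ErrAlreadyVoted
	}
	s.likes[questionID][identity] = true
	return nil
}

func (s *VoteService) Likes(questionID string) int { return len(s.likes[questionID]) }

// Simulate repeats the post's pattern in memory: request n tokens as the same
// client and like the same question once per token, then report the count.
func Simulate(s *VoteService, clientID, questionID string, n int) int {
	for i := 0; i < n; i++ {
		tok, err := s.IssueToken(clientID)
		if err != nil {
			break // issuance cap reached
		}
		_ = s.Like(tok, questionID) // a duplicate like is simply rejected
	}
	return s.Likes(questionID)
}

func main() {
	anon := NewVoteService(Policy{})
	hard := NewVoteService(Policy{MaxTokensPerClient: 1, DedupeByClient: true})
	fmt.Println("free-tier issuance, 10 tokens:", Simulate(anon, "visitor-1", "4832338", 10))
	fmt.Println("hardened issuance, 10 tokens:", Simulate(hard, "visitor-1", "4832338", 10))
}
```

With `Policy{}` ten token requests produce ten likes, matching the post's run. With `DedupeByClient` alone the same ten tokens yield a single like, and the issuance cap additionally stops the extra tokens from being handed out at all. The sign-in requirement of the paid tier mentioned in the disclaimer is what supplies a usable clientID in practice; without any such binding, rate-limiting token issuance per source address is the only remaining lever, and it is a weak one.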


That's it! Simple, right?

Let's start to automate it so that you can get any question you want voted up X times. I'm doing it in Go! You can try doing it in your own favourite language.

It's simple. The script takes in an event code, a question ID and the number of times you want to upvote the question. If 10 is the number of times you want a question upvoted, the script will simply obtain 10 authorization tokens and fire the vote request with each one.

Before
[Screenshot: vote count before automation]
Automate

~someshell$ ./main test 4832338 10
Unmarshalling JSON Array response to Struct
520666
42e231bf-c53e-47ae-988c-4eff0c7b81d7
Obtaining 10 tokens
Obtaining tokens...
Obtaining tokens...
Obtaining tokens...
Obtaining tokens...
Obtaining tokens...
Obtaining tokens...
Obtaining tokens...
Obtaining tokens...
Obtaining tokens...
Obtaining tokens...
[f3f6004fbee5957513341a45d2c6396cfa5ca13b ca0a05912fd70bd0e8553ab3f95548a399beab29 2cb43b135d2cf51d9e52dcd4a977fa0b64e53a08 f3b2c45be77e1fedf7ab6c8636ade19df16a1227 659af57a2c43c3bcddb8f69ea95aa40c288e37e2 ebf1e50194a23b20dc6197bb05f82af1d2a387b1 9fc3a461356ce34fc890409f5ca5bf605febb68a 22b55027d2ed4ddf4efc863348019673a070a333 6bea642800fcc47225ff1048f37c07848d22ee20 e7791680a0fdd3fccf832dcf49e03e92ffe7c3e2]
Voted on 4832338 of the event 520666 by 10 times

After
[Screenshot: vote count after automation]
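The run above leaves a recognisable trace on the server side: a burst of token requests from one client followed by repeated likes on the same question. The following detector is an added example written for this page, not part of the post or of the Q&A product. It scans access-log lines for both signals. The log line format, the token endpoint path and the client addresses are constructed assumptions; the event uuid, event ID and question ID come from the post's output.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
	"time"
)

// SampleLog is constructed access-log data in the format
// "<RFC3339 time> <client> <method> <path> <status>". The token path and the
// client addresses are assumptions; the IDs are the ones from the post's run.
const SampleLog = `
2018-06-15T22:49:58Z 198.51.100.4 GET /api/v0.5/token?uuid=42e231bf-c53e-47ae-988c-4eff0c7b81d7 200
2018-06-15T22:49:59Z 198.51.100.4 POST /api/v0.5/events/520666/questions/4832338/like 200
2018-06-15T22:50:03Z 203.0.113.7 GET /api/v0.5/token?uuid=42e231bf-c53e-47ae-988c-4eff0c7b81d7 200
2018-06-15T22:50:03Z 203.0.113.7 GET /api/v0.5/token?uuid=42e231bf-c53e-47ae-988c-4eff0c7b81d7 200
2018-06-15T22:50:04Z 203.0.113.7 GET /api/v0.5/token?uuid=42e231bf-c53e-47ae-988c-4eff0c7b81d7 200
2018-06-15T22:50:04Z 203.0.113.7 GET /api/v0.5/token?uuid=42e231bf-c53e-47ae-988c-4eff0c7b81d7 200
2018-06-15T22:50:05Z 203.0.113.7 GET /api/v0.5/token?uuid=42e231bf-c53e-47ae-988c-4eff0c7b81d7 200
2018-06-15T22:50:06Z 203.0.113.7 POST /api/v0.5/events/520666/questions/4832338/like 200
2018-06-15T22:50:06Z 203.0.113.7 POST /api/v0.5/events/520666/questions/4832338/like 200
2018-06-15T22:50:07Z 203.0.113.7 POST /api/v0.5/events/520666/questions/4832338/like 200
`

// Entry is one parsed log line.
type Entry struct {
	At     time.Time
	Client string
	Method string
	Path   string
}

// ParseLine parses one SampleLog-format line; ok is false for blank or malformed lines.
func ParseLine(line string) (e Entry, ok bool) {
	f := strings.Fields(line)
	if len(f) < 5 {
		return Entry{}, false
	}
	t, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Entry{}, false
	}
	return Entry{At: t, Client: f[1], Method: f[2], Path: f[3]}, true
}

// Alert names a client and why it was flagged.
type Alert struct {
	Client string
	Reason string
}

// Detect raises an alert for (a) more than maxTokens token issuances from one
// client inside a sliding window, and (b) a second like on the same question
// path from the same client. Each client is flagged once per condition.
func Detect(logText string, window time.Duration, maxTokens int) []Alert {
	issued := map[string][]time.Time{} // client -> issuance times inside the window
	likes := map[string]int{}          // client + "|" + like path -> count
	flagged := map[string]bool{}
	var alerts []Alert
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		e, ok := ParseLine(sc.Text())
		if !ok {
			continue
		}
		switch {
		case e.Method == "GET" && strings.HasPrefix(e.Path, "/api/v0.5/token"):
			times := append(issued[e.Client], e.At)
			for len(times) > 0 && e.At.Sub(times[0]) > window {
				times = times[1:] // lines arrive in time order, so trim from the front
			}
			issued[e.Client] = times
			if key := "tokens|" + e.Client; len(times) > maxTokens && !flagged[key] {
				flagged[key] = true
				alerts = append(alerts, Alert{e.Client,
					fmt.Sprintf("%d tokens issued within %s", len(times), window)})
			}
		case e.Method == "POST" && strings.HasSuffix(e.Path, "/like"):
			key := e.Client + "|" + e.Path
			likes[key]++
			if likes[key] == 2 {
				alerts = append(alerts, Alert{e.Client, "repeated like on " + e.Path})
			}
		}
	}
	return alerts
}

func main() {
	for _, a := range Detect(SampleLog, time.Minute, 3) {
		fmt.Printf("%s: %s\n", a.Client, a.Reason)
	}
}
```

On the sample data the normal visitor (one token, one like) is silent, while the bursting client trips both rules. The like rule is the stronger signal because it does not depend on a threshold: under the free tier a single client has no legitimate reason to like the same question twice. The token rule needs tuning per deployment, since attendees behind one NAT address share a client key.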

I will share the script in the upcoming post. Keep your passion up!
