JWT misconfiguration and PII sensitive information leak

Opara David
3 min read

Hi guys, it's David again, your favorite software developer and security researcher. I am back with another report for you. As I promised, I will keep documenting all my bug findings. I had a busy week, so I used the weekend to make this report more resourceful. Let's dive into the real business of today!


There are two bugs in this context. The first is a JWT misconfiguration bug, and the second is a PII sensitive information leak. I will focus more on the latter.

Let's call the application redacted.com.

Redacted is a healthcare system with different roles such as Patients, Clinics and Admins. I was conducting a penetration test on the application on a Friday; we were trying to test our implementations so far. Being one of the developers of the platform with cybersecurity experience, I was given the task of conducting a one-day pentest on a particular section. As weird as it sounds, I mean a 24-hour pentest. Initially, I thought it would be impossible to achieve something presentable within a day. But then I decided to give it a try and planned how to prove a point that 24 hours is a really small period of time to get something meaningful out of a pentest 😂.

Let's start!
I decided to start my tests from the authentication endpoints. The unauthenticated parts didn't seem to contain much of interest; they were basically blog write-ups. For blog applications, if there are no input fields to test for XSS or HTML injection, I perform some fuzzing to discover juicy/hidden endpoints. While the fuzzing ran in the background, I found an authentication bug: the access tokens issued on registration do not expire on logout. Even after logout, those tokens were still valid, and every request sent with them went through. I didn't see this as much of a bug on its own, because I tried to perform an XSS to send these tokens over, but unfortunately it didn't work as planned; otherwise there would have been a much stronger case to prove an Account Takeover (ATO) bug.


Let's talk about the second bug.

As I said earlier, there are three roles on the application. I started by navigating through the entire app with Burp Suite in place to capture all requests. I created a clinic account to get an overview of all the endpoints/functionalities within the clinic's context, then logged out and created a patient account with the same intent of getting an overview before I planned my attack methodology.

Being logged in as a patient, I then decided to see if I could access some routes designated to the clinic. After a while, I accessed the route "api/v1/clinic/?page=1&page_size=100" and BOOM!!!! I got PII info while logged in as a patient. It displayed 100 sensitive clinic records with fields such as email, phone and db_name.
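Both findings above come down to two server-side controls that were missing: logout never invalidated the access token, and the clinic listing never checked the caller's role. Here is an added example, not code from the post or from the redacted application, showing how a backend can close both gaps. It mints HS256 JWTs with a `jti` claim, keeps a denylist of revoked `jti` values until the token's own `exp` (assumed to live in a shared store such as Redis in a real multi-instance deployment), and gates the `/api/v1/clinic/` route, named after the endpoint in the post, behind an explicit role check before any data is returned. The signing key, route table and sample user ids are constructed for the example.

```python
# Added example (not from the original post): issuing HS256 JWTs with a
# jti, revoking them on logout via a server-side denylist, and enforcing
# the role an endpoint requires before serving data.
import base64
import hashlib
import hmac
import json
import time
import uuid

# Constructed demo key; a real deployment loads this from a secret store.
SECRET = b"constructed-demo-secret-do-not-use"

# jti -> exp for tokens revoked before their natural expiry. Assumed to live
# in a shared store (e.g. Redis) when the API runs on several instances.
REVOKED = {}

# Hypothetical route table; the path mirrors the clinic listing in the post.
ROUTE_ROLES = {"/api/v1/clinic/": {"clinic", "admin"}}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, role: str, ttl: int = 900, now: int = None) -> str:
    """Mint a short-lived HS256 token carrying the role and a unique jti."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "role": role, "iat": now,
               "exp": now + ttl, "jti": uuid.uuid4().hex}
    signing_input = f"{_b64(json.dumps(header).encode())}.{_b64(json.dumps(payload).encode())}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64(sig)}"


def verify_token(token: str, now: int = None) -> dict:
    """Return the payload, or raise ValueError if the token must be rejected."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    # Check the signature first, with a constant-time comparison.
    expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    # Pin the algorithm so a header swap cannot change how we verify.
    if json.loads(_unb64(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    payload = json.loads(_unb64(body))
    if payload["exp"] <= now:
        raise ValueError("expired")
    if payload["jti"] in REVOKED:
        raise ValueError("revoked")
    return payload


def logout(token: str, now: int = None) -> None:
    """Denylist the token's jti until its exp, so logout really ends the session."""
    payload = verify_token(token, now)
    REVOKED[payload["jti"]] = payload["exp"]


def purge_revoked(now: int = None) -> int:
    """Drop denylist entries whose token has expired anyway; returns the count removed."""
    now = int(time.time()) if now is None else now
    stale = [jti for jti, exp in REVOKED.items() if exp <= now]
    for jti in stale:
        del REVOKED[jti]
    return len(stale)


def handle_request(path: str, token: str, now: int = None) -> tuple:
    """Authenticate, then authorise by role, before touching any data."""
    try:
        payload = verify_token(token, now)
    except ValueError as err:
        return 401, f"unauthorized: {err}"
    allowed = ROUTE_ROLES.get(path)
    if allowed is None:
        return 404, "not found"
    if payload["role"] not in allowed:
        return 403, "forbidden"
    return 200, f"clinic listing served to {payload['sub']}"
```

The denylist only needs to remember a `jti` until the token would have expired on its own, which is why short token lifetimes and the `purge_revoked` sweep keep it small; the role check sits in the request handler rather than in the frontend, since a patient's session can call any URL it likes.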


I reported this to the company and got praised for it.
Thanks for reading!!!! See you later!
