
Vulnerability Report: Session Mismanagement / Broken Authentication in Profile Update Endpoint #197

@eMKayRa0

Description

Vulnerability Report: Session Mismanagement / Broken Authentication in Profile Update Endpoint

Summary:

The profile update endpoint (PATCH /api/users/11290) on https://app.aixblock.io/ allows unauthorized modifications to sensitive user profile fields (e.g., first_name, last_name, username) using a captured HTTP request, even after the user has logged out. This vulnerability stems from the server accepting replayed requests in Burp Suite’s Repeater, with or without parameter changes, without validating the session state or enforcing proper authentication checks. The issue indicates inadequate session invalidation and a lack of robust authorization mechanisms, enabling persistent unauthorized updates.

Severity: High (due to unauthorized changes to profile data and potential for account manipulation).

Affected Component: Profile update endpoint (PATCH /api/users/{id}), hosted at https://app.aixblock.io/.

Steps to Reproduce:

1. Account Creation and Initial Setup:
   - Register a new account on https://app.aixblock.io/ using a temporary email (e.g., [REDACTED_EMAIL]) and complete the sign-up process.
   - Log in to the account and navigate to Account Settings > Profile Settings.
   - Update a profile field (e.g., set first_name to "Bobby_boy") and submit the change to trigger a PATCH request.

2. Request Capture with Burp Suite:
   - Configure Burp Suite (Community v2025.6) as a proxy on your browser (e.g., Firefox 140.0) and enable interception.
   - Capture the PATCH /api/users/[REDACTED_ID] request sent during the profile update and forward it to the Repeater tab.
   - Drop the intercepted request to prevent the initial update from being applied.

3. Logout Verification:
   - Log out of the account by selecting the "Log Out" option, confirming redirection to the login page (e.g., https://app.aixblock.io/user/signup/).
   - Verify that the session is terminated by attempting to access a protected page (e.g., /user/account) without re-authentication.

4. Replay the Captured Request:
   - In Burp Suite's Repeater, replay the captured request with the original parameters.
   - Observe the server response (e.g., HTTP/2 200 OK) indicating a successful update, despite the logout.

5. Modify and Replay with Edited Parameters:
   - Edit the request body to change multiple fields (e.g., set first_name, last_name, and username to "BAC_POC_BUGBOY07").
   - Send the modified request and verify the response confirms the update (e.g., updated fields reflected in the JSON response).

6. Validate Changes:
   - Log back into the account and navigate to Profile Settings to confirm the changes (e.g., first_name, last_name, and username updated to "BAC_POC_BUGBOY07").

7. Test for Unlimited Replays:
   - Repeat the replay process with different values (e.g., first_name to "TestUser123") multiple times to demonstrate the lack of rate limiting or session validation.

Evidence:

Original Captured Request:
```text
PATCH /api/users/[REDACTED_ID]/ HTTP/2
Host: app.aixblock.io
Cookie: [REDACTED_COOKIES]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://app.aixblock.io/user/account
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/json
Content-Length: [REDACTED]
Origin: https://app.aixblock.io
Dnt: 1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

{"id":[REDACTED_ID],"uuid":[REDACTED_UUID],"first_name":"Bobby_boy","last_name":"boy","username":"Bobby_Bug","email":[REDACTED_EMAIL],"last_activity":"2025-07-02T16:08:36.208982Z","avatar":null,"initials":"BB","phone":"","active_organization":6744,"is_organization_admin":true,"is_freelancer":false,"allow_newsletters":null,"is_active":true,"is_superuser":false,"is_qa":false,"is_qc":false,"is_model_seller":false,"is_compute_supplier":false,"is_labeler":false,"date_joined":"2025-06-11T22:28:59.188952Z","rank_point_name":null,"point":null,"is_verified":true,"centrifuge_token":[REDACTED_TOKEN]}
```

Edited and Replayed Request:
```text
PATCH /api/users/[REDACTED_ID]/ HTTP/2
Host: app.aixblock.io
Cookie: [REDACTED_COOKIES]
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://app.aixblock.io/user/account
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/json
Content-Length: [REDACTED]
Origin: https://app.aixblock.io
Dnt: 1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

{"id":[REDACTED_ID],"uuid":[REDACTED_UUID],"first_name":"BAC_POC_BUGBOY07","last_name":"BAC_POC_BUGBOY07","username":"BAC_POC_BUGBOY07","email":[REDACTED_EMAIL],"last_activity":"2025-07-02T15:56:34.911297Z","avatar":null,"initials":"BB","phone":"","active_organization":6744,"is_organization_admin":true,"is_freelancer":false,"allow_newsletters":null,"is_active":true,"is_superuser":false,"is_qa":false,"is_qc":false,"is_model_seller":false,"is_compute_supplier":false,"is_labeler":false,"date_joined":"2025-06-11T22:28:59.188952Z","rank_point_name":null,"point":null,"is_verified":true,"centrifuge_token":[REDACTED_TOKEN]}
```

Server Response:
```text
HTTP/2 200 OK
Date: Wed, 02 Jul 2025 16:04:38 GMT
Content-Type: application/json
Server: cloudflare
Nel: {"report_to":"cf-nel","success_fraction":0.0,"max_age":604800}
Allow: GET, HEAD, PATCH, DELETE
Vary: Authorization, Accept-Language, Cookie, Origin
X-Frame-Options: SAMEORIGIN
Content-Language: en-us
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://workflow-live.aixblock.io
Cf-Cache-Status: DYNAMIC
Report-To: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=[REDACTED]"}]}
Set-Cookie: [REDACTED_COOKIES]
Cf-Ray: [REDACTED_RAY]
Alt-Svc: h3=":443"; ma=86400

{"id":[REDACTED_ID],"first_name":"BAC_POC_BUGBOY07","last_name":"BAC_POC_BUGBOY07","username":"BAC_POC_BUGBOY07","email":[REDACTED_EMAIL],"password":[REDACTED_PASSWORD],"last_activity":"2025-07-02T16:04:38.481038Z","avatar":null,"initials":"BB","phone":"","active_organization":6744,"is_organization_admin":true,"is_freelancer":false,"allow_newsletters":null,"is_active":true,"is_superuser":false,"is_qa":false,"is_qc":false,"is_model_seller":false,"is_compute_supplier":false,"is_labeler":false,"date_joined":"2025-06-11T22:28:59.188952Z","rank_point":null,"is_verified":true}
```

Screenshots:

- Burp Suite Repeater tab displaying the original request, edited request, and corresponding HTTP/2 200 OK responses.
- Browser screenshots of the sign-up page (https://app.aixblock.io/user/signup/), account settings page pre- and post-update, and the login page after logout.
- Additional screenshots of multiple replay attempts showing consistent success.

Video (optional): [Secure link to a video recording (e.g., via Google Drive with password protection) demonstrating the entire process from login to replay and validation].

Logs:

- Successfully updated first_name, last_name, and username to "BAC_POC_BUGBOY07" on July 2, 2025, at 09:37 PM IST.
- Conducted multiple replays (e.g., 5 attempts) with varying values, all accepted by the server.
- Testing performed on Windows 10 (64-bit) using Firefox 140.0 and Burp Suite Community v2025.6.

Impact:

Attackers who intercept a PATCH request (e.g., via man-in-the-middle attacks or XSS) can replay it post-logout to modify profile fields. This could lead to:

- Account Manipulation: Changing username to impersonate the user or disrupt their account.
- Session Fixation: The persistent validity of sessionid and csrftoken post-logout suggests a failure to invalidate sessions, increasing the attack surface.
- Unlimited replays allow persistent and repeated unauthorized changes without rate limits or expiration.
- Business Risk: Unauthorized profile changes could erode user trust, lead to legal liabilities under data protection laws (e.g., GDPR, CCPA), and result in financial losses if exploited for fraud or identity theft.

Suggested Fixes:

1. Session Invalidation on Logout:
   - Implement server-side session token (sessionid) invalidation upon logout by deleting or marking it as expired in the session store (e.g., Redis, database).

2. Strengthen Authorization Checks:
   - Add middleware to validate that the user is authenticated for each PATCH /api/users/{id} request before processing updates.

3. Enhance Profile Field Protection:
   - Require re-authentication (e.g., password or 2FA) or email verification for changes to sensitive fields like username.

4. Implement CSRF Protection:
   - Enforce and validate CSRF tokens (csrftoken) for all state-changing requests to prevent unauthorized replays from external sources.

5. Introduce Rate Limiting:
   - Apply rate limits (e.g., 5 requests per hour per IP or session) to the PATCH /api/users/{id} endpoint to mitigate abuse from replay attacks.

6. Use Short-Lived Tokens:
   - Reduce the lifespan of session tokens (e.g., 15–30 minutes) and refresh them on each request to limit the window for replay attacks.

7. Logging and Monitoring:
   - Log all PATCH /api/users/{id} requests with user IP, timestamp, and parameters, and set up alerts for unusual activity (e.g., multiple updates post-logout).

Environment:

- Browser: Mozilla Firefox 140.0
- Tool: Burp Suite Community Edition v2025.6
- Operating System: Windows 10 (64-bit)
- Date/Time: July 2, 2025, 10:07 PM IST
- Researcher: BugBoy07
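The following is an added example, not code from the report or from the AIxBlock project: a minimal Python model of suggested fixes 1, 2, 3, 6 and 7 (server-side session deletion on logout, per-request authentication and ownership checks on PATCH /api/users/{id}, re-authentication for sensitive fields, sliding expiry, and an audit line per decision). demo() replays the report's sequence and shows the post-logout replay rejected with 401. The sensitive field set, the 300-second re-auth window and the in-memory store are assumptions.

```python
# Added illustration, not AIxBlock's own code: session records are deleted server-side on
# logout and every PATCH re-resolves the session, so a replayed cookie cannot be honoured.
import secrets

SENSITIVE_FIELDS = {"username", "email"}  # assumed fields that need fresh authentication
REAUTH_WINDOW = 300                       # seconds since login within which they may change

class SessionStore:
    def __init__(self, ttl_seconds=1800):
        self.ttl = ttl_seconds
        self._sessions = {}  # sessionid -> {"user_id", "expires", "auth_at"} (stand-in for Redis/DB)

    def login(self, user_id, now):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user_id": user_id, "expires": now + self.ttl, "auth_at": now}
        return sid

    def logout(self, sid):
        self._sessions.pop(sid, None)  # deleting the record makes a replayed cookie useless

    def resolve(self, sid, now):
        rec = self._sessions.get(sid)
        if rec is None or rec["expires"] <= now:
            self._sessions.pop(sid, None)
            return None
        rec["expires"] = now + self.ttl  # sliding expiry, refreshed on each use
        return rec

def patch_user(store, sid, target_id, body, now, audit):
    """Return (status, payload) and append one audit line per decision."""
    rec = store.resolve(sid, now)
    if rec is None:
        audit.append(f"DENY 401 PATCH /api/users/{target_id} (no valid session)")
        return 401, {"detail": "Authentication credentials were not provided."}
    if rec["user_id"] != target_id:
        audit.append(f"DENY 403 user {rec['user_id']} PATCH /api/users/{target_id}")
        return 403, {"detail": "You do not have permission to perform this action."}
    if SENSITIVE_FIELDS.intersection(body) and now - rec["auth_at"] > REAUTH_WINDOW:
        audit.append(f"DENY 403 user {target_id} stale auth for sensitive fields")
        return 403, {"detail": "Re-authentication required for sensitive fields."}
    audit.append(f"ALLOW 200 user {target_id} PATCH fields={sorted(body)}")
    return 200, {"id": target_id, **body}

def demo():
    # The report's sequence: update while logged in, log out, replay with the same cookie.
    store, audit, t0 = SessionStore(), [], 1000.0
    sid = store.login(11290, t0)
    live = patch_user(store, sid, 11290, {"first_name": "Bobby_boy"}, t0 + 10, audit)
    store.logout(sid)
    replay = patch_user(store, sid, 11290, {"first_name": "BAC_POC_BUGBOY07"}, t0 + 20, audit)
    return live[0], replay[0], audit
```

The audit list returned by demo() is the input a monitoring rule for "updates after logout" would match on.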
