Full Report
Sam Curry decided to hit the auto industry, ranging from BMW to Ferrari. First, they looked at a platform with a custom SSO. They started with OSINT tools like gau and ffuf and found a WADL file that exposed the API endpoints. While making requests, they noticed that wildcards could be used to find query names. Another route, totp, returned a 7-digit number for password resets when given a user ID! This allowed for a complete compromise of all the dealer portals.

While reviewing the Mercedes-Benz infrastructure, they noticed that LDAP was used for everything employee-related. Even though the main site didn't have a register function, they found the URL umas.mercedes-benz.com for repair shop tool access, which DID allow registration. These LDAP credentials could then be used on GitHub and various other portals they discovered. This led to code execution in many places and major information disclosure.

The author was mapping out Kia when they came across kdealer.com, where dealers can register an account to activate Connect for customers. kiaconnect.kdealer.com could be used to enroll a VIN but required a valid session to work. While reversing the client-side JavaScript, they noticed that the prelogin header could give them something like a valid session for some actions. Sadly, this continued to give errors, so the authors took a valid session token from owners.kia.com and appended it to the request on the original site. This allowed them to create a valid vehicle initialization session and start taking over a car. Once again, adding the prelogin header let them generate a dealer token to pair the vehicle to their own account. With this, the car could be remotely controlled.

Ferrari's CMS appeared to have backend credentials within the JavaScript frontend. They found an API endpoint that shared all of the backend routes, as well as credentials for these endpoints. With access to this information, it was possible to perform many sensitive operations, such as modifying users, editing user roles and much more.

Spireon is a company similar to OnStar. While doing recon, they noticed the ancient site admin.spireon.com. Since this was behind auth and everything led to a redirect, they tried a simple SQL injection: admin'#. Luckily, this site was from before security was a thing, leading to a login bypass. This could be used to perform admin actions like tracking cars. Neat! But we're not done with this endpoint yet. Anything with 'admin' would return a 403, a denylist. So they fuzzed the endpoint and learned that %0dadmin would get past the list but still return the normal page. With this admin portal, a malicious actor could backdoor all of the devices and leak a ton of information.

Reviver is a site that implements virtual license plates. A company had a JSON object associated with it. One of the fields was type, for the user type. While reviewing the JavaScript, they learned about several other user types, such as CORPORATE. By changing the role parameter, which is NOT shown in the request, the role of their account was changed. Even with this, many authorization errors were given, so the author had to create a user account with their new permissions. Now the permissions worked as expected. The vulnerability above is called a mass assignment bug, since the parameter wasn't expected but still updated the underlying object. This admin account gave them full access to customer information and allowed modifications as well.

Two things of note for me. First, lots of internal things are being exposed publicly. Since the various complicated sites have to operate together with the same core functionality, this is bound to happen. Second, many of these issues, such as the SSO bugs, only exist because of the attack surface as a whole and not just because of an issue with one website.
Analysis Summary
# Tool/Technique: OSINT Tools (gau, ffuf)
## Overview
A set of open-source intelligence (OSINT) tools utilized for reconnaissance. In this context, they were used to map out external attack surfaces, specifically searching for misconfigured files or endpoints exposed publicly.
## Technical Details
- Type: Tool
- Platform: Linux, macOS, Windows (via compatible environments)
- Capabilities: Web asset discovery, content and endpoint enumeration.
- First Seen: N/A (General reconnaissance tools)
## MITRE ATT&CK Mapping
- TA0043 - Reconnaissance
- T1595 - Active Scanning
- T1595.002 - Internet Service Scanning
- T1598 - Information from Other Web Services
## Functionality
### Core Capabilities
- **gau (getallurls):** Used primarily for discovering endpoints by parsing publicly available assets (like GitHub repositories or crawled data) to find forgotten or unlinked web paths.
- **ffuf:** A fast web fuzzer used for discovering hidden content, directories, or parameters on web servers by intelligently trying a vast list of possibilities.
### Advanced Features
- Used here in conjunction to find specific artifacts like a WADL file, which exposed API definitions.
## Indicators of Compromise
- N/A (These are benign reconnaissance tools used by the adversary to initiate attacks)
## Associated Threat Actors
- General security researchers and penetration testers.
## Detection Methods
- Detection focuses on the *outputs* or *behavior* of the tools against the target infrastructure (e.g., high-volume requests, discovery of sensitive endpoints).
## Mitigation Strategies
- Robust internal network segmentation and strict monitoring of external scanning activity.
- Minimizing information leakage through public code repositories or documentation.
## Related Tools/Techniques
- Other asset discovery tools like Nmap, GoBuster, DirBuster.
***
# Tool/Technique: Exposed WADL File Utilization
## Overview
The technique of discovering and exploiting a Web Application Description Language (WADL) file. WADL files describe the structure and capabilities of RESTful web services, which, if publicly exposed, directly hand an attacker the blueprint for interacting with an API.
## Technical Details
- Type: Technique
- Platform: Web APIs (Client/Server interaction)
- Capabilities: Automatic API documentation parsing, endpoint mapping, parameter identification.
- First Seen: N/A (Associated with historical SOAP/REST services)
## MITRE ATT&CK Mapping
- TA0043 - Reconnaissance
- T1595 - Active Scanning
- T1598.001 - Web Services
## Functionality
### Core Capabilities
- Discovery of all available API endpoints, HTTP methods (GET, POST, etc.), and expected URL parameters.
### Advanced Features
- Enabled the identification of specific query names for effective fuzzing and exploitation attempts.
## Indicators of Compromise
- Presence of exposed WADL or OpenAPI/Swagger documentation files in web-accessible paths (e.g., /api/wadl/, /services/api.wadl).
## Associated Threat Actors
- General web application attackers.
## Detection Methods
- Monitoring web server logs for requests to known documentation file paths (`*.wadl`, `*.yaml`, `*.json` API specs).
## Mitigation Strategies
- Never expose API specification files (WADL, Swagger/OpenAPI docs) to the public internet.
- Implement strict access controls on all API documentation endpoints.
## Related Tools/Techniques
- Exploitation of Swagger/OpenAPI interfaces for API mapping.
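To see concretely what an exposed WADL hands over, here is an added example (not code from the report or any vendor) that walks a constructed WADL document, inventories every method with its full path and parameters, and marks the auth-related endpoints a defender should review first. The hostname and endpoints are invented; the namespace is the standard WADL 2009 one.

```python
import xml.etree.ElementTree as ET

WADL_NS = "{http://wadl.dev.java.net/2009/02}"

# Constructed sample: a small dealer-portal style API description.
SAMPLE_WADL = """<?xml version="1.0"?>
<application xmlns="http://wadl.dev.java.net/2009/02">
  <resources base="https://sso.example.invalid/api/">
    <resource path="users">
      <method name="GET">
        <request><param name="filter" style="query"/></request>
      </method>
      <resource path="{userId}">
        <param name="userId" style="template"/>
        <method name="GET"/>
        <resource path="totp">
          <method name="POST">
            <request><param name="reason" style="query"/></request>
          </method>
        </resource>
      </resource>
    </resource>
  </resources>
</application>
"""

# Words in a path that mark an endpoint for manual review first.
SENSITIVE_WORDS = ("totp", "reset", "password", "admin", "token")


def _walk(resource, base, inherited, inventory):
    """Recursively collect (method, path, params) from nested <resource> nodes.
    Template params declared on a parent resource apply to its children."""
    path = base.rstrip("/") + "/" + resource.get("path", "").strip("/")
    params = inherited + [p.get("name") for p in resource.findall(WADL_NS + "param")]
    for method in resource.findall(WADL_NS + "method"):
        method_params = list(params)
        for req in method.findall(WADL_NS + "request"):
            method_params += [p.get("name") for p in req.findall(WADL_NS + "param")]
        inventory.append((method.get("name", "GET").upper(), path, method_params))
    for child in resource.findall(WADL_NS + "resource"):
        _walk(child, path, params, inventory)


def inventory_wadl(xml_text):
    """Return [(method, absolute_path, [param names])] for every method declared."""
    root = ET.fromstring(xml_text)
    inventory = []
    for resources in root.findall(WADL_NS + "resources"):
        for res in resources.findall(WADL_NS + "resource"):
            _walk(res, resources.get("base", ""), [], inventory)
    return inventory


def sensitive_endpoints(inventory):
    """Paths whose name suggests authentication or account recovery."""
    return [path for _, path, _ in inventory
            if any(word in path.lower() for word in SENSITIVE_WORDS)]


if __name__ == "__main__":
    inv = inventory_wadl(SAMPLE_WADL)
    for method, path, params in inv:
        print(f"{method:5} {path}  params={params}")
    print("review first:", sensitive_endpoints(inv))
```

Run it against your own published spec files (WADL, or after conversion, OpenAPI) to confirm nothing in the inventory surprises you.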
***
# Tool/Technique: API Endpoint Wildcard Parameter Discovery
## Overview
A technique where an attacker discovers that an API endpoint supports the use of wildcards (e.g., `*`) within parameter values, allowing for broader enumeration or bypassing initial validation checks to find valid query names.
## Technical Details
- Type: Technique
- Platform: API Gateways/Web Services
- Capabilities: Bypassing strict parameter matching, enumerating available functions/queries within an API backend.
- First Seen: N/A
## MITRE ATT&CK Mapping
- TA0003 - Persistence
- T1550 - Use Alternate Authentication Material (Less direct, but relates to enumeration)
- TA0010 - Exfiltration
- T1048 - Exfiltration Over Alternative Protocol (If used for data retrieval)
## Functionality
### Core Capabilities
- Validating or discovering the names of internal API queries by substituting known inputs with wildcard characters.
### Advanced Features
- Exploited in the context of an SSO platform (BMW/Ferrari context implied) to map out system functionality.
## Indicators of Compromise
- Logs indicating repeated requests to API endpoints using wildcard characters in query strings.
## Associated Threat Actors
- Security researchers, penetration testers.
## Detection Methods
- Web Application Firewalls (WAFs) or API gateways should flag unusual character usage in query parameters during routine traffic.
## Mitigation Strategies
- Implement strict allow-lists for expected parameter values.
- Validate and sanitize all input parameters to explicitly reject wildcard characters unless they are specifically intended and securely handled.
## Related Tools/Techniques
- Fuzzing techniques used to discover valid parameters.
***
# Tool/Technique: Exposed 7-Digit TOTP Endpoint for Password Reset
## Overview
A critical vulnerability identified where an API endpoint designed for password resetting exposed a static, 7-digit numeric code when supplied with a valid User ID, effectively bypassing multi-factor authentication (MFA) or second-factor checks.
## Technical Details
- Type: Technique/Vulnerability (IDOR variation)
- Platform: Authentication/SSO Systems
- Capabilities: Complete account takeover (ATO) by obtaining the needed password reset code without user interaction or expected knowledge.
- First Seen: N/A
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1110 - Brute Force
- T1110.003 - Password Guessing: Client-Side Guessing (Indirectly, as the code is static and guessable/known)
- TA0006 - Credential Access
- T1110 - Brute Force
## Functionality
### Core Capabilities
- Receiving the required one-time password (OTP) or Time-based One-Time Password (TOTP) surrogate needed to complete a password reset process for any user, leading to full portal compromise.
### Advanced Features
- The number was a fixed "7 digit number," suggesting poor entropy or a default configuration flaw in the token generation/retrieval mechanism.
## Indicators of Compromise
- High volume of password reset requests targeting specific User IDs followed immediately by successful password changes or account lockouts.
## Associated Threat Actors
- Adversaries seeking administrative or dealer access.
## Detection Methods
- Monitoring for password resets that do not correlate with user-initiated actions (e.g., no associated email link clicks or MFA prompts).
- Alerting on static or low-entropy tokens being used during authentication flows.
## Mitigation Strategies
- Ensure all password reset tokens and TOTP codes are cryptographically random, high entropy, and time-bound.
- Never expose sensitive verification codes via API responses unless absolutely necessary, and even then, only after full secondary authentication.
## Related Tools/Techniques
- IDOR (Insecure Direct Object Reference) utilized to target specific user sessions/IDs.
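An added example (not any vendor's code) of the reset flow the mitigations above call for: the token is generated from the OS CSPRNG, only its hash is stored, it expires and is single use, and the HTTP handler never echoes it. The store, TTL and `deliver` callback are assumptions for illustration; `entropy_bits` shows how little a 7-digit numeric code offers by comparison.

```python
import hashlib
import hmac
import math
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # constructed policy: reset tokens live 15 minutes


def entropy_bits(num_possible_values):
    """Bits of entropy in a value chosen uniformly from that many possibilities.
    A 7-digit numeric code has log2(10**7), about 23 bits; the token below has 256."""
    return math.log2(num_possible_values)


class ResetTokenStore:
    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._pending = {}         # user_id -> (sha256(token) hex, expires_at)

    def issue(self, user_id):
        """Create a token for out-of-band delivery. Only the hash is kept."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[user_id] = (digest, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, user_id, presented):
        """True once, only for the right user and token, within the TTL."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        digest, expires_at = entry
        if self._now() > expires_at:
            del self._pending[user_id]
            return False
        presented_digest = hashlib.sha256(presented.encode()).hexdigest()
        if not hmac.compare_digest(digest, presented_digest):  # constant time
            return False
        del self._pending[user_id]  # single use
        return True


def request_reset(store, user_id, deliver):
    """HTTP-handler shape: issue, hand the token to the out-of-band channel
    (e-mail, SMS), and answer with a body that carries no code at all."""
    deliver(user_id, store.issue(user_id))
    return {"status": "ok"}  # same reply whether or not the user exists


if __name__ == "__main__":
    store = ResetTokenStore()
    outbox = {}
    print(request_reset(store, "user-1", lambda u, t: outbox.__setitem__(u, t)))
    print("redeem from outbox:", store.redeem("user-1", outbox["user-1"]))
    print("7-digit code entropy bits:", round(entropy_bits(10 ** 7), 1))
```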
***
# Tool/Technique: LDAP Credential Reuse (SSO Bypass via Infrastructure Misconfiguration)
## Overview
A technique involving finding infrastructure that relies on Lightweight Directory Access Protocol (LDAP) for identity management and successfully leveraging credentials found via one portal (e.g., a repair shop tool) to gain access to unrelated, higher-privilege systems (like GitHub, cloud deployment services).
## Technical Details
- Type: Technique
- Platform: Enterprise Infrastructure (Windows/Linux servers supporting LDAP services)
- Capabilities: Horizontal movement across an enterprise environment by exploiting credential reuse policies.
- First Seen: N/A
## MITRE ATT&CK Mapping
- TA0008 - Lateral Movement
- T1021 - Remote Services
- T1021.001 - Remote Desktop Protocol (Indirectly, by gaining initial service access)
- TA0002 - Execution
- T1059 - Command and Scripting Interpreter (Linked to RCE findings)
## Functionality
### Core Capabilities
- Obtaining valid employee credentials through a separately vulnerable web portal (Mercedes-Benz repair shop tool).
- Using these credentials to authenticate against other internal services protected by the centralized LDAP directory (e.g., GitHub, Jenkins).
### Advanced Features
- This facilitated access to build servers (Jenkins), source code repositories (GitHub), and internal cloud deployment tools, leading directly to Code Execution.
## Indicators of Compromise
- Authentication logs showing successful logins from unusual external IPs or services using employee credentials for systems where those employees rarely log in (e.g., a dealership employee logging into a Jenkins build server).
## Associated Threat Actors
- Credential attackers, APTs focusing on internal network discovery.
## Detection Methods
- Monitoring for successful logins from credentials derived from low-security contexts being used in high-security contexts.
- Implementing Zero Trust principles to limit lateral movement based on role/service context.
## Mitigation Strategies
- Implement strict segmentation between different application environments.
- Implement Privileged Access Management (PAM) and enforce MFA, especially on critical infrastructure like source control and build servers.
- Avoid credential reuse across disparate security domains.
## Related Tools/Techniques
- Password Spraying, Kerberoasting (if Active Directory/LDAP is present).
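The indicator and detection method above, as an added example (not a vendor's detection rule): a role-to-system trust model is applied to constructed authentication log lines, and successful logins to high-trust systems by roles that should never reach them, or from outside corporate ranges, are flagged. Log format, roles, hostnames and IP ranges are all invented for illustration.

```python
import ipaddress
from collections import namedtuple

# Constructed trust model: which roles are expected on which systems.
HIGH_TRUST = {"github", "jenkins", "cloud-deploy"}
ROLE_ALLOWED_SYSTEMS = {
    "dealer": {"dealer-portal", "repair-tool"},
    "developer": {"dealer-portal", "repair-tool", "github", "jenkins", "cloud-deploy"},
}
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]

# Constructed directory lookup: user -> role (in practice, an LDAP attribute).
DIRECTORY = {"alice": "developer", "bob": "dealer"}

# Constructed auth log: "<time> <user> <src_ip> <system> <result>"
AUTH_LOG = """\
2023-01-05T09:00:01Z alice 10.1.2.3 github success
2023-01-05T09:10:44Z bob 198.51.100.7 repair-tool success
2023-01-05T09:11:02Z bob 198.51.100.7 github success
2023-01-05T09:12:30Z bob 198.51.100.7 jenkins failure
2023-01-05T09:15:00Z alice 203.0.113.9 jenkins success
"""

Event = namedtuple("Event", "ts user ip system result")
Alert = namedtuple("Alert", "ts user system reason")


def parse_log(text):
    """One Event per non-empty log line."""
    return [Event(*line.split()) for line in text.splitlines() if line.strip()]


def is_corporate(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_NETS)


def detect(events, directory=DIRECTORY):
    """Alerts for successful high-trust logins that break the trust model."""
    alerts = []
    for ev in events:
        if ev.result != "success" or ev.system not in HIGH_TRUST:
            continue
        role = directory.get(ev.user, "unknown")
        if ev.system not in ROLE_ALLOWED_SYSTEMS.get(role, set()):
            alerts.append(Alert(ev.ts, ev.user, ev.system,
                                f"role '{role}' not expected on {ev.system}"))
        if not is_corporate(ev.ip):
            alerts.append(Alert(ev.ts, ev.user, ev.system,
                                f"high-trust login from external ip {ev.ip}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(AUTH_LOG)):
        print(alert)
```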
***
# Tool/Technique: Client-Side JavaScript Reversal for Session Token Extraction (Kia)
## Overview
The exploitation technique of reversing client-side JavaScript code to discover internal API routes, specific required headers (like `prelogin`), and methods for session token manipulation necessary to perform restricted actions.
## Technical Details
- Type: Technique
- Platform: Web Browsers (Client-Side Code)
- Capabilities: Discovering non-obvious authentication requirements, identifying secret endpoints, and manipulating session states.
- First Seen: N/A
## MITRE ATT&CK Mapping
- TA0003 - Persistence
- T1027 - Obfuscated Files or Information
- T1027.001 - Compiled Languages (JavaScript is interpreted, but the intent is similar to analyzing prepared code)
- TA0011 - Command and Control
- T1071 - Application Layer Protocol
## Functionality
### Core Capabilities
- Used to find the existence of a `prelogin` header that provided a "somewhat valid session."
- Identified the precise sequence of actions required to initiate vehicle initialization (VIN enrollment).
### Advanced Features
- Successfully combined a session token obtained from a known good portal (`owners.kia.com`) with the required, discovered `prelogin` header on the target portal (`kdealer.com`) to forge a multi-step authorization flow, enabling vehicle takeover.
## Indicators of Compromise
- Traffic analysis showing requests containing the non-standard `prelogin` header.
- Successive API calls that follow a specific, complex choreography (e.g., Session -> Enrollment -> Vehicle Pairing).
## Associated Threat Actors
- Attackers focused on web application security analysis.
## Detection Methods
- Rate-limiting and stricter validation on endpoints supporting VIN enrollment or vehicle pairing.
- Monitoring for unexpected headers in production traffic.
## Mitigation Strategies
- Never embed critical logic, sensitive headers, or required session manipulation steps solely within client-side JavaScript. All session validity checks must occur server-side.
- Utilize proper server-side authorization checks for multi-step processes like vehicle initialization.
## Related Tools/Techniques
- JavaScript analysis tools (e.g., browser developer consoles, static analysis tools).
***
# Tool/Technique: Server-Side Credential Leakage in Frontend JavaScript (Ferrari)
## Overview
A vulnerability where sensitive backend credentials (API keys, authorization headers) intended for server-to-server communication were inadvertently embedded directly within the client-side JavaScript files served to the browser.
## Technical Details
- Type: Technique/Vulnerability
- Platform: Web Frontend (JavaScript bundles)
- Capabilities: Direct acquisition of secrets granting immediate access to backend API functionality without standard authentication.
- First Seen: N/A
## MITRE ATT&CK Mapping
- TA0006 - Credential Access
- T1552 - Unsecured Credentials
- T1552.001 - Credentials in Files
- TA0001 - Initial Access
## Functionality
### Core Capabilities
- Discovery of an API endpoint schema listing all backend routes.
- Acquisition of explicit credentials/secrets for those backend endpoints.
- Allowed attackers to perform highly sensitive operations like modifying user roles and managing administrator accounts.
### Advanced Features
- Provided knowledge of all internal API routes necessary for deep interaction with the backend CMS.
## Indicators of Compromise
- Security scanning tools detecting hardcoded credentials or API keys within source code artifacts.
- Backend API logs showing high-privilege requests originating from unusual, non-client IP addresses or user agents.
## Associated Threat Actors
- Attackers utilizing automated scanning for exposed secrets.
## Detection Methods
- Integrating secret scanning into CI/CD pipelines to prevent check-in of credentials.
- Monitoring outgoing traffic for unauthorized API calls made using hardcoded credentials.
## Mitigation Strategies
- Strictly prohibit storing any backend secrets, especially long-lived credentials, in client-side code.
- Use short-lived, scoped tokens issued server-side for frontend access, or rely on session-based authentication enforced server-side.
## Related Tools/Techniques
- GitLeaks, TruffleHog (tools used to find secrets in source code).
***
# Tool/Technique: SQL Injection Login Bypass (Spireon)
## Overview
Exploiting an ancient login portal (`admin.spireon.com`) using classic SQL Injection (SQLi) techniques to bypass authentication mechanisms.
## Technical Details
- Type: Technique/Vulnerability (SQL Injection)
- Platform: Legacy Web Application (Database-driven authentication)
- Capabilities: Authenticating to an administrative portal without valid credentials.
- First Seen: N/A (Classic vulnerability)
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1190 - Exploit Repository.
- TA0002 - Execution
- T1059.006 - Command and Scripting Interpreter: Python (If used to craft payload)
## Functionality
### Core Capabilities
- Using the input `admin'#` in the login field to terminate the SQL query prematurely, resulting in a successful authentication bypass.
- Gained access to an administrator panel controlling tracking and potential deployment commands for millions of connected vehicles.
### Advanced Features
- Discovery of a secondary bypass mechanism: A denylist blocked requests containing `admin`, but fuzzing with `%0dadmin` (which represents a carriage return) successfully circumvented the denylist while still executing the intended login bypass logic.
## Indicators of Compromise
- Database logs showing unescaped single quotes or comment characters (`#`, `--`) being supplied to authentication queries.
- Web application logs showing disproportionate traffic against login endpoints containing SQL syntax.
## Associated Threat Actors
- Attackers targeting legacy or unpatched systems.
## Detection Methods
- Input validation/sanitization on all database interaction points.
- WAF rules tuned to detect common SQL injection payloads targeting login fields.
## Mitigation Strategies
- Patching or decommissioning ancient systems entirely.
- Using parameterized queries (prepared statements) for all database interactions, rendering injected SQL ineffective.
## Related Tools/Techniques
- SQLMap (a tool commonly used to automate SQLi exploitation).
***
# Tool/Technique: Privilege Escalation via HTTP Denylist Bypass (%0d injection)
## Overview
A specific technique used to bypass weak input filters (denylists) on an application endpoint by inserting non-printable characters, such as carriage returns (`%0d`), that confuse the filtering logic but do not break the functional syntax of the malicious input.
## Technical Details
- Type: Technique
- Platform: Web Application Backend Filtering
- Capabilities: Circumventing basic security checks designed to block keywords like "admin."
- First Seen: N/A
## MITRE ATT&CK Mapping
- TA0003 - Persistence
- T1556 - Compromise Software Supply Chain (If used to modify a dependency behavior)
- TA0007 - Discovery
- T1046 - Network Service Scanning (Implied, as fuzzing led to discovery)
## Functionality
### Core Capabilities
- Identified that the string `admin` was blocked, but inserting a carriage return character (`%0d`) before it bypassed the filter logic, allowing the request to still process as intended (in this case, triggering the login bypass).
### Advanced Features
- Showcases the fragility of simple denylist filtering compared to comprehensive allowlist or context-aware input validation.
## Indicators of Compromise
- Web request logs containing non-standard or control characters like `%0d` or `%0a` being submitted as parameters to sensitive endpoints.
## Associated Threat Actors
- Attackers proficient in manipulating low-level HTTP request encoding.
## Detection Methods
- Decoupling input filtering from simple string matching; inputs should be parsed based on expected character sets, not just blocked lists.
- Inspecting requests for encoded control characters near known sensitive keywords.
## Mitigation Strategies
- Use allowlist validation for input parameters over deny-listing.
- Ensure server-side logic correctly sanitizes and decodes input before any filtering or processing occurs.
## Related Tools/Techniques
- Fuzzing to discover filter bypasses.
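An added example (a model of the described behaviour, not Spireon's filter) contrasting a denylist applied to raw, undecoded path segments with the mitigation above: canonicalize first (percent-decode, drop control characters, Unicode-normalize, lowercase), and preferably allowlist the characters a segment may contain. The assumption that the original filter compared raw segments exactly is mine; it is one way `%0dadmin` slips past a check for `admin`.

```python
import re
import unicodedata
from urllib.parse import unquote

DENYLIST = {"admin"}
SEGMENT_ALLOWED = re.compile(r"^[a-z0-9_-]+$")


def naive_filter_blocks(raw_path):
    """Exact match on raw, undecoded path segments: '%0dadmin' != 'admin'."""
    return any(seg in DENYLIST for seg in raw_path.split("/"))


def canonicalize(segment):
    """Percent-decode (twice, to cover double encoding), drop control
    characters such as \\r and \\n, apply NFKC so look-alike Unicode letters
    fold to ASCII, and lowercase. Filtering happens on this form only."""
    text = unquote(unquote(segment))
    text = "".join(ch for ch in text if unicodedata.category(ch) != "Cc")
    return unicodedata.normalize("NFKC", text).lower()


def hardened_filter_blocks(raw_path):
    """Same denylist, but applied after canonicalization."""
    return any(canonicalize(seg) in DENYLIST for seg in raw_path.split("/"))


def allowlist_accepts(raw_path):
    """Preferred: accept only segments made of expected characters; control
    characters and percent-escapes never reach routing logic at all."""
    return all(SEGMENT_ALLOWED.match(seg) for seg in raw_path.split("/") if seg)


if __name__ == "__main__":
    for path in ("/admin", "/%0dadmin", "/%250dAdmin", "/dashboard"):
        print(f"{path:14} naive={naive_filter_blocks(path)!s:5} "
              f"hardened={hardened_filter_blocks(path)!s:5} "
              f"allowlist_ok={allowlist_accepts(path)}")
```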
***
# Tool/Technique: Mass Assignment Vulnerability (Reviver)
## Overview
A vulnerability where an application blindly maps incoming request parameters onto an internal object model without checking if the fields being updated are intended for user modification. This allowed an attacker to change a hidden field (user type/role) that was not present in the standard request.
## Technical Details
- Type: Vulnerability (Mass Assignment/Insecure Object Reference)
- Platform: Web API / Backend Data Handling
- Capabilities: Unauthorized privilege escalation by modifying unexposed object properties.
- First Seen: A long-standing class of vulnerability, but effective here against Reviver's user update mechanism.
## MITRE ATT&CK Mapping
- TA0004 - Privilege Escalation
- T1078 - Valid Accounts
- T1078.003 - Cloud Accounts (If linked to platform access)
- TA0005 - Lateral Movement
## Functionality
### Core Capabilities
- The system accepted an unexpected parameter (`type` or similar role parameter) during a user update, which was mapped directly to the user object's internal role field.
- Changing this role to `CORPORATE` or an administrative equivalent granted elevated permissions.
### Advanced Features
- The vulnerability required the client to first create a standard user account, suggesting the permissions only took effect upon re-authentication or subsequent interaction after the role was updated via the mass assignment flaw.
## Indicators of Compromise
- API logs showing PUT/POST requests attempting to update fields that are not typically exposed in user modification forms (e.g., fields named `role`, `admin`, `is_super_user`).
## Associated Threat Actors
- Attackers focused on rapid privilege escalation in web applications.
## Detection Methods
- Security testing that intentionally includes extra fields in update requests to test the deserialization layer.
- Server-side code review ensuring that object constructors or deserializers only populate fields explicitly allowed for modification via that specific API endpoint.
## Mitigation Strategies
- **Whitelisting:** Only map request fields that are explicitly allowed for that endpoint onto the object's properties. Never bind the entire payload implicitly.
- Hide high-privilege fields from user views and ensure roles are confirmed server-side, not derived only from client-provided data.
## Related Tools/Techniques
- IDOR exploitation leading to privilege escalation.
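The mass assignment pattern above beside the allowlisted update, as an added example (the user model, field names and request body are constructed, not Reviver's). The vulnerable handler binds every key it receives; the safe one binds only the fields the endpoint is meant to change and rejects the rest loudly, so an attempt to set `type` shows up in error logs instead of silently succeeding.

```python
from dataclasses import dataclass


@dataclass
class User:
    user_id: str
    email: str
    display_name: str
    type: str = "STANDARD"  # privilege level; must never be client-controlled


class MassAssignmentError(ValueError):
    """Raised when a request tries to write a field the endpoint does not expose."""


def update_vulnerable(user, payload):
    """Implicit binding: every key in the payload lands on the object,
    including 'type', which the UI never sends but the backend still accepts."""
    for key, value in payload.items():
        setattr(user, key, value)
    return user


# Fields a user may change about themselves through this endpoint.
CLIENT_WRITABLE = frozenset({"email", "display_name"})


def update_safe(user, payload):
    """Allowlist binding: unknown or privileged fields are rejected rather than
    dropped, which keeps the attempt visible to monitoring."""
    unexpected = set(payload) - CLIENT_WRITABLE
    if unexpected:
        raise MassAssignmentError(
            f"fields not writable via this endpoint: {sorted(unexpected)}")
    for key in CLIENT_WRITABLE & set(payload):
        setattr(user, key, payload[key])
    return user


def safe_rejects(user, payload):
    """True if the hardened handler refuses the payload and leaves the user untouched."""
    try:
        update_safe(user, payload)
    except MassAssignmentError:
        return True
    return False


# Constructed request body: the visible field plus the hidden role field.
ATTEMPT = {"display_name": "Eve", "type": "CORPORATE"}


if __name__ == "__main__":
    victim = update_vulnerable(User("u1", "eve@example.invalid", "Eve"), ATTEMPT)
    print("vulnerable handler, resulting type:", victim.type)
    guarded = User("u2", "bob@example.invalid", "Bob")
    print("safe handler rejected:", safe_rejects(guarded, ATTEMPT), "type:", guarded.type)
```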