How I hacked PutPeace

This is the first time I have spotted a vulnerability in an application, and I am excited to talk about it! For those who don’t know, PutPeace is a start up at IITM, which provides (extremely) convenient online printing services. I am a regular user of the great app(awesome work guys). I was able to print documents without enough balance in my account.
If you are wondering if this post is for teaching you guys to print things for free, sorry for you, I believe in being responsible. The vulnerability was reported to the PutPeace team and they have promptly fixed the same. So yeah, if you were wondering, you can’t print things for free after reading this post.

The vulnerability

They violated the rule 1 in security, never “trust the user”.  Trusting the user doesn’t mean that only the user input needs to be checked, but no action should be done directly from client side. The website simply starts printing once the balance is greater than the amount required for printing.
How did I print for free?
Simply by going to JS console and modifying my Wallet balance. The website short circuited the process of checking the balance on the server and directly initiated the print.

 
That’s all? Were you expecting more?  Don’t worry, there is a lot more, this one simply exploits the vulnerability in an easy way. The actual process of finding this was much more complicated, and I will talk about it here.
How it works?
I used a Web proxy debugger, called ZAProxy. It is maintained by the OWASP foundation. OWASP is an online community which works in the field of web application security and develops tools and method. It is the go-to if you want to get started in the field.
Basically, a proxy debugger is a Man-In-the-Middle between you and a website. It acts as a proxy server which forwards and intercepts packages to and from the website. So, you can easily check what requests are going through a page. Want more than this? You can even modify requests from client and responses from the server.
Oh wait, you remember reading about SSL, that nobody can read the packets in between, encryption FTW? Nope, not really. ZAP allows to create a signed certificate for your browser. Once you install it, you can do the same for SSL sites too! The computer can send requests to the proxy server using SSL, and further requests go to the website using SSL between our proxy server and the website.(Sorry for the crappy diagrams :D). No need of this here though, Putpeace doesn’t use SSL connections.

This follows a quick tutorial to use ZAP. Fire up ZAP and check the Preferences->LocalProxy. The default is port 8080 but you can change it. Go to your Proxy settings and use HTTP proxy as localhost and port as 8080. Now open up the sites you are trying to target. The sites will be recorded in the left pane of ZAP. You can see requests and responses of each of the websites on the left pane.

It is essential to note what requests are important for you and what not. Clearly, the 2 important parts for us to target are putpeace.com and iitm.cloudapp.net. Examine the requests a bit and you will know that putpeace.com is simply the frontend server which serves the static content and the APIs are in backend server.
Let’s analyze the requests by printing something, and yeah, I can see a request called get_user triggered when I click the Print button. It returns things like my account balance. Surprisingly, when I click on Print from here, no request is sent to the endpoints server. Means that  following the previous request a print might get initiated from frontend without any checks. Wow, that’s bad(good for us). If we simply modify the response of the request to something greater than the print amount, it would print.
 


How to modify response data? Simple, right click on the request(get_user) and click on Break. This allows us to set a breakpoint whenever the request hits or a response is received. The first image shows the request, and the second one shows the response. I changed the response to a higher number than the print amount, and it worked.

Check out the balance on the site now! Clicked on print and Voila, had my documents printed! However, it calculated what I am due by subtracting from my original balance(smart move, else I would be able to overwrite there DB), that’s why I have a balance of -14 INR.

PutPeace team has quickly patched this bug, great pace PutPeace team! Now there is a server check for printing, and I get a response saying “No more hacks”.
How to prevent such a thing? Simple, never trust what goes on the user side, always think that the user is trying to misuse your website!