Attacking a file share web application

Baptiste Coste

Security Engineer
Cybersecurity
Systems Audit
Bash
Linux
Python

The described application won't be named for anonymity reasons. This is not a listing of all the tests I did, just one of them, to give an idea of the process.

File sharing application

This application was developed by a start-up whose business is web development (^__o__^). They created an application to share files between co-workers working remotely. They wanted to make this application public and wanted to be sure that it was safe to upload files to it.

The application was developed with the Django framework.

The main services exposed by the application were: register an account, log in, modify the password, upload a file, modify your files, share files, and download files.

My objective was to discover as many vulnerabilities as I could and exploit them in order to get the highest access on the platform (admin account, internal access).

The application presented many vulnerabilities. I will describe here my exploitation path.

I was able to bypass the register service by fuzzing the API segment and finding an old register endpoint that let me create an account without any verification of my identity.

Browsing the user panel, I discovered the endpoint to access a file.

This endpoint could be fuzzed, since files were indexed by an integer. I found several integers that matched existing files: I had the name of the file and its author, but couldn't download it.

I began to upload files to the application and create share links on my own files, to study the construction of the token used to allow other users to access my files.

I successfully reverse-engineered the algorithm that generated those links, and I was able to create any share link I wanted just from the id of the file, its name and the author's name.

I could access any file uploaded to the application using this share link creation process.

Other services on the application had vulnerabilities: lack of verification of uploaded files (fortunately the application was written in Python and this couldn't lead to remote code execution), client-side XSS, the possibility to delete any account...

I gave advice on how to remediate these vulnerabilities. For example, in the report, I gave details on how to easily build secure tokens for sharing files. The other vulnerabilities could be easily fixed: add an identity check before deleting an account, restrictions on file uploads, removal of old and vulnerable endpoints...
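To illustrate the token recommendation, here is an added example (not the application's code, and not the report's exact proposal) contrasting the class of flaw described above with a safer construction. The post doesn't give the real algorithm, so `weak_share_token` is an assumed stand-in: a token computed only from attributes any user can read (file id, name, author), which anyone can recompute. The hardened version binds the file id to a random nonce and an expiry with an HMAC under a server-side secret, so a link cannot be forged from public data.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumed illustration of the flaw, not the application's real scheme: every
# input is visible to any logged-in user, so the "secret" token is derivable.
def weak_share_token(file_id: int, name: str, author: str) -> str:
    return hashlib.sha256(f"{file_id}:{name}:{author}".encode()).hexdigest()

# Server-side secret, generated once and kept out of the code base
# (constructed here for the example; in Django it belongs in settings/env).
SERVER_SECRET = secrets.token_bytes(32)
MAC_LEN = 32  # SHA-256 output size

def _sign(payload: bytes) -> bytes:
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()

def make_share_token(file_id: int, ttl_seconds: int = 3600,
                     now: Optional[int] = None) -> str:
    """Unforgeable share link: random nonce + expiry, bound to file_id by an HMAC.
    The caller must still check that the requesting user owns file_id."""
    now = int(time.time()) if now is None else now
    nonce = secrets.token_bytes(16)
    payload = b"%d|%d|" % (file_id, now + ttl_seconds) + nonce
    return base64.urlsafe_b64encode(payload + _sign(payload)).decode()

def verify_share_token(token: str, now: Optional[int] = None) -> Optional[int]:
    """Return the file id the token grants access to, or None if forged/expired."""
    now = int(time.time()) if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    if len(mac) != MAC_LEN or not hmac.compare_digest(mac, _sign(payload)):
        return None
    try:
        file_id_b, expires_b, _nonce = payload.split(b"|", 2)
        file_id, expires = int(file_id_b), int(expires_b)
    except ValueError:
        return None
    return None if expires < now else file_id
```

An equally valid alternative is a purely random token (`secrets.token_urlsafe`) stored in the database next to the file id and expiry; the HMAC form simply avoids the extra table.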
