Digging into Javascript to find the gem
It has been a long time since I last wrote anything. I recently found a vulnerability that is only moderately severe on its own but leaks AWS S3 credential information.
While testing the application I noticed that it sends requests and receives response data in encrypted form.
The technology stack structure of this application is:
Backend: Node, Express
Frontend: Angular JS
Database: MongoDB
Since the application receives encrypted responses and still shows the information to users in plain text, it must be decrypting in the frontend; that is common sense.
I started looking into the JavaScript source from the developer console (Sources tab).
After scrolling a few lines I found the getData() and postData() functions, which call encryptRequest() and decryptRequest() so that the rest of the code can send requests to, and read responses from, the server in plain text.
Having found the function names, I started looking into them (I redacted the key they used with <key>):
encryptRequest Function
    encryptRequest(Y) {
        return {
            data: oe.AES.encrypt(JSON.stringify(Y), "<key>").toString()
        }
    }
decryptRequest Function
    decryptRequest(Y) {
        var z = oe.AES.decrypt(Y, "<key>");
        var re = JSON.parse(z.toString(oe.enc.Utf8));
        return {
            data: re
        }
    }
Why am I doing this? Because there is an endpoint whose response contains AWS S3 credentials.
Since I now knew the key and how the decrypt function works, I used a package called crypto-js (the same library the minified frontend code is using) and wrote my own script to decode and read the response:
    const CryptoJS = require('crypto-js');

    // Same logic as the frontend's decryptRequest(): AES-decrypt with the
    // hard-coded passphrase, then parse the resulting UTF-8 text as JSON.
    function decryptRequest(Y) {
        var z = CryptoJS.AES.decrypt(Y, "<key>");
        var re = JSON.parse(z.toString(CryptoJS.enc.Utf8));
        console.log(re);
        return {
            data: re
        };
    }

    // Actual encrypted string taken from the response body
    const encryptedString = '<response-from-the-request>';
    const result = decryptRequest(encryptedString);
    console.log(result);
I ran this code using node:
node index.js
It returned the information:
Then I looked into the AWS S3 credentials (and found that they belong to a low-privilege account). It is still a really nice finding, and I reported it to them.
Thanks for reading.