IDOR Vulnerability in ExHub Lets Attackers Modify Web Hosting Configuration


A critical Insecure Direct Object Reference (IDOR) vulnerability was recently discovered in ExHub, a cloud-based platform for hulia-based development. 

This flaw allowed attackers to modify web hosting configurations of any project without proper authorization, posing significant risks to affected systems. 

Misconfigurations may cause outages or make services unavailable. Furthermore, attackers may be able to escalate privileges or chain attacks for additional exploitation due to compromised configurations.

Understanding the Vulnerability

ExHub offers cloud hosting, project collaboration, and deployment features. Among its functionalities is the ability for users to configure web hosting settings for their projects. These configurations determine how projects are deployed and accessed. 

Ideally, only authorized users should be able to modify these settings. However, due to improper implementation of access controls, unauthorized users could exploit the system by simply knowing a project’s unique identifier.

The vulnerability resided in ExHub’s API for project deployment configuration. Specifically, the API lacked robust authorization checks, enabling any user—regardless of their role or authentication status—to send crafted requests and alter hosting settings.

The researcher who identified this issue, Abhi Sharma, was awarded a $1,500 bounty, along with a $200 bonus for the detailed report.

Vulnerability Exploitation

The exploitation process involved minimal technical complexity:

  • Obtain the Project ID: The attacker needed access to a valid project ID. This could be obtained through enumeration or other indirect means.
  • Craft an Unauthorized API Request: By sending a POST request to the vulnerable endpoint /api/v1/projects/deployment_configuration/, attackers could modify critical hosting parameters.
  • Execute the Request: Tools like Burp Suite or Postman were sufficient to execute the attack and observe changes in real time.
  • Verify Changes: The attacker could confirm modifications through ExHub’s user interface.

(Figure: Craft a POST request)

This vulnerability effectively allowed unauthorized users to perform administrative actions such as changing machine types, ports, and DNS configurations—actions that should have been restricted to high-privilege roles.

Impact of the Vulnerability

The consequences of this IDOR vulnerability were severe: attackers could manipulate deployment configurations, potentially gaining unauthorized access to sensitive resources.

Misconfigurations could lead to downtime or render services inaccessible. Further, exploited configurations might enable attackers to escalate privileges or chain attacks for further exploitation.

The vulnerability was rated as Critical (CVSS score 9.8) but later downgraded to High (8.8) due to assumptions about the difficulty of obtaining project IDs.

To address this vulnerability:

  • ExHub introduced strict authorization checks at all API endpoints.
  • Project IDs were made less predictable by implementing randomization techniques.
  • User roles were restructured to enforce least privilege principles.
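The first two fixes above, object-level authorization on the configuration endpoint and unpredictable project IDs, as an added Python example that is not ExHub's code. The handler names, the in-memory project store and the sample users and roles are constructed for illustration; the vulnerable handler is shown beside the hardened one.

```python
# Added example (not ExHub's code): an IDOR-prone "update deployment configuration"
# handler next to a hardened version that checks the caller against the specific
# project being modified. Project IDs, users and roles are constructed sample data.
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass
class Project:
    project_id: str
    owner: str
    editors: set = field(default_factory=set)
    hosting: dict = field(default_factory=lambda: {"machine_type": "small", "port": 8080})

def new_project_id() -> str:
    # Unpredictable identifier: 128 bits of randomness instead of a sequential integer.
    return secrets.token_urlsafe(16)

PROJECTS: Dict[str, Project] = {}  # in-memory store standing in for the platform database

def create_project(owner: str) -> Project:
    project = Project(project_id=new_project_id(), owner=owner)
    PROJECTS[project.project_id] = project
    return project

ALLOWED_KEYS = {"machine_type", "port", "dns"}

def update_config_vulnerable(project_id: str, changes: dict) -> Tuple[int, dict]:
    # IDOR: whoever knows the project ID can write to it; the caller is never checked.
    project = PROJECTS.get(project_id)
    if project is None:
        return 404, {"error": "not found"}
    project.hosting.update(changes)
    return 200, dict(project.hosting)

def update_config_hardened(user: Optional[str], project_id: str, changes: dict) -> Tuple[int, dict]:
    # Authenticate first, then authorize against the object being modified, not just the route.
    if user is None:
        return 401, {"error": "authentication required"}
    project = PROJECTS.get(project_id)
    # Same 404 for "missing" and "not yours", so the endpoint does not confirm which IDs exist.
    if project is None or (user != project.owner and user not in project.editors):
        return 404, {"error": "not found"}
    unknown = set(changes) - ALLOWED_KEYS
    if unknown:
        return 400, {"error": "unsupported keys: %s" % sorted(unknown)}
    project.hosting.update(changes)
    return 200, dict(project.hosting)
```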

This incident underscores several critical lessons for developers and organizations:

  • Authorization Checks Are Crucial: Every API endpoint must validate user permissions rigorously.
  • Avoid Predictable Identifiers: Using easily guessable IDs increases the risk of exploitation.
  • Principle of Least Privilege: Limit user actions based on their roles to minimize potential damage from misconfigurations.
  • Comprehensive Testing: Security testing should include backend APIs to uncover hidden vulnerabilities like IDOR.

By enforcing strict access controls and adopting secure-by-design principles, companies can safeguard their platforms from exploitation and build trust with their users.
