CommNet

Hack The Box

Cut off from each other and besieged by undead propaganda, humanity's survivors rely on CommNet—until the white-hats break in to silence the broadcast and reconnect the enclaves.

Tags: idor_exploitation, broken_access_control

Analysis

During a source code audit of the CommNet application, critical vulnerabilities were discovered in the message handling mechanism (routes/messages.js):

  1. IDOR (Insecure Direct Object Reference): The GET /api/messages/:id endpoint allowed any authenticated user to view any message in the database by simply specifying its ID. Access control checks (whether the user is the sender or recipient) were missing.
  2. Broadcast message leakage: The general message list (GET /api/messages/) displayed all broadcast messages (recipient_id IS NULL), allowing access to system or confidential information not intended for everyone.
  3. Unauthorized broadcasting: The POST /api/messages/ endpoint allowed any user to send broadcast messages, as there was no role verification when recipient_id was absent.

Solution

To fix the vulnerabilities, the following changes were made to routes/messages.js:

1. Restricting Access to Message List

Removed the OR m.recipient_id IS NULL condition so users only see messages where they are the sender or recipient.

    // Before
    WHERE m.sender_id = ? OR m.recipient_id = ? OR m.recipient_id IS NULL

    // After
    WHERE m.sender_id = ? OR m.recipient_id = ?

2. Fixing IDOR

Added a check to verify the message belongs to the current user when requesting by ID.

    // Before
    WHERE m.id = ?

    // After (two extra bind parameters: the current user's id is passed twice)
    WHERE m.id = ? AND (m.sender_id = ? OR m.recipient_id = ?)

3. Restricting Broadcast Permissions

Added user role verification. Only administrators can send messages without specifying a recipient (broadcast).

    // Added: a missing recipient_id means broadcast, which only the admin role may do
    const userRole = req.session.role;
    if (!recipient_id && userRole !== 'admin') {
      return res.status(403).json({ success: false, error: 'Only admins can send broadcasts' });
    }
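The three fixes above, collected into an added example written for this writeup (not the challenge's own routes/messages.js): the database is replaced by a constructed in-memory array, the session is assumed to carry { userId, role }, and the pre-fix lookup is kept beside the fixed one so the IDOR can be checked as a regression test.

```javascript
// Constructed stand-in for the messages table; ids, users and bodies are made up.
const MESSAGES = [
  { id: 1, sender_id: 1, recipient_id: 2, body: 'enclave status: holding' },
  { id: 2, sender_id: 2, recipient_id: 1, body: 'ack' },
  { id: 3, sender_id: 9, recipient_id: null, body: 'ADMIN BROADCAST: relay up' },
  { id: 4, sender_id: 3, recipient_id: 4, body: 'private: supply route' },
];

// Fixed GET /api/messages/: only rows where the caller is sender or recipient.
// The pre-fix "OR m.recipient_id IS NULL" branch is deliberately absent.
function listMessages(db, userId) {
  return db.filter(m => m.sender_id === userId || m.recipient_id === userId);
}

// Pre-fix GET /api/messages/:id, kept only as the regression case:
// the lookup is by id alone, so any authenticated user can read any row.
function getMessageVulnerable(db, userId, id) {
  const m = db.find(m => m.id === id);
  return m ? { status: 200, body: m } : { status: 404, body: { success: false, error: 'Not found' } };
}

// Fixed GET /api/messages/:id: the ownership predicate is part of the lookup,
// so a foreign id yields "not found" rather than another user's message.
function getMessage(db, userId, id) {
  const m = db.find(m => m.id === id && (m.sender_id === userId || m.recipient_id === userId));
  return m ? { status: 200, body: m } : { status: 404, body: { success: false, error: 'Not found' } };
}

// Fixed POST /api/messages/: a missing recipient_id means broadcast, which only
// the admin role may do. Session shape { userId, role } is an assumption.
function sendMessage(db, session, { recipient_id, body }) {
  if (!recipient_id && session.role !== 'admin') {
    return { status: 403, body: { success: false, error: 'Only admins can send broadcasts' } };
  }
  const msg = { id: db.length + 1, sender_id: session.userId, recipient_id: recipient_id ?? null, body };
  db.push(msg);
  return { status: 201, body: { success: true, id: msg.id } };
}
```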
