web, free, easy

CommNet

Hack The Box

Cut off from each other and besieged by undead propaganda, humanity's survivors rely on CommNet—until the white-hats break in to silence the broadcast and reconnect the enclaves.

$ ls tags/ techniques/
idor_exploitation  broken_access_control

CommNet — Hack The Box

Analysis

During a source code audit of the CommNet application, critical vulnerabilities were found in the message-handling code (routes/messages.js):

  1. IDOR (Insecure Direct Object Reference): the GET /api/messages/:id endpoint let any authenticated user read any message in the database simply by supplying its ID. The access-control check (is the requesting user the sender or the recipient?) was missing.
  2. Broadcast message leakage: the general message list (GET /api/messages/) included every broadcast message (recipient_id IS NULL), exposing system or confidential information that was not intended for everyone.
  3. Unauthorized broadcasting: the POST /api/messages/ endpoint let any user send a broadcast message, because no role check was performed when recipient_id was absent.

Solution

To fix the vulnerabilities, the following changes were made to routes/messages.js:

1. Restricting Access to Message List

Removed the OR m.recipient_id IS NULL condition so that users only see messages in which they are the sender or the recipient.

// Before
WHERE m.sender_id = ? OR m.recipient_id = ? OR m.recipient_id IS NULL ...
