04-04-2026, 03:04 AM
(Edited 04-04-2026, 03:20 AM by Splashed.)
Hello,
Today I'm gonna explain how I breached editgpt.app.
## Executive Summary
This write-up provides a comprehensive analysis of the `sensitive_data_extractor.py` tool, detailing its functionality, attack methodology, and the results obtained from testing against editgpt.app.
### Target Information
- **Target Domain**: editgpt.app
- **Total Vulnerabilities Found**: 69 critical/high severity issues
- **Sensitive Data Extracted**: Credit cards, emails, IP addresses, and geographic data
---
### Core Components
The tool is built around the `SensitiveDataExtractor` class with the following key capabilities:
1. **Stealth Mode Operations**
   - Randomized user-agent rotation
   - Intelligent request delays (0.5-2 seconds)
   - Browser fingerprint mimicking
   - Header manipulation to avoid detection
2. **Multi-Vector Attack Surface**
   - Access control bypass testing
   - IDOR (Insecure Direct Object Reference) scanning
   - HTTP method tampering
   - Header injection attacks
   - Parameter pollution
   - Path traversal attempts
3. **Data Extraction Engine**
   - Pattern-based sensitive data detection
   - Luhn algorithm validation for credit cards
   - IBAN validation for bank accounts
   - Routing number verification
   - JSON/HTML content parsing
---
## Attack Methodology
### Phase 1: Reconnaissance & Discovery
The tool begins by:
- Scanning common administrative endpoints
- Discovering JavaScript and configuration files
- Mapping API structure
- Identifying potential GraphQL endpoints
### Phase 2: Access Control Testing
#### 2.1 Vertical Privilege Escalation
The tool attempts to access administrative functions without proper authorization:
**Tested Endpoints:**
- `/api/admin/users`
- `/api/admin/dashboard`
- `/api/admin/settings`
- `/admin`
- `/admin/panel`
- `/admin/users`
**Results**: All 6 endpoints were accessible without authentication, returning HTTP 200 responses with sensitive data.
#### 2.2 Header-Based Bypass Attacks
The tool systematically tests 16 different HTTP headers to bypass authentication:
```
Bypass Headers Tested:
- X-Original-URL: /admin
- X-Rewrite-URL: /admin
- X-Forwarded-For: 127.0.0.1
- X-Forwarded-Host: localhost
- X-Custom-IP-Authorization: 127.0.0.1
- X-Originating-IP: 127.0.0.1
- X-Remote-IP: 127.0.0.1
- X-Client-IP: 127.0.0.1
- X-Real-IP: 127.0.0.1
- X-Admin: true
- X-Is-Admin: true
- X-Role: admin
- X-User-Role: admin
- X-Privilege: admin
- isAdmin: true
- admin: true
```
**Success Rate**: 32 successful bypasses across `/api/admin/users` and `/admin` endpoints.
#### 2.3 Parameter Pollution Attacks
The tool injects authorization parameters into legitimate requests:
**Tested Parameters:**
```
- admin=true
- isAdmin=true
- role=admin
- user_role=admin
- privilege=admin
- access_level=admin
- debug=true
- test=true
- dev=true
```
**Vulnerable Endpoints:**
- `/api/user/settings` - 9 successful bypasses
- `/api/dashboard` - 9 successful bypasses
#### 2.4 HTTP Method Tampering
The tool tests alternative HTTP methods to bypass restrictions:
**Methods Tested**: GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS
**Results:**
- `/api/admin` - OPTIONS method returned 204
- `/api/user/delete` - All 7 methods accessible (should be restricted)
- `/api/settings` - All 7 methods accessible
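The three bypass classes in 2.2, 2.3 and 2.4 (trusted headers, trusted query parameters, unrestricted methods) come down to one server-side defect: the authorization decision reads client-controlled input. The following is an added example, not code from this post or from the tool it describes; the session store, route table, role ranks and status codes are constructed for illustration. It places a vulnerable role lookup beside a hardened one and runs both through a dispatcher that enforces a per-route method allowlist.

```python
from dataclasses import dataclass, field

# Constructed server-side session store (hypothetical): the role lives here,
# never in anything the client sends.
SESSIONS = {
    "sess-alice": {"user": "alice", "role": "user"},
    "sess-root": {"user": "root", "role": "admin"},
}

# Constructed route table: each path carries an explicit method allowlist and
# the minimum role required. Anything not listed is denied by default.
ROUTES = {
    "/api/admin/users": {"methods": {"GET"}, "role": "admin"},
    "/admin": {"methods": {"GET"}, "role": "admin"},
    "/api/user/settings": {"methods": {"GET", "PATCH"}, "role": "user"},
    "/api/user/delete": {"methods": {"DELETE"}, "role": "user"},
}

RANK = {"anonymous": 0, "user": 1, "admin": 2}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def session_role(req: Request) -> str:
    """Role as recorded server-side for the presented session cookie."""
    session = SESSIONS.get(req.cookies.get("session", ""))
    return session["role"] if session else "anonymous"


def role_insecure(req: Request) -> str:
    """Vulnerable: promotes the caller on the strength of client-controlled
    headers and query parameters (the pattern the write-up reports)."""
    h, q = req.headers, req.query
    if h.get("X-Admin") == "true" or h.get("X-Role") == "admin":
        return "admin"
    if h.get("X-Forwarded-For") == "127.0.0.1":  # "local" traffic treated as trusted
        return "admin"
    if q.get("admin") == "true" or q.get("role") == "admin":
        return "admin"
    return session_role(req)


def role_secure(req: Request) -> str:
    """Hardened: the only input to the authorization decision is the
    server-side session. Headers and query strings are ignored entirely."""
    return session_role(req)


def dispatch(req: Request, role_fn) -> int:
    """Return the HTTP status the authorization layer would produce."""
    route = ROUTES.get(req.path)
    if route is None:
        return 404
    role = role_fn(req)
    if role == "anonymous":
        return 401   # same answer for every method, so there is nothing to enumerate
    if req.method not in route["methods"]:
        return 405   # method allowlist: a GET can never reach the DELETE handler
    if RANK[role] < RANK[route["role"]]:
        return 403
    return 200


if __name__ == "__main__":
    probe = Request("GET", "/api/admin/users", headers={"X-Admin": "true"})
    print(dispatch(probe, role_insecure), dispatch(probe, role_secure))  # 200 401
```

The ordering in `dispatch` is deliberate: an unauthenticated caller gets 401 before the method check runs, so probing GET/POST/PUT/DELETE against a protected path yields one uniform answer instead of a map of which methods exist. On a real stack the same rule applies to reverse-proxy headers such as `X-Forwarded-For`: strip or overwrite them at the edge and never let them reach an authorization decision.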
---
## Sensitive Data Extraction Results
### Data Categories Extracted
#### 1. Payment Card Information
**Total Found**: 3 valid credit card numbers
**Validation**: All cards passed Luhn algorithm validation, indicating they are potentially valid card numbers.
**Risk Level**: CRITICAL - PCI-DSS violation
#### 2. Email Addresses
**Total Found**: 1
**Context**: Found in administrative endpoints, potentially exposing internal communication channels.
#### 3. Geographic Data
**Total Found**: 44 ZIP codes across multiple countries
**Distribution**:
- United States: 30 locations
- Germany: 5 locations
- Mexico: 2 locations
- Other countries: 7 locations (Romania, Malaysia, New Caledonia, Philippines, Poland, Spain, El Salvador, Japan)
---
## Vulnerability Breakdown
### Critical Severity (69 findings)
1. **Vertical Privilege Escalation** (6 instances)
   - Direct access to admin functions without authentication
   - Exposure of user data, settings, and dashboard information
2. **Authentication Bypass via Headers** (32 instances)
   - IP spoofing headers accepted
   - Role-based headers trusted without validation
   - URL rewriting headers processed incorrectly
3. **Authentication Bypass via Parameters** (18 instances)
   - Query parameters override access controls
   - Debug/test modes accessible in production
   - Role parameters accepted from client-side
4. **HTTP Method Tampering** (13 instances)
   - Destructive operations accessible via GET
   - OPTIONS method reveals sensitive information
   - No method-based access control
---
## Attack Flow Diagram
```
[1] Initial Scan
↓
[2] Endpoint Discovery
├── Admin Endpoints
├── API Endpoints
└── Static Files
↓
[3] Access Control Testing
├── Direct Access Attempts
├── Header Manipulation
├── Parameter Injection
└── Method Tampering
↓
[4] Data Extraction
├── Pattern Matching
├── Validation (Luhn, IBAN)
└── JSON Parsing
↓
[5] Export Results
├── CSV Format
├── JSON Format
└── TXT Report
```
---
### Pattern Recognition
The tool uses regex patterns to identify:
- Credit card numbers (Visa, Mastercard, Amex, Discover)
- Email addresses
- Phone numbers (multiple international formats)
- Social Security Numbers
- IP addresses
- API keys and tokens
- Bank account numbers
- Passport numbers
- Driver's licenses
- Medical record numbers
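As an added example (not code from this post or from `sensitive_data_extractor.py`), here is the Luhn validation mentioned under Payment Card Information together with the regex matching described under Pattern Recognition, written from the defender's side: a check a team can run over its own API responses before they ship. Candidate digit runs are matched, the Luhn mod-10 check discards the false positives, and surviving card numbers are masked to the last four digits. The sample response body and the candidate regex are constructed here.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, and not glued to other digits on either side.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample of an API response body (not data from the target).
# The order id is a 13-digit run that fails Luhn; the card number is a
# well-known test PAN that passes it.
SAMPLE_RESPONSE = (
    '{"order": 1234567890123, "amount": "12.50", '
    '"note": "paid with 4111 1111 1111 1111"}'
)


def luhn_valid(number: str) -> bool:
    """Luhn (mod 10) check over the digits of `number`; separators are ignored."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, as PCI-DSS display rules expect."""
    return "*" * (len(pan) - 4) + pan[-4:]


def find_card_numbers(text: str) -> list:
    """Return the Luhn-valid candidates in `text`, separators removed."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def redact(text: str) -> str:
    """Replace Luhn-valid candidates with their masked form; leave the rest."""
    def _mask(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return CANDIDATE_RE.sub(_mask, text)


if __name__ == "__main__":
    print(find_card_numbers(SAMPLE_RESPONSE))   # ['4111111111111111']
    print(redact(SAMPLE_RESPONSE))
```

The Luhn step is what keeps a scanner like this usable: plain 13-19 digit regexes fire on order ids, timestamps and tracking numbers, and only about one in ten of those random runs passes mod 10. Wired into a response filter or a log pipeline, `redact` is the control that would have kept the three card numbers in this report out of an unauthenticated endpoint's output.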
---