MySejahtera Not So Sejahtera, Full of Exploits
Post #1 | Oct 18 2021, 02:08 PM
Senior Member | 4,481 posts | Joined: Jul 2005
This API should not even be exposed! It's supposed to be called by a backend module!
Post #2 | Oct 18 2021, 02:23 PM
Senior Member | 4,481 posts | Joined: Jul 2005
QUOTE(Darkripper @ Oct 18 2021, 02:13 PM)
Go ahead and try, the URL is legit anyway. Can use Postman or other tools as well; as long as you send that form-data, it works. These mistakes are worse than interns lol.

To send notifications they can just use something like BIG-IP F5 to whitelist only the allowed IP addresses that can access the endpoints. In fact, just build the service separately, with segregation between the internal and external networks. They kinda forgot to verify the captcha, actually. They have a captcha on the page, but the backend doesn't verify that token.
Post #3 | Oct 18 2021, 08:19 PM
Senior Member | 4,481 posts | Joined: Jul 2005
QUOTE(Darkripper @ Oct 18 2021, 02:27 PM)
They can't do that, as that's the endpoint that the client side is calling to trigger it. Easiest way is just to rate limit + some kind of captcha. That would reduce the exposure to an acceptable limit.

Client side to trigger? It doesn't work that way. The service I work on sends millions of SMS daily. We are the one triggering an endpoint exposed by the provider. MySejahtera would have the list of contacts on their end. All they need to do is periodically send the SMS via the endpoint exposed by the few operators we have. If it's really triggered by us, who have MySejahtera, that's stupid.
Post #4 | Oct 19 2021, 08:47 AM
Senior Member | 4,481 posts | Joined: Jul 2005
QUOTE(Darkripper @ Oct 18 2021, 11:13 PM)
You're talking about their backend implementation, which is out of reach. The client triggers MySejahtera, which in turn forwards it to the provider. It doesn't matter how the backend is implemented if they open their doors wide open.

The way you put it, there is something so wrong in terms of the app design. The request should trigger a notification and queue the request somewhere instead of the client calling the service immediately. Anyway, 0 marks to the application design in this case.
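As an added illustration, not code from this thread and not MySejahtera's own backend (which nobody in the thread has seen), here is a small Python model of the two designs being argued about in posts #2 through #4. The naive handler forwards whatever form-data it receives straight to the SMS provider; the hardened handler applies the controls the posts call for: a per-client rate limit, a server-side check of the captcha token (including rejecting a token that is replayed), and queueing the request for a backend worker instead of calling the operator endpoint from the request path. The HMAC-based token format, the `FakeSmsProvider`, the client address and phone number are all constructed for the demo; a real deployment would verify the token with the captcha vendor's own API, and the network-level IP allowlisting from post #2 is out of scope for application code.

```python
import hashlib
import hmac
from collections import defaultdict, deque

# Constructed demo secret; in practice the captcha vendor holds the verification secret.
CAPTCHA_SECRET = b"constructed-demo-secret"


def issue_captcha_token(challenge_id: str) -> str:
    """Stand-in for a captcha provider handing the page a token after a solved challenge."""
    mac = hmac.new(CAPTCHA_SECRET, challenge_id.encode(), hashlib.sha256).hexdigest()
    return f"{challenge_id}.{mac}"


def verify_captcha_token(token, used_tokens: set) -> bool:
    """Server-side check: valid MAC, and not already consumed (a widget on the page proves nothing)."""
    if not isinstance(token, str) or "." not in token:
        return False
    challenge_id, mac = token.split(".", 1)
    expected = hmac.new(CAPTCHA_SECRET, challenge_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False
    if token in used_tokens:  # replay of a once-valid token
        return False
    used_tokens.add(token)
    return True


class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window_s` seconds per key."""

    def __init__(self, limit: int, window_s: float):
        self.limit, self.window_s = limit, window_s
        self.hits = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self.hits[key]
        while q and now - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class FakeSmsProvider:
    """Stands in for the operator's SMS endpoint and records what reached it."""

    def __init__(self):
        self.sent = []

    def send(self, phone, message):
        self.sent.append((phone, message))


def handle_notify_naive(form: dict, provider: FakeSmsProvider) -> int:
    """The design the thread criticises: any caller posting the form-data gets an SMS sent."""
    provider.send(form.get("phone"), form.get("message"))
    return 200


def handle_notify_hardened(form, client_ip, limiter, used_tokens, queue, now) -> int:
    """Rate-limit, verify the captcha token on the server, validate, then queue for a worker."""
    if not limiter.allow(client_ip, now):
        return 429
    if not verify_captcha_token(form.get("captcha_token"), used_tokens):
        return 403
    phone, message = form.get("phone"), form.get("message")
    if not phone or not message:
        return 400
    queue.append({"phone": phone, "message": message})  # a backend worker drains this
    return 202


def run_scenario() -> dict:
    """Constructed scenario: the same client hits the naive and the hardened endpoint."""
    provider = FakeSmsProvider()
    naive = handle_notify_naive({"phone": "+60000000000", "message": "hi"}, provider)

    limiter, used, queue, t = RateLimiter(limit=3, window_s=60), set(), [], 1000.0
    ip = "203.0.113.5"  # constructed client address
    token = issue_captcha_token("challenge-1")
    form = {"phone": "+60000000000", "message": "hi", "captcha_token": token}
    good = handle_notify_hardened(form, ip, limiter, used, queue, t)
    replay = handle_notify_hardened(form, ip, limiter, used, queue, t + 1)
    forged = handle_notify_hardened(dict(form, captcha_token="challenge-2.deadbeef"),
                                    ip, limiter, used, queue, t + 2)
    fresh = dict(form, captcha_token=issue_captcha_token("challenge-3"))
    limited = handle_notify_hardened(fresh, ip, limiter, used, queue, t + 3)
    return {"naive": naive, "naive_sent": len(provider.sent), "good": good,
            "replay": replay, "forged": forged, "limited": limited, "queued": len(queue)}


if __name__ == "__main__":
    print(run_scenario())
```

The order of checks matters: the rate limit runs first so that a flood of requests never reaches the token check, and the queue boundary means the operator endpoint is only ever called by the backend worker, which is the segregation post #2 asks for.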