Event Overview
- Date: July 19, 2025 (Saturday)
- https://hackfes2025.hacker.or.jp
“Introduction to Web Application (SPA) Vulnerability Assessment” by Hiroshi Tokumaru
10:10 - 11:40
A hands-on session using Burp Suite to perform vulnerability assessments on SPAs (Single Page Applications). The target was a simple SPA server that generates dynamic content using HTML and JavaScript.
CORS (Cross-Origin Resource Sharing) Misconfiguration
The login API answers CORS preflight requests (OPTIONS method) with the headers shown below.
Preflight Request
OPTIONS /api/v1/login HTTP/1.1
Host: api.example.jp
Accept: */*
Access-Control-Request-Method: POST
Access-Control-Request-Headers: content-type
Origin: http://spa.example.jp
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Sec-Fetch-Dest: empty
Referer: http://spa.example.jp/
Accept-Encoding: gzip, deflate, br
Accept-Language: ja,en-US;q=0.9,en;q=0.8
Priority: u=1, i
Connection: keep-alive
Response
HTTP/1.1 204 No Content
X-Powered-By: Express
Access-Control-Allow-Origin: http://spa.example.jp
Vary: Origin, Access-Control-Request-Headers
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,HEAD,PUT,PATCH,POST,DELETE
Access-Control-Allow-Headers: content-type
Access-Control-Max-Age: 300
Content-Length: 0
Date: Sat, 19 Jul 2025 01:31:57 GMT
Changing the Origin header to an attacker-controlled domain in Burp Repeater and resending the request shows that the server simply reflects the origin, so access is granted even to origins that should not be allowed:
HTTP/1.1 204 No Content
X-Powered-By: Express
Access-Control-Allow-Origin: http://trap.example.jp
Vary: Origin, Access-Control-Request-Headers
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET,HEAD,PUT,PATCH,POST,DELETE
Access-Control-Allow-Headers: content-type
Access-Control-Max-Age: 300
Content-Length: 0
Date: Sat, 19 Jul 2025 01:34:06 GMT
Because the server reflects any Origin and also sends Access-Control-Allow-Credentials: true, a page on a malicious domain (e.g., trap.example.jp) can call the API from the victim's browser with the victim's credentials and read the responses.
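As an added example (not the session's own code), the allow-origin decision below contrasts the reflect-any-origin misconfiguration observed above with an exact-match allowlist; the origins are the ones from the captured requests, and the allowlist contents are an assumption.

```javascript
// Added example (not the session's code): an allow-origin decision in the
// style of an Express CORS middleware, showing the reflect-any-origin
// misconfiguration next to an allowlist fix. Origins are the ones from
// the captured requests above; the allowlist itself is an assumption.
const ALLOWED_ORIGINS = new Set(["http://spa.example.jp"]);

// Vulnerable: echoes whatever Origin the client sent AND allows
// credentials, so any site can make the victim's browser call the API
// with the victim's cookies and read the response.
function corsReflectAny(origin) {
  if (!origin) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Fixed: exact-match allowlist (no suffix or regex matching, a common
// second bug); unknown origins get no ACAO header at all. Vary: Origin
// is kept so shared caches never serve one origin's response to another.
function corsAllowlist(origin, allowed = ALLOWED_ORIGINS) {
  if (!origin || !allowed.has(origin)) return { "Vary": "Origin" };
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Approximates the browser's check for a credentialed cross-origin read:
// ACAO must equal the requesting origin exactly ("*" is refused when
// credentials are included) and ACAC must be the literal "true".
function browserAllowsCredentialedRead(origin, headers) {
  return headers["Access-Control-Allow-Origin"] === origin &&
         headers["Access-Control-Allow-Credentials"] === "true";
}

// Replays the session's Burp Repeater test against both policies.
function demo() {
  const results = {};
  for (const origin of ["http://spa.example.jp", "http://trap.example.jp"]) {
    results[origin] = {
      reflectAny: browserAllowsCredentialedRead(origin, corsReflectAny(origin)),
      allowlist: browserAllowsCredentialedRead(origin, corsAllowlist(origin)),
    };
  }
  return results;
}

console.log(demo());
```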
Insufficient Current Password Verification in Password Change Processing
When re-authentication and the password change itself are implemented as separate APIs, it may be possible to skip re-authentication and call the password change API directly as long as a valid session exists.
JWT Signature Verification Bypass (alg=none Attack)
JWTs are Base64URL-encoded JSON and can be decoded easily; online JWT decoder sites let you try decoding and re-encoding them. Sample token from the hands-on:
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6InFrQTZJVVRXVE1LWXRpbTRGSXFOOFFNY2x3ODd1Tm0yMHU5Nk9rcTh0XzAifQ.eyJzdWIiOjY4LCJ1c2VyaWQiOiJzcGEtdGVzdC0wMzEwIiwiZW1haWwiOiJzcGEtdGVzdC0wMzEwQGdtYWlsLmNvbSIsImljb24iOiJkdW1teS1pY29uLnBuZyIsImlzX3N1cGVyIjowLCJpYXQiOjE3NTI4ODg0NTAsImV4cCI6MTc1Mzc1MjQ1MH0.xGjjwXjql18iSQE2RPQG4qUwqh2y19kY0NjRL7OsWOKYurKmKVLdVfarHf7pA_2_ScFxX4QVfT_dj6Np8M7hM7Tz2LBWuz9OmeD2g2RGlhbWOg0GB5UHik7Dtdx4NYNuZSeIc9WbsQ-MGWNieUKuvMWrw34rs_C5E1SDxn-8LDZ7hnmGd907TtxD4SyJN8z50-fWSqimOS93rHah4GONxfK4erPlndh0qjE_6JgvhiVMkb_qFzG6pi83ETh-rmwOwq97gVc-IRimLmHWOzGaf1S9HXtXbeG6OMkREZI7409CoCYPt2JW5Qp-x4Aq3ulF628iyDgEvJsAV2oiidDs9A
Decoded Header
{
"typ": "JWT",
"alg": "RS256",
"kid": "qkA6IUTWTMKYtim4FIqN8QMclw87uNm20u96Okq8t_0"
}
Decoded Payload
{
"sub": 68,
"userid": "spa-test-0310",
"email": "spa-test-0310@gmail.com",
"icon": "dummy-icon.png",
"is_super": 0,
"iat": 1752888450,
"exp": 1753752450
}
The signature portion is Base64URL-encoded binary data, not JSON. Only the signature ties the header and payload to the issuer, so if signature verification does not work correctly, tampering with the payload becomes trivial.
The attacker changes the alg in the header from RS256 to none and modifies the sub in the payload to a value indicating an administrator (e.g., 1) to generate a fraudulent token.
{
"typ": "JWT",
"alg": "none",
"kid": "qkA6IUTWTMKYtim4FIqN8QMclw87uNm20u96Okq8t_0"
}
{
"sub": 1,
"userid": "spa-test-0310",
"email": "spa-test-0310@gmail.com",
"icon": "dummy-icon.png",
"is_super": 0,
"iat": 1752888450,
"exp": 1753752450
}
Re-encoded (note the empty signature segment after the final dot):
eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIiwia2lkIjoicWtBNklVVFdUTUtZdGltNEZJcU44UU1jbHc4N3VObTIwdTk2T2txOHRfMCJ9.eyJzdWIiOjEsInVzZXJpZCI6InNwYS10ZXN0LTAzMTAiLCJlbWFpbCI6InNwYS10ZXN0LTAzMTBAZ21haWwuY29tIiwiaWNvbiI6ImR1bW15LWljb24ucG5nIiwiaXNfc3VwZXIiOjAsImlhdCI6MTc1Mjg4ODQ1MCwiZXhwIjoxNzUzNzUyNDUwfQ.
Using browser developer tools, replace the Cookie value with the generated fraudulent token.
Depending on the server-side implementation, if the check around kid during signature verification is insufficient, the server may accept an unsigned token whose alg has been tampered to none.
Broken Object Level Authorization (BOLA)
As noted in the OWASP API Security Top 10, authorization failures in APIs are a critical issue. By modifying the ID in request parameters or URLs to another user’s ID, an attacker can illegitimately obtain another person’s information.
Broken Object Property Level Authorization
When the API-side authorization check for specific properties in requests is insufficient, an attacker can illegitimately manipulate objects by modifying properties that should not be changeable (e.g., role).
Broken Function Level Authorization (BFLA)
A vulnerability where a regular user can execute administrator-only APIs (e.g., user deletion, configuration changes) due to insufficient permission checks.
XSS
XSS is generally classified into three types: “stored,” “reflected,” and “DOM-based,” though DOM-based XSS can also share characteristics of the other two, and classifications may overlap.
In XSS attacks, sanitization processes can be bypassed by exploiting differences in how newline characters and character encodings are interpreted, so care must be taken with output escaping.
In modern web applications, the HttpOnly attribute makes it difficult to steal cookies, but the major threat of XSS is that it allows arbitrary API calls from the victim’s browser.
SSRF
Attackers can use a public server as a stepping stone to send requests to servers in internal networks (corporate networks, cloud environments, etc.) that are not directly accessible.
Examples of endpoints commonly targeted by SSRF attacks:
- file:///etc/hosts: Read local files on the server
- http://169.254.169.254/: Access the cloud environment's metadata service (IMDS) to steal credentials
- http://localhost:NNNN/: Access local services used internally by the application
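As an added example (not from the session), the check below is a defensive filter for URLs an application fetches on behalf of a user; it rejects the three kinds of target listed above and also catches the decimal-IP form that the WHATWG URL parser normalises. The blocked ranges and the sample URLs are constructed, and rejecting all IPv6 literals is a simplifying assumption.

```javascript
// Added example (not the session's code): an outbound-URL filter that
// rejects the SSRF targets listed above. A hostname check alone is not
// enough (DNS rebinding): the address actually resolved at connect time
// must be checked against the same ranges, which this offline code omits.

function ipv4ToInt(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const parts = m.slice(1).map(Number);
  if (parts.some((p) => p > 255)) return null;
  return ((parts[0] << 24) >>> 0) + (parts[1] << 16) + (parts[2] << 8) + parts[3];
}

// Blocked IPv4 ranges: loopback, link-local (covers the IMDS address
// 169.254.169.254), RFC 1918 private ranges and "this host".
const BLOCKED_V4 = [
  ["127.0.0.0", 8], ["169.254.0.0", 16], ["10.0.0.0", 8],
  ["172.16.0.0", 12], ["192.168.0.0", 16], ["0.0.0.0", 8],
];

function inCidr(ip, [base, bits]) {
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// Returns null when the URL may be fetched, otherwise the reason for
// rejecting it (useful for logging/alerting on SSRF probing).
function ssrfRejectReason(raw) {
  let url;
  try { url = new URL(raw); } catch { return "unparseable URL"; }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return `scheme ${url.protocol} not allowed`;        // blocks file://, gopher://, ...
  }
  const host = url.hostname.toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return "localhost not allowed";
  if (host.startsWith("[")) return "IPv6 literal not allowed (assumption: not needed here)";
  // The WHATWG parser already turns forms like 2130706433 or 0x7f000001
  // into dotted-quad 127.0.0.1, so one IPv4 check covers them.
  const ip = ipv4ToInt(host);
  if (ip !== null && BLOCKED_V4.some((cidr) => inCidr(ip, cidr))) {
    return `address ${host} is internal or link-local`;
  }
  return null;
}

for (const u of ["file:///etc/hosts", "http://169.254.169.254/", "http://localhost:8080/"]) {
  console.log(u, "->", ssrfRejectReason(u));
}
```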
“Introduction to Bug Bounty: The Road to Becoming a Bug Hunter” by Yuta Morioka
12:40 - 14:10
Photography was prohibited during this session, so I'll omit detailed hands-on content.
Bug bounty platforms serve as intermediaries between “bug hunters” who discover vulnerabilities and companies that want to implement vulnerability reward programs.
Major Bug Bounty Platforms
- HackerOne (USA)
- Bugcrowd (USA)
- Intigriti (Belgium)
Japanese Bug Bounty Platform
- IssueHunt (Japan)
Program Types
- BBP (Bug Bounty Program): Programs that pay rewards for discovered vulnerabilities.
- VDP (Vulnerability Disclosure Program): Programs that serve as a point of contact for vulnerability reports. Typically no rewards.
Tools commonly used in bug hunting
“Detecting Vulnerabilities in Source Code Using LLMs” by Ayato Shitomi
16:00-16:45
- Static analysis: Code analysis using AST (Abstract Syntax Tree)
- Dynamic analysis: Parameter fuzzing, etc.
Vulnerability Detection Methods Using LLMs
- Identify Ajax functions
- Create call graphs for functions called by Ajax
- Create a list of callees
- Taint analysis by LLM and taint analysis by conventional methods
- Create diagnostic results and PoC (Proof of Concept) code
“Applying Cybersecurity Concepts to the Real World: Addressing Threats from Russia and North Korea” by Yulii Smirnov
16:45 - 17:30
A talk focused on how cyber attacks in the virtual domain affect the real world.
International Call Fraud
- Impersonating police stations using phone numbers ending in “0110”
- Using large numbers of mobile phones, SIM boxes, and fake base stations to spoof the caller ID
- "Special fraud" (the Japanese term for phone-based remittance scams) and telecommunications technology are closely linked
Car Theft Device “GameBoy (Code Grabber)”
- Popular in countries like Russia where Japanese used cars are in high demand
- Relays and amplifies smart key signals to unlock vehicles (relay attack)
- Involvement of front companies linked to the FSB (Federal Security Service of Russia) and SVR (Foreign Intelligence Service of Russia) has been noted
Illegal Radio and North Korea
- Glocom (a North Korean front company based in Malaysia)
- Manufactures and sells illegal radio equipment while evading UN sanctions
Russia’s Cyber Attack Strategy
- Uses cyber attacks as part of hybrid warfare
- Digital attacks are merely the entry point; the goal is to affect the real world
- Connections to Russia’s traditional military tactic of “maskirovka” (deception) have been noted
OSINT-Related Organizations
- https://roles.rcast.u-tokyo.ac.jp
- https://deepdive.or.jp
- Organizations conducting threat detection and analysis from open-source information