As a Developer, I did my first Web Penetration Testing

fadilxcoder
Web Architect && Mobile App Developer - 🎮 💻 🎧 ☕

Hello Dev peeps,

I was on Facebook, scrolling through my News Feed, when I came across an ad for an online music web application that had just been released. So I decided to visit the website and explore it. There were some free tracks and some premium tracks.

While exploring, a thought crossed my mind: "Is this site really secure?". This is where my journey started.

A journey of a thousand miles begins with a single step

I did not know exactly how to proceed, but the first step was to examine the website with Google Chrome's DevTools.

So I clicked on a random premium song to see what was going on in the Network tab of DevTools.

Music App URL


When I clicked the play icon, I was watching the Network tab and found two interesting URLs:

Network tab in DevTools

  • get-song-info?hash_id=40f65e3dad2b5d1....
  • get-track.php?id=I6OTPf15O79FuKg&hash=b28ee5...

Eventually I clicked on both URLs. The first one took me to a JSON-formatted page where all the data for that particular song was displayed.

JSON data


Whereas the second URL showed only "Access denied".

Access denied


After spending some time analyzing the situation, I decided to figure out a way to download a premium song without buying it.

My guess was that the music app developer used a call to action that triggered a PHP script via an API when a user clicked the play icon, and that this script returned a "Content-Type: audio/mpeg" response.

In other words, the URL that showed the "Access denied" page could not be called directly by copying and pasting it into your web browser. It had to be called through the API.

I used API TESTER to simulate the request and, as expected...

Bad news! It did not work!

I noticed in the Network tab of DevTools that other parameters were being sent as request headers.

Request Header


After much trial and error, I was able to simulate it by adding some of those request headers.

API TESTER - simulation


And 💥, I got the response... BUT in an unexpected format 😖

Response Body


But it was not a big deal: I clicked on the eye icon at the top right, the premium song opened in another tab in my browser, and I was able to listen to it freely without having to buy it.

Congratulations

For your info, I got in contact with the owner of the online music application to report the issue. I don't know if they have fixed it yet.
