Bypassing Hotstar Premium with DOM manipulation and some JavaScript

By OpSecX

Hotstar is a premium streaming platform like Netflix and Amazon Prime Videos. The security controls for restricting premium content were implemented on the client side as front-end ReactJS logic. We were able to bypass these access controls and view paid premium content by manipulating the dynamic HTML DOM.

Past experience in AppSec has taught us not to put security controls only at the front end or client side. The legacy examples are input validation only on the client side, client-side-only CAPTCHA validation, hidden fields with sensitive tokens, OTP tokens exposed to the client side, etc.

The main purpose of the front end is presentation, but with the advent of JS frameworks and MVC terminology at the front end, some developers tend to do a lot more in client-side controllers than they should.

Hotstar heavily uses ReactJS at the front end, and they had controls on accessing premium content only on the client side. From an application security perspective, it's a nightmare to find such issues by inspecting and debugging JavaScript code. We initially hooked various JavaScript function calls to trace the execution flows and later discovered this issue by fiddling with the HTML DOM.
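The design point above, that a control enforced only in front-end logic is not a control, shown as an added example that is not Hotstar's or the author's code: a client-gated playback response beside a server-gated one. The catalogue, session tokens, paths and function names are all hypothetical and constructed for illustration.

```javascript
// Added example. Catalogue, sessions, paths and function names are all
// hypothetical, constructed for illustration (not Hotstar's API).
const CATALOGUE = new Map([
  ["free-101", { title: "Free clip", premium: false, stream: "/streams/free-101.m3u8" }],
  ["prem-202", { title: "Premium film", premium: true, stream: "/streams/prem-202.m3u8" }],
]);
const SESSIONS = new Map([
  ["tok-free", { user: "alice", plan: "free" }],
  ["tok-paid", { user: "bob", plan: "premium" }],
]);

// Weak design: every caller receives the stream URL plus a "locked" flag,
// and the front end is trusted to hide the player when locked is true.
function playbackClientGated(contentId) {
  const item = CATALOGUE.get(contentId);
  if (!item) return { status: 404, body: { error: "not_found" } };
  return { status: 200, body: { title: item.title, locked: item.premium, stream: item.stream } };
}

// Corrected design: entitlement comes from server-side session state, and the
// stream URL is never serialized for a caller who is not entitled to it.
function playbackServerGated(contentId, sessionToken) {
  const item = CATALOGUE.get(contentId);
  if (!item) return { status: 404, body: { error: "not_found" } };
  if (item.premium) {
    const session = SESSIONS.get(sessionToken);
    if (!session) return { status: 401, body: { error: "login_required" } };
    if (session.plan !== "premium") {
      return { status: 403, body: { error: "subscription_required", title: item.title } };
    }
  }
  return { status: 200, body: { title: item.title, stream: item.stream } };
}

// Review/test helper: true if a response hands a premium stream URL to a
// caller whose session does not carry a premium plan.
function leaksPremiumStream(contentId, sessionToken, response) {
  const item = CATALOGUE.get(contentId);
  const session = SESSIONS.get(sessionToken);
  const entitled = Boolean(session && session.plan === "premium");
  return Boolean(item && item.premium && !entitled && response.body.stream);
}

// The client-gated response leaks to a free user; the server-gated one does not.
console.log(leaksPremiumStream("prem-202", "tok-free", playbackClientGated("prem-202")));
console.log(leaksPremiumStream("prem-202", "tok-free", playbackServerGated("prem-202", "tok-free")));
```

A check like `leaksPremiumStream` belongs in API integration tests, run against every endpoint that returns playback data for each subscription tier.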