CYVOCATE
← Index

Client-Side Trust of Sensitive API Response

Estimated Savings: CYVOCATE’s report helped prevent potential certification fraud & platform abuse exceeding $300,000+ by securing the integrity of user progress and assessments.

Introduction

One of the most common mistakes we encounter is trusting the client-side to enforce business logic.

In this engagement, we identified that the application trusted sensitive API responses for test progression. By modifying the response, we were able to bypass assessment requirements, effectively granting ourselves unauthorized progression and access to gated features.

Discovery Process

Step 1: Intercepting the API Response

During login, the application called:

GET /api/auth/me
{
  "isPythonTestCompleted": false,
  ...
}

This flag directly controlled whether the user had completed the required Python Test.

Step 2: Response Manipulation

Using Burp Suite, we intercepted and modified the response:

"isPythonTestCompleted": true

The application UI immediately reflected the test as completed, unlocking gated learning modules and progression steps.

Step 3: Impact Demonstration

  • Bypassed Python test without actual completion.
  • Gained unauthorized access to restricted features.
  • Compromised the platform’s integrity, credibility, and trust.

Proof of Concept

  • Vulnerability Chain:
    1. Login normally → API returns "isPythonTestCompleted": false.
    2. Intercept API response with Burp Proxy.
    3. Change flag to "true".
    4. Platform now treats user as if the test was completed.
  • Impact: Unauthorized progression and access to gated content.
  • Demonstration: User dashboard displayed as test completed without performing the exam.

Impact & Risks

  • Assessment Fraud: Users can falsely gain certifications.
  • Business Integrity Risk: Devalues training program credibility.
  • Revenue Loss: Invalid certifications could result in financial disputes.
  • Trust Erosion: Undermines platform’s reliability and reputation.

Recommendations

  1. Server-Side Validation
    • All test completion logic should be validated at the backend.
    • Client-side should display state but never determine logic.
  2. Data Integrity Checks
    • Implement cryptographic tokens or signed states for test results.
    • Verify status before unlocking content.
  3. Monitoring & Alerts
    • Detect abnormal progression patterns.
    • Flag suspicious users bypassing tests unnaturally.
← Back to allDiscuss your scenario →