WebklexH1:802636InnoGames: Create any military unit in any age
Summary of the Issue
It’s possible to create a sniperbot unit in the bronze age by sending a crafted request to xs1.forgeofempires.com/game/json endpoint
Steps to reproduce
- Login to https://xs1.forgeofempires.com with Chrome browser while observing network tab.
- Open the poc_20200227.html (F730442)
- We need to fill the required fields:
Gateway url: found under “Network” (in Chrome) and looks like this: https://xs1.forgeofempires.com/game/json?h=SOME_RANDOM_STUFF.
Signature secret: found in a file like this: https://foexs.innogamescdn.com//cache/ForgeHX-SOME_RANDOM_STUFF. Search for “VERSION_SECRET”.
Session ID inspect any request under “Network” (in Chrome) which goes to https://xs1.forgeofempires.com and copy the sid value found in the cookie request header.
- Click on “Sign payload” to generate a signed payload and a curl command.
- Execute the curl command
- You have now a sniperbot unit in your Army (Open your ingame “Army Management” tab).
The request that creates a sniperbot looks like this:
POST /game/json?h=0Pn6pW…6 HTTP/1.1
Host: xs1.forgeofempires.com
User-Agent: curl/7.64.1
signature: 2d…
content-type: application/json
accept: /
Accept-Encoding: gzip, deflate
cookie: sid=le9…
Content-Length: 606
Connection: close
[{“class”:“ServerRequest”,“requestData”:[[5,30,31]],“requestClass”:“CityProductionService”,“requestMethod”:“pickupProduction”,“requestId”:0},{“class”:“ServerRequest”,“requestData”:[31,1],“requestClass”:“CityProductionService”,“requestMethod”:“startProduction”,“requestId”:0},{“class”:“ServerRequest”,“requestData”:[[{“class”:“ArmyUnit”,“unitId”:-1,“ownerId”:0,“currentHitpoints”:0,“entity_id”:0,“slot_id”:0,“unitTypeId”:“sniperbot”,“next_healing_step_size”:705,“is_defending”:true,“fully_healed_at”:0}]],“requestClass”:“ArmyUnitManagementService”,“requestMethod”:“healUnits”,“requestId”:0}]
Impact statement
An attacker can create sniperbots and take advantage in the games