- A config file that demonstrates a weakness in the login flow for user accounts on originality.ai.
- Originality.ai is a software tool that provides AI detection and plagiarism checks for text.
- Because the login request carries no CSRF token and the rate limit is set very high, the login endpoint can be hit with large volumes of automated login attempts (credential brute-force and credential stuffing).
- This config explores how that weakness can be exploited.
- While the originality.ai login page mentions reCAPTCHA, the POST login request payload shows `captcha` as null, and the request is accepted without a captcha response.
The config captures the `access_token` from the successful login response. It then uses the token to check whether the account has a subscription; if it does, the API key can be captured through the browser developer tools, in the Network tab.
This is demonstrated in the code written in the config.
The config can be run in automated credential-checking tools such as SilverBullet to perform brute-force checks against wordlists. The issue can be mitigated by enforcing Google's reCAPTCHA v3 server-side on the login request and by applying strict per-account and per-IP rate limits.
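The following is an added example, not part of the config or originality.ai's code, that simulates the login flow the config exercises (one login POST per wordlist entry, `captcha` left null, the access token captured on success) against a hypothetical login service run under two policies: a lax one resembling the situation described above (captcha not required, very high rate limit) and a strict one (captcha required, five attempts per minute per account and per source IP). The user database, the wordlist and the policy numbers are constructed for the demonstration.

```python
"""Simulated login service: lax vs. strict policy against a wordlist attack.

Added example. The service, policies, users and wordlist are constructed;
nothing here talks to a real endpoint.
"""
import time
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class LoginPolicy:
    require_captcha: bool   # reject requests whose captcha field is null/empty
    max_attempts: int       # attempts allowed per key (account or IP) per window
    window_seconds: float   # sliding-window length


# Hypothetical policies: the lax one mirrors "captcha null + very high rate limit",
# the strict one mirrors "captcha enforced + strict rate limits".
LAX_POLICY = LoginPolicy(require_captcha=False, max_attempts=10_000, window_seconds=60)
STRICT_POLICY = LoginPolicy(require_captcha=True, max_attempts=5, window_seconds=60)

# Constructed user store: email -> password.
USERS = {"alice@example.com": "Winter2024!"}


class LoginService:
    def __init__(self, policy, users, clock=time.monotonic):
        self.policy = policy
        self.users = users
        self.clock = clock
        self.attempts = defaultdict(deque)  # (kind, key) -> timestamps in window

    def _rate_limited(self, key, now):
        """Sliding-window counter; records the attempt if it is allowed."""
        q = self.attempts[key]
        while q and now - q[0] > self.policy.window_seconds:
            q.popleft()
        if len(q) >= self.policy.max_attempts:
            return True
        q.append(now)
        return False

    def login(self, email, password, captcha, source_ip):
        now = self.clock()
        if self.policy.require_captcha and not captcha:
            return {"status": 400, "error": "captcha_required"}
        # Count the attempt per account and per IP before verifying the password,
        # so failed guesses burn the budget.
        if (self._rate_limited(("account", email), now)
                or self._rate_limited(("ip", source_ip), now)):
            return {"status": 429, "error": "too_many_attempts"}
        if self.users.get(email) == password:
            return {"status": 200, "access_token": f"tok-{email}"}
        return {"status": 401, "error": "invalid_credentials"}


def constructed_wordlist():
    """14 wrong guesses, the real password, then 5 more wrong guesses (20 total)."""
    return [f"password{i}" for i in range(14)] + ["Winter2024!"] + [f"qwerty{i}" for i in range(5)]


def wordlist_attack(service, email, wordlist, captcha=None, source_ip="203.0.113.10"):
    """Replay what the config does: one login per candidate, stop on the first token."""
    results = {"tried": 0, "blocked": 0, "token": None}
    for candidate in wordlist:
        r = service.login(email, candidate, captcha=captcha, source_ip=source_ip)
        results["tried"] += 1
        if r["status"] in (400, 429):
            results["blocked"] += 1
            continue
        if r["status"] == 200:
            results["token"] = r["access_token"]
            break
    return results


if __name__ == "__main__":
    wl = constructed_wordlist()
    print("lax   :", wordlist_attack(LoginService(LAX_POLICY, USERS), "alice@example.com", wl))
    print("strict:", wordlist_attack(LoginService(STRICT_POLICY, USERS), "alice@example.com", wl))
    print("strict, captcha solved:",
          wordlist_attack(LoginService(STRICT_POLICY, USERS), "alice@example.com", wl, captcha="solved"))
```

Under the lax policy the attack reaches the real password on the 15th request and walks away with a token. Under the strict policy every request with a null captcha is refused outright, and even when the attacker supplies a captcha response for each request the per-account window closes after five failures, so the correct guess never gets checked. Both controls matter: the captcha alone can be outsourced to a solving service, and the rate limit alone still lets a slow, distributed attack through unless it is keyed per account as well as per IP.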