Whenever we switch security awareness training vendors, it seems like an unspoken challenge among our team to be the first one to hack it. With our last vendor, SANS (tisk tisk), it was a security token in cleartext that allowed you to shortcut straight to the test without watching the videos.
DISCLAIMER: I do think Security Awareness Training is a good thing and this exercise was performed out of curiosity in the spirit of fun hacking. I know that statistically many of these programs are ineffective, however, it’s important to start somewhere.
Recently, we switched again. This year we are using KnowBe4 as our new vendor. As I was progressing through the videos, curiosity got the best of me and I had to take a look under the hood to try and short-circuit this process. Below is what the dashboard looks like. As you can see, I was about to start the “Password Handling” section.
Before starting, however, I fired up Burp Suite to see what it was doing. After Burp started, I went ahead and clicked on the “Start Course” button. The training started, and I quickly exited the window.
Now, when I go back to my dashboard, my training shows as incomplete.
Bummer! I guess I will have to watch the whole thing and take the test – or maybe not. Let’s take a look in Burp and see what is causing me to have to spend a whole 30 minutes every year watching these videos and taking these tests (sarcasm is heavily implied here, as I think that Security Awareness Training is a necessary part of corporate culture these days, even if it is ineffective. Actually, never mind, this really doesn’t do anything to help anyone’s security. So, let’s continue hacking!).
This HTTP POST looks interesting. At first glance at this request, the flag for completion stands out like a sore thumb: the client is the one telling the server whether the course is done. Let’s send this to Repeater and see what happens when we mess with it.
Updated the value from “incomplete” to “completed”. Let’s press the “Go” button and see what happens.
Well, I got a 200 OK response which is a good thing. Did it do anything?
Hey, it worked! I now passed this course in a record 8 seconds! Better get my certificate.
Wait a second, what if I change that enrollment number at the top, in the URL?
Looks like I now have someone else’s training certificate. Lol! I guess I could have just iterated through the numbers and printed off someone else’s completion certificates without going through all of the work of hacking it. Oh well, it was fun and good for some lulz!
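For anyone building or reviewing an LMS, here is an added toy model (not KnowBe4’s code, and not from the original post) of the two flaws above, a client-controlled completion flag and a certificate lookup keyed only on the enrollment number, next to the server-side checks that close them. The user names, enrollment numbers and passing score are constructed for the example.

```python
# Added illustration (not KnowBe4's code): a toy model of the two flaws in the post, a
# client-controlled completion flag and a certificate lookup keyed only on enrollment
# number, beside the server-side checks that close them. All names/values are constructed.
PASS_MARK = 80  # assumed passing score for the quiz

def fresh_store():
    """Constructed sample data: what the server actually knows about each enrollment."""
    return {
        1001: {"user": "alice", "status": "incomplete", "video_done": False, "quiz_score": None},
        1002: {"user": "bob", "status": "completed", "video_done": True, "quiz_score": 90},
    }

def update_status_vulnerable(store, enrollment_id, body):
    """Mirrors the post: whatever 'status' the client POSTs is stored as-is."""
    store[enrollment_id]["status"] = body.get("status", "incomplete")
    return 200, store[enrollment_id]["status"]

def update_status_hardened(store, enrollment_id, user, body):
    """Ignores the client's 'status' entirely; completion is derived from server-side
    progress records, and only the enrolled user may touch their own enrollment."""
    e = store.get(enrollment_id)
    if e is None or e["user"] != user:
        return 403, None
    passed = e["video_done"] and e["quiz_score"] is not None and e["quiz_score"] >= PASS_MARK
    e["status"] = "completed" if passed else "incomplete"
    if body.get("status") != e["status"]:
        # Worth logging: a client asserting a state the server cannot confirm.
        print(f"audit: {user} sent status={body.get('status')!r} for {enrollment_id}, "
              f"server says {e['status']!r}")
    return 200, e["status"]

def certificate_vulnerable(store, enrollment_id):
    """Mirrors the post: any completed enrollment's certificate, given only its number."""
    e = store[enrollment_id]
    return f"Certificate of completion: {e['user']}" if e["status"] == "completed" else None

def certificate_hardened(store, enrollment_id, user):
    """Scopes the lookup to the requester: another user's enrollment looks like 'not found'."""
    e = store.get(enrollment_id)
    if e is None or e["user"] != user or e["status"] != "completed":
        return None
    return f"Certificate of completion: {e['user']}"
```

The audit line in the hardened handler is the detection hook: a POST whose claimed status disagrees with the server’s own record is exactly the Repeater edit described above.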