Responsible Disclosure Report
Summary
The code demonstrates a method to automate PAN (Permanent Account Number) validation or lookup requests against a public service endpoint, by imitating user behavior and bypassing anti-bot protections. This script programmatically acquires session cookies and CSRF tokens, then iterates through possible PAN numbers to collect sensitive JSON responses.
Technical Description
- Session Initiation and Token Harvesting
  A randomized mobile/desktop user-agent is selected to mimic real browser traffic.
  A GET request is made to the search form page to retrieve:
    the CSRF token (_token) from a hidden HTML input field, parsed with BeautifulSoup;
    Set-Cookie headers containing session cookies (XSRF-TOKEN, ird_session, and load balancer tokens).
  Cookies and token values are parsed and stored for reuse in the POST request.
- PAN Search Exploitation
  A loop iterates over a large range of numeric values that resemble possible PAN numbers. For each number:
    a POST request is made to a backend endpoint intended for PAN validation/search;
    the CSRF token and valid session cookies are attached to mimic authenticated browser behavior;
    if a non-empty response (jsondata != 0) is received, it is stored to disk.
- Persistence and Retry Logic
  On encountering errors (timeouts, token expiration, etc.), the session and token are refreshed via a recursive function call.
  This enables long-running scraping without manual intervention.
Potential Risks
Unauthorized Enumeration: This technique allows brute-force enumeration of personal/business PAN data, bypassing intended usage patterns.
Data Privacy Violation: If PAN lookups return personal or identifiable business data, this can lead to breaches of data protection regulations.
Abuse of Public Services: The service is likely intended for individual, manual queries. Automating it could overwhelm the server or lead to DoS conditions.
Weak Session Control: Use of persistent tokens without IP/user-binding or session throttling increases attack surface.
Recommendations
Rate Limiting: Enforce IP-based rate limits or CAPTCHA for high-volume requests.
Token Binding: Bind CSRF/session tokens to IP address and user-agent string to prevent reuse across sessions.
Monitoring & Alerts: Log and alert on abnormal traffic patterns such as sequential PAN searches.
Access Control: Restrict access to sensitive endpoints to authenticated users only, or require OTP/email validation.
Bot Detection: Implement JavaScript-based detection (e.g., reCAPTCHA v3, fingerprinting) to block headless/automated access.
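The detection that the Monitoring & Alerts recommendation calls for, together with the per-client volume threshold behind the Rate Limiting recommendation, as an added example that is not part of this report or the affected organisation's code. It assumes a hypothetical access-log line format of "<UTC timestamp> <client ip> POST <path> pan=<value> <status>" and a hypothetical endpoint path /api/pan/search; the sample log lines are constructed for the example. It flags a client when its request rate in a sliding window exceeds a threshold, or when the PAN values it submits are mostly consecutive, which is the signature of the loop described in the Technical Description.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample access-log lines (not real traffic). The line format is an
# assumption for this example: "<UTC timestamp> <client ip> POST <path> pan=<value> <status>".
# 203.0.113.5 behaves like the automated lookups described in the report: one request per
# second with PAN values incrementing by one. The other two clients are ordinary users.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z 203.0.113.5 POST /api/pan/search pan=100000001 200
2024-05-01T09:00:01Z 203.0.113.5 POST /api/pan/search pan=100000002 200
2024-05-01T09:00:02Z 203.0.113.5 POST /api/pan/search pan=100000003 200
2024-05-01T09:00:03Z 203.0.113.5 POST /api/pan/search pan=100000004 200
2024-05-01T09:00:04Z 203.0.113.5 POST /api/pan/search pan=100000005 200
2024-05-01T09:00:05Z 203.0.113.5 POST /api/pan/search pan=100000006 200
2024-05-01T09:00:06Z 203.0.113.5 POST /api/pan/search pan=100000007 200
2024-05-01T09:00:07Z 203.0.113.5 POST /api/pan/search pan=100000008 200
2024-05-01T09:00:08Z 203.0.113.5 POST /api/pan/search pan=100000009 200
2024-05-01T09:00:09Z 203.0.113.5 POST /api/pan/search pan=100000010 200
2024-05-01T09:00:10Z 203.0.113.5 POST /api/pan/search pan=100000011 200
2024-05-01T09:00:11Z 203.0.113.5 POST /api/pan/search pan=100000012 200
2024-05-01T09:05:00Z 198.51.100.7 POST /api/pan/search pan=437281905 200
2024-05-01T09:05:40Z 198.51.100.7 POST /api/pan/search pan=437281905 200
2024-05-01T09:10:00Z 192.0.2.9 POST /api/pan/search pan=512000347 200
2024-05-01T09:12:00Z 192.0.2.9 POST /api/pan/search pan=118990222 200
2024-05-01T09:14:00Z 192.0.2.9 POST /api/pan/search pan=772134560 200
2024-05-01T09:16:00Z 192.0.2.9 POST /api/pan/search pan=118990223 200
2024-05-01T09:18:00Z 192.0.2.9 POST /api/pan/search pan=330201111 200
2024-05-01T09:20:00Z 192.0.2.9 POST /api/pan/search pan=901000004 200
this line is malformed and must be skipped by the parser
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) POST (?P<path>\S+) pan=(?P<pan>\d+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one log line into a record, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "ip": m["ip"],
        "path": m["path"],
        "pan": int(m["pan"]),
        "status": int(m["status"]),
    }


def peak_rate(recs, window_seconds):
    """Largest number of requests from one client inside any sliding window (recs sorted by ts)."""
    peak = 0
    left = 0
    for right in range(len(recs)):
        while (recs[right]["ts"] - recs[left]["ts"]).total_seconds() > window_seconds:
            left += 1
        peak = max(peak, right - left + 1)
    return peak


def analyze(log_text, window_seconds=60, max_per_window=10, min_requests=5, seq_ratio=0.8):
    """Return {client ip: [reasons]} for clients whose lookup pattern looks automated.

    A client is flagged when it exceeds max_per_window requests in any window_seconds
    window, or when at least seq_ratio of its consecutive PAN submissions differ by
    exactly one (the sequential-enumeration signature). Clients with fewer than
    min_requests lookups are never judged on sequence alone.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = []
        peak = peak_rate(recs, window_seconds)
        if peak > max_per_window:
            reasons.append(f"rate {peak} req/{window_seconds}s")
        if len(recs) >= min_requests:
            pans = [r["pan"] for r in recs]
            steps = [b - a for a, b in zip(pans, pans[1:])]
            seq = sum(1 for s in steps if s == 1) / len(steps)
            if seq >= seq_ratio:
                reasons.append(f"sequential pan values ({seq:.0%})")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {'; '.join(reasons)}")
```

Run against the constructed log, only 203.0.113.5 is reported, with both the rate and the sequential-value reasons; the two-lookup retry from 198.51.100.7 and the six scattered lookups from 192.0.2.9 stay quiet. In production the same two signals should be keyed on the session cookie as well as on the source address, because clients behind carrier-grade NAT share one IP and a per-IP threshold alone will either block them or be set too loosely to catch a slow enumeration.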
Impact Level
High — If exploited at scale, this vulnerability can leak sensitive data and violate national privacy laws related to citizen or company identifiers.
Title: Unauthorized Access to PAN Lookup Endpoint via CSRF Token Scraping and Session Hijacking
This issue enables systematic harvesting of PAN-associated data via token and session reuse. The organization should act swiftly to harden its endpoints, enforce stricter access controls, and improve bot protection mechanisms. The script was shared solely for responsible vulnerability disclosure and has not been used for any malicious purpose.