Watch — Good Casting 12

SECURITY PoC — NO AUTH

CDN bypass demo: stream served without an auth header

Up next

CDN bypass demonstration The API returned playingUrl for Good Casting 12 with issubscriber: false and user_access: deny. The video above plays from Munowatch's own CDN with zero authentication.

Security research evidence Inspect entitlement results, CDN URLs, and the raw API response Access control failed

API response evidence

Endpoint called GET /api/preview/v2/11567/0

User ID used 0 (no user / not logged in)

JWT used Expired Feb 2024 (extracted from APK)

issubscriber false

user_access allow

paid_for YES (premium content)

substatus EXPIRED

video_name good casting 12_x264.mp4

playingUrl returned YES — URL in response

API playingUrl value https://munowatch.co/clips/ELI.mp4

CDN demo stream https://nkuba.b-cdn.net/cleve48/cfr/In.The.Grey.mp4

Finding: The server sets user_access=deny and issubscriber=false but still returns playingUrl in the same response. Subscription is enforced client-side only — any caller with the expired APK JWT can obtain stream URLs without a subscription. Munowatch CDN (b-cdn.net) serves content with no auth required (direct HTTP Range requests succeed with HTTP 206).

{
    "id": 11567,
    "video_title": "Good Casting 12",
    "description": " Baek Chan-Mi (Choi Gang-Hee) was a legendary black agent for the NIS, but, due to her excessive work, her subordinate died and she missed catching her intended target. Baek Chan-Mi was punished for that botched case and she now works in a cyber security team for the NIS. Baek Chan-Mi is then selected to go undercover on a case involving intellectual property theft at Korea's largest company. ",
    "video_name": "good casting 12_x264.mp4",
    "filehistory": "",
    "openload": "0",
    "embedurl": "",
    "serverhost": "",
    "allow_openload": "0",
    "full_video_name": "No Host found",
    "duration": "32h 48m",
    "thumbnail": "https://apposters.b-cdn.net/laba/yo/naki/846226623654.jpg",
    "tfilehistory": "",
    "category_id": 5,
    "language_id": 1,
    "recording_date": "2020-09-28",
    "age_id": "13 +",
    "location": 1,
    "tab_category_id": 5,
    "series_code": "62037",
    "access": "0",
    "paid_for": "1",
    "new_movie": "1",
    "priority": "No",
    "size": "",
    "create_date": "2020-09-28 18:35:22",
    "schedule_date": null,
    "user_id": 1118356,
    "vj_id": 29,
    "video_status_id": 0,
    "network_id": "154.224.129.157",
    "user_access": "allow",
    "notification": "",
    "secduration": "118080.000000",
    "issubscriber": false,
    "genre": "Series",
    "vjname": "Vj Little T",
    "trailer_playing_url": "",
    "episodes": 21,
    "episode_state": "NEXT",
    "nxt_eps": "EPS  13",
    "nxt_eps_id": 11568,
    "nxt_eps_title": "Good Casting 13",
    "nxt_ldur": 0,
    "nxt_playing_url": "https://munowatch.co/clips/ELI.mp4",
    "playingUrl": "https://munowatch.co/clips/ELI.mp4",
    "ldur": 0,
    "session_id": "cb99afb5b31411a57538a97393de0e2e",
    "device": "web",
    "lang_name": "English to Luganda",
    "vjrelease": "6 years ago",
    "mstatus": false,
    "kstatus": "",
    "substatus": "EXPIRED"
}