When testing the login and signup pages I didn't find anything impressive. There was an OAuth misconfiguration that led to an open redirect on the login page. I also tested the forgot-password functionality and, as expected, it sent a reset-token link when the forgot-password action was performed, so no luck there.
But I didn't give up and tried my luck again by looking into the page source of the application for anything interesting, since the web application worked on AJAX requests (AJAX allows web pages to be updated asynchronously by exchanging data with a web server behind the scenes, so parts of a page can be updated without reloading the whole page). When the user clicks "forgot password" there is no visible processing or page reload; the user just receives a password reset link containing a unique token. An ordinary user has no idea what is happening behind the scenes.
Pic 2: AJAX Working Process
There was an endpoint in the XMLHttpRequest that looked like:
https://company.com/api/REDACTED/resetPasswordToken/
The response looked somewhat like this:
Then I intercepted the request of the reset password page again:
https://company.com/api/REDACTED/resetPassword<username>
This time I focused on the response received for this POST request, and the response was something I was not expecting. I was like Daaaummm!!!!
Pic 4: Reaction after successful exploit
The response looked like this:
```json
{
  "id": 11077,
  "token": "4PjLzn7fyLU<Redacted>f1h1P2F",
  "stamp": 1628796031082,
  "username": "test13337"
}
```
Due to a misconfiguration on the server side, the server leaked the reset token in the response to anyone who requested it for any valid, existing username. The question now was how this token disclosure could be used to take over any user's account, and it turned out to be pretty easy.
The reset URL format looked somewhat like:
https://www.company.com/#/changePassword/<username>/<token>
We were halfway there. All that remained was to craft a password reset link: since the response leaked both the "username" and the "token", the only step left was to substitute those values into the URL format above.
The final reset link would be:
https://www.company.com/#/changePassword/test13337/4PjLzn7fyLU<Redacted>f1h1P2F
By performing the above steps, an attacker could successfully take over any valid user's account and perform any suspicious activity, including diverting payments to their own crypto address, which made this a critical issue.
Pic 6: Scene at Desk of Developer on the same day. 😆
I immediately reported this vulnerability. The team validated and triaged the issue within 10 minutes of my submission, and I was rewarded with a huge $5000 bounty for this finding.
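The reset-token flow in its leaky form next to a hardened one, as an added example written for this post rather than the company's code (the in-memory stores, the mail outbox and the function names are assumptions):

```python
import hashlib, hmac, secrets, time

# Constructed in-memory stores standing in for a database and a mail transport.
USERS = {"test13337": {"id": 11077, "password": "old-password"}}
RESET_TOKENS = {}          # username -> {"hash": sha256(token), "expires": timestamp}
OUTBOX = []                # (username, reset link); the only place a token should leave the server
TOKEN_TTL_SECONDS = 15 * 60

def _store_token(username):
    token = secrets.token_urlsafe(24)
    RESET_TOKENS[username] = {"hash": hashlib.sha256(token.encode()).hexdigest(),
                              "expires": time.time() + TOKEN_TTL_SECONDS}
    return token

def vulnerable_reset_password_token(username):
    """The pattern described in the write-up: the token is minted and then echoed
    back to whoever made the request, so the API response alone is enough to
    build the reset link."""
    token = _store_token(username)
    return {"id": USERS[username]["id"], "token": token,
            "stamp": int(time.time() * 1000), "username": username}

def hardened_reset_password_token(username):
    """Hardened form: the token goes only to the account's own delivery channel
    (here the outbox), and the HTTP response is the same generic message whether
    or not the username exists, so it reveals neither the token nor the account."""
    if username in USERS:
        token = _store_token(username)
        OUTBOX.append((username, f"https://www.company.com/#/changePassword/{username}/{token}"))
    return {"message": "If the account exists, a reset link has been sent."}

def change_password(username, token, new_password):
    """Consumes a token: only its hash is stored, comparison is constant-time,
    expired tokens are rejected and a token works exactly once."""
    entry = RESET_TOKENS.get(username)
    if entry is None or time.time() > entry["expires"]:
        return False
    if not hmac.compare_digest(entry["hash"], hashlib.sha256(token.encode()).hexdigest()):
        return False
    del RESET_TOKENS[username]
    USERS[username]["password"] = new_password
    return True
```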
Be creative and think out of the box, easy, isn’t it ;)