Account Take Over with HTTP Pollution Attack at Reset Password Functionality


yoshi m lutfi

First of all, this is my first write-up about a finding or bug from my work in cyber security. I am also trying to write this post in English, so I apologise if my write-up is bad or hard to understand for people whose native language is English.

Okay, I started working in cyber security in April 2018. Before that, I worked as financial and IT staff at a bank in Indonesia.

I had no prior experience with hacking or pentesting. But being a hacker is always something interesting; for me and, I think, for everyone who loves IT, one of their dreams is surely to be a hacker. :D Luckily, there are a ton of resources on the Internet for learning hacking, and my daily job at my new company has been learning and doing pentesting ever since.

Okay, sorry for too much intermezzo.

I found this bug while testing a mutual funds application in early 2020. As usual, the endpoint to look at for account takeover is the reset password functionality. Let me explain how this reset password mechanism works:

1. The user requests a password reset by entering their registered email.
2. If the email is valid, the system sends an OTP (by email) so the user can confirm the reset.
3. The user enters the OTP; if it is valid, the change password form appears.
4. After the password is changed successfully, the application goes directly to the dashboard.

At first, my idea was to log in with another user's email without knowing their password, because once the password change succeeds, that user's dashboard is shown directly. So I was curious what would happen if I changed the email the user provided (the loginname parameter) when confirming the password change.

This is what the request packet looked like:

[Picture 1: Original Request]

That scenario was unsuccessful: the system validated the email I used. So I retried the password change, this time with an HTTP parameter pollution attack (picture 2), adding a second loginname parameter to the request. This request was accepted by the system, and I was successfully logged in with the victim's email.

[Picture 2: Edited Request]

So I asked my friend (the owner of the victim email) to try logging in with his username and the password he knew, and he failed to log in. Then I asked him to try logging in with the password I had used when logging in with his email, and it worked!

So the system changed the victim's password instead of mine. I then tried logging in to my own account with my old password, and it still worked.
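The behaviour described above is the classic HTTP parameter pollution (HPP) root cause: two components of the same request pipeline parse the duplicated parameter differently, so the OTP check binds to one copy of loginname while the password update binds to the other. Which copy "wins" depends on the stack (Java Servlet getParameter returns the first value, PHP's $_POST keeps the last, ASP.NET joins them with a comma), which is why the attack is worth trying even when you cannot see the backend. The following is an added example that simulates this with a tiny in-memory application; it is not code from the original post or from the application the author tested. The user store, OTP values, handler names and the reset_tokens map are all assumptions made for the demonstration. The vulnerable handler reads the first loginname for the OTP check and the last one for the update; the hardened flow rejects duplicate parameters and binds the password change to a server-side reset token instead of a client-supplied account name.

```python
import secrets
from urllib.parse import parse_qs

# Constructed sample user store (example data, not the real application's).
SAMPLE_USERS = {
    "attacker@example.com": {"password": "attacker-pw", "otp": "111111"},
    "victim@example.com": {"password": "victim-pw", "otp": "222222"},
}


def fresh_users():
    """Return a mutable copy of the sample store so each scenario starts clean."""
    return {email: dict(rec) for email, rec in SAMPLE_USERS.items()}


def vulnerable_confirm_reset(body, users):
    """Hypothetical vulnerable handler for the 'confirm OTP + set new password' step.

    It models the HPP root cause: the OTP check and the password update each pull
    'loginname' out of the same body but disagree on which copy wins (first vs last),
    as happens when a validation filter and the business logic use different parsers.
    """
    params = parse_qs(body, keep_blank_values=True)
    login_for_otp_check = params.get("loginname", [None])[0]  # first occurrence
    login_for_update = params.get("loginname", [None])[-1]   # last occurrence
    otp = params.get("otp", [None])[0]
    new_password = params.get("newpassword", [None])[0]

    account = users.get(login_for_otp_check)
    if account is None or account["otp"] != otp:
        return {"status": "rejected", "reason": "invalid OTP"}
    if login_for_update not in users:
        return {"status": "rejected", "reason": "unknown account"}
    users[login_for_update]["password"] = new_password
    # The app then logs the caller straight into this account's dashboard.
    return {"status": "ok", "session_for": login_for_update}


def _single_valued(params, names):
    """True only if every named parameter appears exactly once (reject HPP outright)."""
    return all(len(params.get(n, [])) == 1 for n in names)


def hardened_verify_otp(body, users, reset_tokens):
    """Hardened step 2: check the OTP, then mint a server-side reset token bound to
    the verified account. 'reset_tokens' is a hypothetical server-side map."""
    params = parse_qs(body, keep_blank_values=True)
    if not _single_valued(params, ("loginname", "otp")):
        return {"status": "rejected", "reason": "duplicate parameter"}
    login, otp = params["loginname"][0], params["otp"][0]
    account = users.get(login)
    if account is None or account["otp"] != otp:
        return {"status": "rejected", "reason": "invalid OTP"}
    token = secrets.token_urlsafe(32)
    reset_tokens[token] = login
    return {"status": "ok", "reset_token": token}


def hardened_change_password(body, users, reset_tokens):
    """Hardened step 3: the account comes only from the token, never from a
    client-supplied loginname, so a polluted body cannot redirect the update."""
    params = parse_qs(body, keep_blank_values=True)
    if not _single_valued(params, ("reset_token", "newpassword")):
        return {"status": "rejected", "reason": "duplicate parameter"}
    login = reset_tokens.pop(params["reset_token"][0], None)  # single use
    if login is None:
        return {"status": "rejected", "reason": "invalid or used reset token"}
    users[login]["password"] = params["newpassword"][0]
    return {"status": "ok", "session_for": login}


# Constructed polluted body: attacker's own email (matching the attacker's OTP)
# first, the victim's email appended as a second loginname.
POLLUTED_BODY = (
    "loginname=attacker%40example.com&loginname=victim%40example.com"
    "&otp=111111&newpassword=attacker-chosen-pw"
)

if __name__ == "__main__":
    users = fresh_users()
    print("vulnerable:", vulnerable_confirm_reset(POLLUTED_BODY, users))
    print("victim password now:", users["victim@example.com"]["password"])
    users, tokens = fresh_users(), {}
    print("hardened:", hardened_verify_otp(POLLUTED_BODY, users, tokens))
```

Run against the polluted body, the vulnerable handler accepts the attacker's OTP, overwrites the victim's password and opens a session for the victim's account, while the attacker's own password is untouched, exactly the outcome in the write-up. The hardened flow refuses the duplicated parameter, and even a clean request that smuggles a loginname into the change-password step is ignored because the account is resolved from the server-side token. When testing, try the duplicate in both positions (first and last), and also in a different location (query string versus body), since the component that validates and the one that acts may read from different places.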

I reported this vulnerability and it has now been fixed.

My advice:

If the application automatically shows the dashboard or main menu after the user successfully changes their password, try attacking it with HTTP parameter pollution, because we don't know which parameter is used for validation and which one is used to load the dashboard. (My opinion.) hhe..

Okay, that is all for now. Next I will (maybe) write up:

Bypassing OTP protection in a mobile banking application's change-PIN functionality.