Hello Everyone,
I’m Omar Hamdy (Seaman). Today I am going to explain one of the coolest bugs I found on a private program in Bugcrowd.
Let’s start.
I had a private program, let’s call it redacted.com. After a while of reconnaissance on the program, I began to examine the password reset function; usually I look there for vulnerabilities like ATO and Host Header injection.
Simply put, when a user wants to reset his password, he enters his first and last name and e-mail address, and a password reset link is sent to that email.
I requested a password reset for my account and then intercepted the request (via ZAP proxy) to examine it closely.
The request looked like this:
And the password reset link was:
https://redacted.com/Reset?token=04294876770750
So far nothing exciting. I used the link, changed my password and intercepted the request. Here I found something very interesting.
The request looked like this:
If you look at this request, you will find the token used to reset the password: it is the same token that was sent when the user requested the password reset.
From here I had the ability to take over any account I wanted by changing the victim’s password.
Steps To Reproduce:
1- Request to reset the password of the victim’s account and block the request with Burp Suite.
2- You will find the token that you will use to reset the victim’s password.
3- Request a password reset for your account, then use the password reset link, change your password and intercept the request via Burp Suite.
4- You will find the request as this:
5- Replace your token with the victim’s token, and the victim’s password will be successfully changed.
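The root cause above is that the reset token was visible to whoever requested the reset, and any valid token could then be submitted with the change-password request. The following is an added example, not code from the program or from this post, showing how a reset flow avoids that: the token is delivered only to the account owner’s mailbox, stored server-side as a hash bound to that account, expires, and is consumed on first use. The class and function names (`PasswordResetService`, `request_reset`, `complete_reset`, the `mailer` and `set_password` callbacks) are assumptions for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # reset links stay valid for 15 minutes


class PasswordResetService:
    """Minimal password-reset flow that never hands the token back to the requester."""

    def __init__(self, mailer, set_password, now=time.time):
        self._mailer = mailer            # mailer(email, link): delivers the link out of band
        self._set_password = set_password  # set_password(email, new_password): credential store
        self._now = now                  # injectable clock, so expiry can be tested
        self._pending = {}               # sha256(token) -> (email, expires_at)

    @staticmethod
    def _hash(token):
        # Only a hash is stored, so a leaked table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, email):
        # Unpredictable token (unlike a short numeric one), bound to this account.
        token = secrets.token_urlsafe(32)
        self._pending[self._hash(token)] = (email, self._now() + TOKEN_TTL_SECONDS)
        # Placeholder host; the link goes to the mailbox only. The HTTP response to
        # the reset request must not contain the token.
        self._mailer(email, f"https://example.invalid/Reset?token={token}")
        return None

    def complete_reset(self, token, new_password):
        # pop() makes the token single-use; an unknown token simply fails.
        entry = self._pending.pop(self._hash(token), None)
        if entry is None:
            return False
        email, expires_at = entry
        if self._now() > expires_at:
            return False
        # The account is taken from the server-side record, never from the request,
        # so a submitted token can only ever reset the account it was issued for.
        self._set_password(email, new_password)
        return True


if __name__ == "__main__":
    outbox, creds = [], {}
    svc = PasswordResetService(lambda e, link: outbox.append((e, link)),
                               lambda e, pw: creds.__setitem__(e, pw))
    svc.request_reset("owner@example.invalid")          # constructed sample account
    link_token = outbox[-1][1].split("token=")[1]
    print(svc.complete_reset(link_token, "new-pass"), svc.complete_reset(link_token, "again"))
```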