I was looking at the authentication functionality of a subdomain I will call mdu.example.com.
mdu.example.com consists of a login page for mdu users. Initial research revealed that I could enumerate usernames through the login function.
Affected link:
mdu.example.com/FogotPassword.jsp
It was a form containing a username and an email address.
Sending the POST request to Burp Intruder and fuzzing the username parameter reveals valid usernames.
The results can be sorted by the error message returned for unknown accounts:
Invalid username
The request looks like this ($test$ marks the Intruder payload position):
username=$test$&email=null
I fuzzed the numerical values 1 to 100 and found 2 accounts, with usernames 17 and 88.
An attacker who knows only the victim's username can take over mdu user accounts by abusing the email function of the password reset.
An account takeover vulnerability exists in the password reset functionality of mdu.example.com. Because of a misconfiguration in the email functionality, an attacker who possesses only the username of the victim can take over their account, gaining unauthorized access to it and potentially performing malicious actions.
To exploit this, the attacker uses the password reset link that is meant for the victim's email address. Because the reset form sends the link to the email address submitted in the request rather than to the address registered to the account, the attacker receives the link, resets the victim's password and takes control of the account.
The administrators of mdu.example.com should address this promptly by sending reset links only to the email address stored on the account and by adding further safeguards (a generic response regardless of whether the username exists, and rate limiting on the reset form) to prevent unauthorized account takeovers.
Steps to reproduce:
1. Go to https://mdu.example.com/PasswordReset.jsp. The numerical usernames 17 and 88 have accounts on mdu.example.com; I found them through username enumeration on the same endpoint.
2. Type 88 in the username field and your own email address in the email field.
3. Click submit.
4. Shortly afterwards a mail arrives in your inbox: it is the password reset link for the mdu.example.com account.
5. You can now reset the victim's password and manipulate their data.
Impact: An attacker who knows only a username can hijack and own that user's account; if the user has admin privileges, the harm to the institution is even greater. The website also allows username enumeration, which lets an attacker find the usernames of mdu.example.com users.
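To make the two defects concrete for whoever has to fix them, here is an added example (my own code, not the site's or the author's) that models the reset handler as the write-up describes it and then the hardened version. The account table, the in-memory outbox standing in for the mail function, the token store and all function names are assumptions; the two usernames are the ones found above. The hardened handler returns the same message whether or not the username exists, ignores the client-supplied email, and issues a single-use token that is stored only as a hash. responses_differ is a self-check a defender can run against either handler to see whether it still works as a username oracle.

```python
import hashlib
import secrets
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample account table (username -> registered email). The real
# site's data is unknown; 17 and 88 are the usernames the write-up found.
ACCOUNTS: Dict[str, str] = {
    "17": "user17@mdu.example.com",
    "88": "user88@mdu.example.com",
}

# Constructed stand-in for the mail function: (recipient, reset link) pairs.
OUTBOX: List[Tuple[str, str]] = []

# Issued reset tokens, keyed by SHA-256 of the token, so a leaked table
# does not hand out live reset links.
TOKEN_STORE: Dict[str, str] = {}

GENERIC = "If that account exists, a reset link has been sent to its registered email."


def _issue_token(username: str) -> str:
    """Create an unguessable token and remember only its hash."""
    token = secrets.token_urlsafe(32)
    TOKEN_STORE[hashlib.sha256(token.encode()).hexdigest()] = username
    return token


def _send_reset_mail(to: str, token: str) -> None:
    """Assumed mail hook: appends to OUTBOX instead of sending."""
    OUTBOX.append((to, "https://mdu.example.com/PasswordReset.jsp?token=" + token))


def reset_request_vulnerable(username: str, email: str) -> str:
    """Models the behaviour in the write-up (assumed, not the site's code):
    the error differs for unknown usernames, and the link is mailed to
    whatever address the client submitted."""
    if username not in ACCOUNTS:
        return "Invalid username"
    _send_reset_mail(email, _issue_token(username))
    return "Reset link sent"


def reset_request_hardened(username: str, email: Optional[str] = None) -> str:
    """Same response whether or not the username exists; the email field is
    still accepted by the form but never used as the recipient. (A real
    handler should also equalise timing and rate-limit per source.)"""
    registered = ACCOUNTS.get(username)
    if registered is not None:
        _send_reset_mail(registered, _issue_token(username))
    return GENERIC


def redeem_token(token: str) -> Optional[str]:
    """Single-use lookup: returns the username the token was issued for,
    or None if it is unknown or already used."""
    return TOKEN_STORE.pop(hashlib.sha256(token.encode()).hexdigest(), None)


def responses_differ(handler: Callable[[str, str], str]) -> bool:
    """Defender self-check: True if a known and an unknown username get
    different responses, i.e. the form still works as a username oracle."""
    probe = "probe@example.invalid"
    return handler("88", probe) != handler("no-such-user", probe)


def link_token(link: str) -> str:
    """Pull the token back out of a reset link (for redeem_token)."""
    return link.rsplit("token=", 1)[1]


if __name__ == "__main__":
    print("vulnerable handler leaks usernames:", responses_differ(reset_request_vulnerable))
    print("hardened handler leaks usernames:  ", responses_differ(reset_request_hardened))
    OUTBOX.clear()
    reset_request_hardened("88", "attacker@example.invalid")
    print("hardened handler mailed:", OUTBOX[0][0])
```

The key design point is that the email field never influences the recipient: the registered address is read from the account record, and an unknown username produces the same message and no mail at all.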