.png)
3 years ago
157 BOOK THIS SPACE FOR AD
ARTICLE AD
Hello guys👋👋 ,Prajit Here from the BUG XS Team. So, in this write-up I will be sharing the method that how I broke reset password logic to get account takeover without any interaction needed.
So before we start into what steps I performed, I need to first explain what was the basic functionality on this website.
So in this website the password reset functionality flow had 3 steps.
Step-1: Entering email on which you will get verification code
Step-2 : Confirming the verification code that you got in email
Step-3 : Changing the password page if the confirmation code is correct.
So I hope with this, how the basic functionality is working is clear, now let’s discuss how I got account takeover vulnerability by finding a flaw in logic of this functionality.
So as usual for this bug, you would need two accounts for testing purpose so lets name it testattacker@gmail.com (Attacker) and testvictim@gmail.com (Victim)
So in first step ask for confirmation code for reset password for testattacker@gmail.comNow you will get the confirmation code in your email, enter the correct code and validate it (At this point capture this request in Burp Suite)Now in Burp Suite do Right Click > Do Intercept > Response to this requestNow Forward and you will get a response , copy it and save it somewhere else for future use(This is the response when confirmation code is correct).Now you will get the Step-III page, but here we don’t have to change the password of attacker😂, so go back again to Step-I page, and now this time ask a confirmation code for password reset of testvictim@gmail.comThis time victim will get confirmation code in his email, but since we don’t have access to his email account we will enter any random number, eg: 123456 (At this point capture this request in Burp Suite)Now in Burp Suite do Right Click > Do Intercept > Response to this requestNow Forward and you will get a response(This is the response when confirmation code is incorrect)Now replace the previous copied correct response with this response and click on forward.You will see we have validated Step-II with wrong code and correct response and now we are in Step-III.Now simple write a new password save it and then try to login testvictim@gmail.com with new password.You will be able to login hence Account Takeover Successful😈.
Always first understand the functionality and try to find such loop holes and logical flaws in it, especially in forget password functionalities, as it will lead to account takeover. And remember, whenever you are trying to find or report any account takeover functionality, try to reduce as much user interaction possible, this will increase the severity of the bug and will prove very rewarding.
So this is all about this write-up, hope you liked it, do let me know if you have any doubts✌️.
Thanks For Reading😊
Profile Links:
Twitter: https://twitter.com/PrajitSindhkar?s=08
LinkedIn: https://www.linkedin.com/in/prajit-sindhkar-3563b71a6/
Instagram: https://instagram.com/prajit_01?utm_medium=copy_link
BUG XS Official Website: https://www.bugxs.co/
Bengali (Bangladesh) · 
English (United States) ·