Hi everyone,
Back with a little chain.
Let me break it down for you, so let's begin!
- First off, let’s understand the process of password reset on the website.
It's the usual process: the user enters their email and receives a link like this in their inbox:
TARGET.COM/redirect?action=reset_password&lang=EN&code=CODEHERE
The key thing to notice is that the website relies entirely on one parameter value, "code".
This parameter value is guessable, but guessing it takes time.
Now onto the next step: does the token expire?
I left the email unopened for a day and then returned to it. Indeed, the token hadn't expired, and I was able to reset the password.
But now the crucial point is to see whether there is a rate limit. This is where we attempt to brute-force the token and instantly reset the password. After some attempts, unfortunately, there was a rate limit :(
So at this point I could have reported the bug as "token does not expire", but the severity would be low.
But I didn’t stop there. I tried to find a technique to bypass the Rate Limit.
After many attempts, I noticed that the website only blocked the source IP address.
I managed to bypass it by using a Burp extension called "IP Rotate", as shown in the picture.
In essence, it routes the requests through AWS servers, and with each request the source IP changes.
Since we already knew the token didn't expire, I was able to reset the password, leading to an account takeover.
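From the defender's side, the chain above works because the code is short enough to guess, it never expires, and the only throttle is keyed on the source IP. As an added example (not code from the original post or from the affected site), here is a minimal Python reset-token store that closes all three gaps: a 256-bit random code, a short expiry, single use, and a failure counter keyed on the account instead of the client IP. The 15-minute TTL, the lockout threshold, and the assumption that the reset request also carries the account's email are my own choices.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60     # assumed policy: reset links die after 15 minutes
MAX_FAILED_PER_ACCOUNT = 5      # assumed policy: lockout counted per account, not per IP


class ResetTokenStore:
    """In-memory reset-token store; `now` is injectable so expiry can be tested."""

    def __init__(self, now=time.time):
        self._now = now
        self._tokens = {}   # sha256(token) -> (account, expires_at)
        self._failed = {}   # account -> consecutive failed redemptions

    @staticmethod
    def _fingerprint(token):
        # Only a hash is stored, so a leaked table does not leak usable codes.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, account):
        # 32 random bytes = 256 bits: not guessable in any realistic time,
        # which makes the IP-rotation trick irrelevant on its own.
        token = secrets.token_urlsafe(32)
        self._tokens[self._fingerprint(token)] = (account, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, account, token):
        """Return 'ok', 'invalid', 'expired' or 'locked'. Tokens are single use."""
        if self._failed.get(account, 0) >= MAX_FAILED_PER_ACCOUNT:
            return "locked"                     # throttle follows the account, not the IP
        key = self._fingerprint(token)
        entry = self._tokens.get(key)
        if entry is None or entry[0] != account:
            self._failed[account] = self._failed.get(account, 0) + 1
            return "invalid"
        _, expires_at = entry
        del self._tokens[key]                   # burn the token on first use, valid or not
        if self._now() > expires_at:
            return "expired"                    # closes the "left it a day" gap
        self._failed.pop(account, None)
        return "ok"
```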
In conclusion, I hope my explanation was clear.
If you found it helpful, don't forget to like and share your thoughts.
Twitter/X
https://twitter.com/Omarzzu
Thank you for reading!