Today I will tell you about an email verification bypass that I found accidentally.
We need to understand that bug 🐞 hunting is not a step-by-step process all the way. You need to think like this: “If I do this, what will happen?” This hunger is a must for bounty hunting.
One more thing, I bought my iPhone 11 from bug bounty. Just joking 😂😂
Coming to the topic. Companies are smarter 🧐 now; they don’t want users to create dummy accounts using temporary emails. So they implement email verification, which means that after creating an account we are not redirected to the account’s dashboard until we provide the OTP or click the confirmation link that was sent to the email.
But we are here to bypass this type of authentication. Let’s see how.
However, I can’t provide you the POC or real images of the target as it is not fixed yet. It was a website that provides cloud services to users. It has a lot of functionalities with a lot of vulnerabilities 😂. Apart from this bug, I also got a 2FA bypass, for which I will write another article.
Steps to reproduce 🤔:
1. Go to the signup form [https://dashboard.example.com/signup], enter email/password and click on signup.
2. You will be redirected to another URL [https://dashboard.example.com/signup/pending/random-token], which asks you to verify your email by clicking on a link that was sent to the email.
3. Now simply remove the [/signup/pending/random-token] part from the URL and make it [https://dashboard.example.com/].
4. You will automatically be redirected to the login page [https://dashboard.example.com/login].
5. Enter the email/password that you used to create the account and haven’t verified yet.
6. The site provides a remember me button; just click it and then click on login.
7. What do you think, is verification bypassed? ‘Yes, but wait.’ You will be redirected to the same path as in step 2 [https://dashboard.example.com/signup/pending/random-token], but believe me, this time we bypassed it. Let’s see how.
8. Now repeat step 3, i.e., remove the [/signup/pending/random-token] path and make the URL [https://dashboard.example.com/], and you will be redirected to your dashboard.
Why did this verification bypass work 🤯? Because of broken authentication and session management. The remember me functionality doesn’t check whether the user has verified the email or not. However, for a moment I thought that I hadn’t bypassed it, because even after I clicked on remember me, I got redirected to the verification page; but as soon as I changed the URL, the website was forced to show the dashboard. I thought it only checked for the remember me state. However, I don’t know the exact reason 🤓.
Please let me know if you know 💥 what the exact misconfiguration is.
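To make the gap concrete, here is a constructed Python model I added (not the target’s code; user names, paths and the `App` class are assumptions): the weak variant checks `verified` only when choosing the post-login redirect, which is exactly what steps 7 and 8 show, while the fixed variant re-checks it on every authenticated request, so stripping the path no longer helps.

```python
# Constructed model of the verification gap described in the steps above (hypothetical app).
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    email: str
    password: str
    verified: bool = False
    pending_token: str = field(default_factory=lambda: secrets.token_hex(8))


class App:
    """Tiny stand-in for the site; enforce_per_request selects weak or fixed behaviour."""

    def __init__(self, enforce_per_request: bool):
        self.enforce_per_request = enforce_per_request
        self.users: dict[str, User] = {}
        self.sessions: dict[str, str] = {}  # session id -> email

    def signup(self, email: str, password: str) -> str:
        user = User(email, password)
        self.users[email] = user
        return f"/signup/pending/{user.pending_token}"  # step 2 redirect

    def login(self, email: str, password: str, remember_me: bool) -> tuple[dict, str]:
        user = self.users.get(email)
        if user is None or user.password != password:
            return {}, "/login"
        sid = secrets.token_hex(8)
        self.sessions[sid] = email  # session issued regardless of verification
        cookies = {"session": sid, "persistent": remember_me}
        # Weak design: the verified check decides only this one redirect (step 7).
        return cookies, ("/" if user.verified else f"/signup/pending/{user.pending_token}")

    def request(self, path: str, cookies: dict) -> tuple[int, str]:
        email = self.sessions.get(cookies.get("session"))
        if email is None:
            return 302, "/login"  # step 4: no session at all
        user = self.users[email]
        # Fix: an unverified account may only reach its pending page, whatever cookie it holds.
        if self.enforce_per_request and not user.verified and not path.startswith("/signup/pending/"):
            return 302, f"/signup/pending/{user.pending_token}"
        return (200, "dashboard") if path == "/" else (200, path)


def reproduce(enforce_per_request: bool) -> str:
    """Walk steps 1-8 against the weak (False) or fixed (True) variant and return the body of step 8."""
    app = App(enforce_per_request)
    app.signup("unverified@example.com", "hunter2")  # step 1
    cookies, redirect = app.login("unverified@example.com", "hunter2", remember_me=True)  # steps 5-6
    assert redirect.startswith("/signup/pending/")  # step 7: both variants redirect here
    _, body = app.request("/", cookies)  # step 8: strip the path and request the root
    return body
```

`reproduce(False)` returns "dashboard" (the bypass), while `reproduce(True)` returns the pending path, showing that the check belongs in the per-request authorization layer, not only in the login redirect.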
Waiting for the company response 💣
Thank You for Reading 💌