How I Found an Account Takeover Vulnerability on takeuforward.org


Raj Ukani

How it all started

I was scrolling YouTube for DSA videos when I came across the takeuforward YouTube channel by Striver. They had launched a platform; I think at that point it had been live for about a month. I thought, let's dig into the website, maybe I'll find something juicy!

OK, let's find a juicy bug

I took my weapon (Burp Suite) and went to takeuforward.org. On the homepage I saw a login option, which seemed like a good place to start, so I began intercepting requests.

Before you read on, I just want to tell you that this is my first article. Let me know how it was.

On the login page I saw Forgot Password?. Having read many articles, I had figured out that forgot-password functionality is vulnerable most of the time, so I thought, let's test this functionality.

It asked for an email. I entered my email and clicked the submit button, since I had already made an account on the platform.

They sent an OTP to my email.

Here are the juicy things I noticed

Here we have to enter the OTP and a new password. If the OTP is valid, we are able to change the password.

I entered 569656 (a random OTP) and a random password to observe the request.

If you carefully observe the cookie on the request, it has an otp key, which is strange to see; I had never seen anything like that before.

On decoding the otp key, it turned out to be a hash string. I took help from ChatGPT and learned that it was bcrypt, then googled bcrypt to get some info about it. The hashed OTP string had a cost factor of 12.

The hashed OTP string looked like:

$2a$12$VI1/nmpcWUkeku8p63QIDe2lABr1S39U.f0GO0As.4hHfhU7dloz

I just assumed: what if this hashed OTP is the actual OTP being sent to the email for verification? That would mean the OTP is verified on the client side.

I thought that if this was the case, I could do something here.

How OTP verification was working in this case:

The server sends an OTP to the user's email and stores the hashed form of the OTP in a cookie, then compares it with the OTP the user enters. If they match, the user is able to change the password.
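As an added illustration (not the site's code, which this write-up does not show), here is the flow described above reconstructed in Python beside a server-side design that would have closed the hole. It uses a PBKDF2 stand-in for bcrypt, since the flaw is where the hash is stored rather than which algorithm produced it, and all OTP values in it are constructed.

```python
import hashlib, hmac, secrets, time

# Stand-in for bcrypt (not in the standard library). As with bcrypt, the salt is
# embedded in the encoded string; the flaw below is where the hash is stored,
# not which algorithm produced it.
def make_hash(otp: str) -> str:
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", otp.encode(), salt, 50_000)
    return salt.hex() + "$" + digest.hex()

def check_hash(encoded: str, otp: str) -> bool:
    salt_hex, digest_hex = encoded.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", otp.encode(), bytes.fromhex(salt_hex), 50_000)
    return hmac.compare_digest(digest.hex(), digest_hex)

# Vulnerable flow as reconstructed from the write-up: the OTP hash rides in a
# cookie and is compared against the OTP the same client submits. Both inputs
# are under the client's control, so a matching pair proves nothing.
def vulnerable_verify(cookie_otp_hash: str, entered_otp: str) -> bool:
    return check_hash(cookie_otp_hash, entered_otp)

# Hardened flow: hash, expiry and attempt counter stay server-side, looked up by
# an opaque token; the client only ever holds that token.
class ResetStore:
    TTL_SECONDS = 600
    MAX_ATTEMPTS = 5

    def __init__(self):
        self._pending = {}  # token -> [otp_hash, expires_at, attempts]

    def start_reset(self, otp: str) -> str:
        token = secrets.token_urlsafe(32)
        self._pending[token] = [make_hash(otp), time.time() + self.TTL_SECONDS, 0]
        return token

    def verify(self, token: str, entered_otp: str) -> bool:
        entry = self._pending.get(token)
        if entry is None or time.time() > entry[1]:
            self._pending.pop(token, None)  # unknown or expired: fail closed
            return False
        entry[2] += 1
        if entry[2] > self.MAX_ATTEMPTS:
            del self._pending[token]  # guessing budget exhausted
            return False
        if check_hash(entry[0], entered_otp):
            del self._pending[token]  # single use
            return True
        return False
```

With the hardened store, a forged or missing token fails, a correct OTP works exactly once, and repeated wrong guesses invalidate the reset.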

After learning this, I figured out how to bypass it.

How I verified a random OTP

Since I knew the cost factor of the hashed OTP, I went to a bcrypt generator site and generated a hash for 569656 (a random number) with cost factor 12.

Then, in the request, I replaced the old OTP hash with the new one.

Success

I sent the modified request to the server, and guess what, it worked.

I successfully changed my account password without knowing the actual OTP, which means I was able to log in to any user's account.

After finding this vulnerability, I started writing a report for the website's team.

For the video POC, I used Striver's account to show the impact of the vulnerability.

Timeline

16 August 2024 — reported

23 August 2024 — bug fixed

28 August 2024 — got reward

Well guys, you want to know the reward for this critical security vulnerability. I asked them for their DSA Pinnacle subscription, which is worth 7500/- INR, and they provided it.

I know I could have asked for more. To be very honest, I was expecting nothing after reporting the vulnerability. Still, I'm happy to get a reward.

It was my first critical vulnerability that was recognized.

I hope you learned something new here.

Maybe we’ll meet again in another article. Until then, keep discovering juicy things on the internet !!

Thank you for reading.

Raj Ukani,

LinkedIn: rajukani100

Twitter: rajukani100

This was for educational purposes only, intended to raise awareness about potential vulnerabilities and emphasize the importance of secure coding practices.
