How I found three Critical Vulnerability in one site.

HIi hackers, good to see you in blog. Today I’m gonna share three critical vulnerability which I found in one site. The first one is XSS, second is OTP bypass and third is account takeover by forgot password.

So let’s get started.

One day I was just free from my study. And decided to look for the vulnerability in random sites. And I came across one matrimony sites also I always tried to look for the new types of vulnerability in matrimony sites. Bcz most of the matrimony sites are too vulnerable which I believe that.

So, moving further, first vulnerability I came across was the XSS. However whenever we see search parameter we always throw XSS payload. So also I’ve done the same.

?username_search=<script>alert(1)</script>

username search parameter was passed so throw the simple payload. But it was sanitized and also I throw another types of payload but it didn’t work ☹. Then I was loosing little bit hope. But again I decided to look for the other parameter.

However by surprise I found the XSS, this XSS was I found in this parameter (profile_details.php?userid=) where I just put simple payload(<script>alert(1)</script>) and it was throwing me error.

So now I was sure by putting payload in the url and sent to the victim. I could takeover the account.

Then I thought instead of taking users account by XSS, I decided to look for the vulnerability which could give me direct access to account without user interaction.

So again my journey begins to look account takeover vulnerability.

That’s where I came across my second vulnerability OTP bypass. However this vulnerability was quite easy to find.

First I went to the forgot password functionality. So I can change another users password which can leads to my goal(Account Take Over). There I enter my phone number. And after that I capture the successful login request. Which I sent to the repeater. And you can see the response below.

In this response it was easy to understand.

So, again I went to the password reset functionality, enter my phone number and enter wrong otp and capture the request.

When I intercept the response of the wrong otp request. So, it was only showing me Invalid pin as you can see in the image, there I paste the previous successful otp response parameter.

As I thought OTP was bypass and I was happy :)

But when I realized that this OTP bypass can’t lead to my account takeover goal. Because to bypass the OTP, atleast I should have the victim phone number. Which I can’t access without premium user :( It makes me feel sad bcz I couldn’t able to takeover any account. Then I turn off my laptop and slept on my bed.

On the very next day with fresh mind again I was focusing on my account takeover goal.

Then from the beginning I started to capture the request. Look for the minor parameter.

By looking at minor parameter I found one parameter which was username ID. And also in forgot password functionality I could change password by just my user ID.

So, I only had one chance to change another user password by it’s username ID which I could easily get by surfing their profile.

So in forgot password functionality when I add my profile ID and then capture the request. It was look something like this. Where in the username my ID was being sent to the server.

Then I decided to put the victim user ID there and in the password it was admin@123 which I already set. And entering the victim ID there and sent the request to the server.

And by surprised I was able to change the victim’s account password. That time I was feeling over the moon bcz I finally achieved my little goal of taking another user account.

So guys that’s it for today. And it’s my first long blog.

So sorry if I made any grammatical error in my writing.

I hope you gained some knowledge from my writeup

SEE YOU GUYS IN THE NEXT BLOG, HAPPY HACKING🙌🙌❤️.