IDOR leads to changing the password of all users (ATO).

3 years ago

After submitting, time to check whether the 2nd account's password changed or not.

Just type the 2nd account's email id and enter the new password that we set in the step above.

Yeah, just an easy account takeover…!!! Wait, wait, wait ⬇️ read the important sections below too 😉

===

Reproduction steps:

(1) Create two accounts for testing: ACCOUNT1 & ACCOUNT2.

(2) Request a password reset for ACCOUNT1.

(3) After receiving the password reset link, we can see that the SID parameter is disclosed in the link. Just change the SID parameter value to the 2nd account's, i.e. SID1001 → SID1002.

(4) Enter the 2nd account's email id and a new password, then submit the request (I created the 2nd account for testing purposes, to prove whether passwords are actually changed successfully or not).

(5) Yeah.. we are successfully able to change the password of other users.

===

Takeaway(s):

(i) Now maybe some of you have a question: how did I grab the ids?
These ids are numeric, so there is no special logic behind them; we can brute-force them.

(ii) Now we have changed the password, but how can we log in? It still needs a valid email, which I am not aware of. For that, simply via user enumeration we can identify valid emails and log in to their accounts :)

(iii) After spending a few hours on the target http://target.com/forgotpswd/SID1001, I can see that this endpoint doesn't have a rate limit, so we can brute-force that particular parameter to change the passwords of all users to the same password😂😂.
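The reset flow from the reproduction steps and the three takeaways, as an added example that is not from the original post: a small in-memory model of the forgot-password endpoint in Python, first in the vulnerable shape the write-up describes and then in a hardened shape. The SID values, ACCOUNT1/ACCOUNT2 and the target.com URL follow the post; the class names, email addresses, token format, 15-minute expiry and 5-attempt limit are assumptions made for illustration, and nothing here talks to a real server.

```python
import secrets
import time

# Constructed sample accounts (not real data). The SID format mirrors the
# post's "SID1001 -> SID1002"; emails and passwords are placeholders.
USERS = {
    "SID1001": {"email": "account1@example.com", "password": "old-pass-1"},
    "SID1002": {"email": "account2@example.com", "password": "old-pass-2"},
    "SID1003": {"email": "account3@example.com", "password": "old-pass-3"},
}


def sid_for_email(users, email):
    return next((s for s, u in users.items() if u["email"] == email), None)


class VulnerableReset:
    """Flow as the write-up describes it: the reset link carries the account's
    own sequential SID, and the submit handler trusts whatever SID and email
    arrive with the form. Nothing ties the SID to the reset that was requested."""

    def __init__(self, users):
        self.users = {k: dict(v) for k, v in users.items()}

    def request_reset(self, email):
        sid = sid_for_email(self.users, email)
        return None if sid is None else f"http://target.com/forgotpswd/{sid}"

    def submit(self, sid, email, new_password):
        # Modelled on purpose: no proof of ownership, no single-use token,
        # no expiry, no attempt limit. `email` is accepted but never verified.
        if sid not in self.users:
            return False
        self.users[sid]["password"] = new_password
        return True


def reproduce_idor(service):
    """Steps (2)-(4) of the write-up against a VulnerableReset instance."""
    link = service.request_reset("account1@example.com")            # (2)
    own_sid = link.rsplit("/", 1)[1]                                # (3) "SID1001"
    victim_sid = f"SID{int(own_sid[3:]) + 1}"                       # SID1001 -> SID1002
    ok = service.submit(victim_sid, "account2@example.com", "pwned")  # (4)
    return ok and service.users[victim_sid]["password"] == "pwned"


def brute_force_all(service, first, last, new_password):
    """Takeaway (iii): guessable SIDs plus no rate limit means one loop resets
    every account in the range to the same password. Returns the SIDs changed."""
    changed = []
    for n in range(first, last + 1):
        sid = f"SID{n}"
        if service.submit(sid, "ignored@example.com", new_password):
            changed.append(sid)
    return changed


class HardenedReset:
    """Fix: the link carries a random, single-use, expiring token that the
    server maps to the account that asked for the reset. The form cannot pick
    the account, unknown emails get the same reply, and attempts are capped."""

    TOKEN_TTL = 15 * 60   # assumed lifetime in seconds
    MAX_ATTEMPTS = 5      # assumed per-client attempt budget

    def __init__(self, users, now=time.time):
        self.users = {k: dict(v) for k, v in users.items()}
        self.tokens = {}      # token -> (sid, issued_at); never leaves the server
        self.attempts = {}    # client id -> submits seen
        self.outbox = []      # (email, link) pairs standing in for sent mail
        self.now = now

    def request_reset(self, email):
        sid = sid_for_email(self.users, email)
        if sid is not None:
            token = secrets.token_urlsafe(32)          # 256 random bits
            self.tokens[token] = (sid, self.now())
            self.outbox.append((email, f"http://target.com/forgotpswd/{token}"))
        # Identical response whether or not the email exists (takeaway ii).
        return "If that address is registered, a reset link has been sent."

    def submit(self, token, new_password, client="203.0.113.7"):
        self.attempts[client] = self.attempts.get(client, 0) + 1
        if self.attempts[client] > self.MAX_ATTEMPTS:
            return False                               # rate limited
        entry = self.tokens.pop(token, None)           # pop: single use
        if entry is None:
            return False
        sid, issued_at = entry
        if self.now() - issued_at > self.TOKEN_TTL:
            return False                               # expired
        self.users[sid]["password"] = new_password
        return True


if __name__ == "__main__":
    print("IDOR reproduces:", reproduce_idor(VulnerableReset(USERS)))
    print("Brute-forced:", brute_force_all(VulnerableReset(USERS), 1000, 1010, "same"))
```

The point to take from the hardened class is that the account is selected by the server from the token, never from anything the client sends in the form; making the SID harder to guess would not be enough on its own, since a leaked or forwarded link would still reset the account without a single-use, expiring binding. The uniform response in `request_reset` and the attempt cap in `submit` address takeaways (ii) and (iii).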

===

Thanks for reading. If you have any questions, you can DM me on Twitter 😊
