My First Bounty on a Simple Bug

2 years ago 142

BOOK THIS SPACE FOR AD

ARTICLE AD

Hello Folks 👋 , in this write-up I will tell you how I ended up getting a 150$ bounty on a Bugcrowd Program.

My name is Prajit Sindhkar and I am a security researcher from India since a bit more than a year. I am also under Bugcrowd Top 500 Hacker and Bug Bounty Leader of the BUG XS Community. So we have also been teaching newcomers in this field via the BUG XS batches for bug bounty.

So , since I am not much of a writer, I haven’t really written about my findings in medium, but recently I was motivated to do so by many of my students, so I decided , why not start sharing from my first bounty.

I have found many interesting bugs since last one year , and now I will be writing a writeup on each one of them one by one from the start, so be sure to follow to get updates about my upcoming write-ups.😊

The bug name which I found was “Password Reset Link Not Expired After Use”. This comes under the VRT of “Insufficient Security Configurability >Weak Reset Password Implementation > Token Not Invalidated After Use”

Steps To Find This Bug:

Go to https://target.com/ password reset page.Enter your email, and ask for a password reset link.Now go to mail and open that link in two tabs.Reset the password from one tab, reload the other tab , and if it let’s you reset password again then it is vulnerable to token not invalidated after use as we are resetting the password two times with same token.

Impact/Exploit Scenario: If victim’s email account is still logged into his/her Office Computers or any public Internet Café. Then any external attacker can use the used token to reset victims password.

Severity: Now due to this difficult to happen exploit scenario , which requires user interaction it is given as a P4 bug under Bugcrowd VRT.

Now this feature can be also used to sometimes chain it with other vulnerabilities, to get higher severity depending on the functionalities present in the website.