BOOK THIS SPACE FOR AD
ARTICLE ADHello Everyone,
I’m Omar Hamdy (Seaman), Today I am going to explain one of the coolest bugs which I found on Private Program in Bugcrowd
Let’s Start,
I had a private program, let’s call it redacted.com, After a while of reconnaissance the program, I began to examine the my Favorite Function password reset, Usually I look for vulnerabilities like (ATO, Host Header injection).
Simply, When the user wants to reset his password, he enters his email then A password reset link will be sent to his email.
I requested a password reset for my account and the password reset link was :
https://redacted.com/update-password/12d52catcbc344ec-9871-85ac6390d863/1621264272
The password reset link consists of two parts: The user ID and a random 10-digit code.
What I found very interesting here which enables me to takeover any user account is that the 10-digit code is a serial code so that a random value is not generated, but rather a serial value, meaning that if you asked to reset the password for your account and the code was “1618963650”, then you requested a reset The password for the victim’s account will be the code “1618963720”, where the last 3 numbers differed only, allowing us to carry out the brute-force attack and obtain the last 3 numbers where the probability ratio will be from 100 to 999.
The problem now is that the user ID was not Public, I spent more than two days searching for any endpoint that leaked this ID, and I used Google Dorks and got nothing.
Part of the idea of the site is that users can publish articles on the site, and there is a feature to report a specific article to the user, I found that if you report an article to the user, you will find the user’s ID is being leaked in the Request.
Steps To Reproduce :
1- Request a password reset for your account.
2- Request a password reset for the victim’s account.
3- Then change your ID to the victim ID and use the same 10-digit code and only execute a brute force attack on the last 3 digits and the operation will be completed successfully.
4- Execute a brute force attack on this link and specify the last 3 digits of the 10-digit code
https://redacted.com/update-password/12d52catcbc344ec-9871-85ac6390d863/1621264272
That’s All for today , Thanks for Reading :)
Follow me on twitter @seaman00o
Follow me on Facebook: https://www.facebook.com/profile.php?id=100028277354125