P4 bugs and their POC steps | Part 3


socalledhacker

This is part 3 of the P4 bugs series; if you haven't read the previous part, check it out first. Click Here

Hi everyone, I am Nikhil aka socalledhacker: a security researcher, penetration tester, certified ethical hacker and a web3 noob. In the past few months I have discovered lots of bugs, but in today's article we are going to discuss low-hanging fruit, the P4 vulnerabilities, because they are very easy to find and present on almost every website. So let's start with today's first vulnerability.

A website uses various kinds of tokens: reset-password tokens, verification tokens, invite-user tokens and so on. If such a token is not invalidated after it has been used, so that the same token can be used multiple times, that's a bug.

Criteria: for a verification token this is only worth reporting if using the token opens the account directly, without asking for credentials, so that a reused token actually grants access.

Time to write the POC for this.

Description: the reset-password token is not expired after a single use.

Steps to reproduce:

1. Open the URL https://site.com
2. Go to the Forgot password page.
3. Enter your email id; you will receive a reset link.
4. Change the password multiple times using the same reset link.
5. The password gets changed every time.

Impact:

An attacker who gets hold of the user's reset link (for example from a shared mailbox, browser history or a log) can reuse the token and set a new password, which leads to an account takeover.
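To show what the fix looks like on the server side, here is an added example (not code from the original post) of a reset flow with the reusable-token flaw next to a single-use, time-limited version. The class names, the in-memory store and the 15-minute lifetime are assumptions chosen for illustration; a real service would persist the hashed token in its database.

```python
"""Password-reset tokens: the reusable-token flaw beside a single-use fix.

Added example, not code from the original post. The in-memory store,
class names and 15-minute lifetime are assumptions for illustration.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class ResetRecord:
    user: str
    expires_at: float


class VulnerableResetService:
    """Issues a reset token but never consumes it: the bug described in the post."""

    def __init__(self):
        self.passwords = {}  # user -> password (plaintext only to keep the demo short)
        self.tokens = {}     # raw token -> user

    def request_reset(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[token] = user
        return token  # would be e-mailed as https://site.com/reset?token=<token>

    def reset_password(self, token: str, new_password: str) -> bool:
        user = self.tokens.get(token)
        if user is None:
            return False
        self.passwords[user] = new_password
        return True  # token stays in the store: the same link works forever


class HardenedResetService:
    """Single-use, time-limited tokens stored only as a SHA-256 hash."""

    LIFETIME = 15 * 60  # seconds; assumed value

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be tested offline
        self.passwords = {}
        self.tokens = {}        # sha256(token) -> ResetRecord

    @staticmethod
    def _key(token: str) -> str:
        # Store only a hash so a database leak does not hand out live reset links.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, user: str) -> str:
        # Revoke any earlier outstanding token for this user: one live link at a time.
        self.tokens = {k: r for k, r in self.tokens.items() if r.user != user}
        token = secrets.token_urlsafe(32)
        self.tokens[self._key(token)] = ResetRecord(user, self.now() + self.LIFETIME)
        return token

    def reset_password(self, token: str, new_password: str) -> bool:
        key = self._key(token)
        rec = self.tokens.get(key)
        if rec is None or self.now() > rec.expires_at:
            return False
        del self.tokens[key]    # consume the token before the password write
        self.passwords[rec.user] = new_password
        return True


def demo_reuse(service_cls, **kwargs) -> list:
    """Run the post's POC (change the password twice with one link) and
    return the outcome of each attempt."""
    svc = service_cls(**kwargs)
    token = svc.request_reset("victim@example.com")  # constructed sample user
    return [svc.reset_password(token, "first"), svc.reset_password(token, "second")]


if __name__ == "__main__":
    print("vulnerable:", demo_reuse(VulnerableResetService))  # [True, True]
    print("hardened:  ", demo_reuse(HardenedResetService))    # [True, False]
```

The hardened version deletes the token before writing the new password, so a retried or replayed request finds nothing to consume, and it checks expiry on every use rather than only when the link is generated.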

The second bug: if the domain is served over HTTP instead of HTTPS, or the domain has no SSL/TLS certificate at all, that's a vulnerability.

Criteria: this bug is only accepted on self-hosted programs.

POC time.

Description: the website is not fully protected by an SSL/TLS certificate. This could allow an attacker in a man-in-the-middle position to obtain the usernames and passwords of users visiting the site.

Steps to reproduce:

1. Open the domain http://site.com
2. Copy the URL and open a new tab.
3. Paste the URL and add an "s" after http in the scheme.
4. If the site does not open over https, it's vulnerable.

Also check whether the http:// URL redirects to https://: a site that simply serves its pages (and its login form) over plain HTTP is vulnerable even if the https:// version also works.

Impact:

If a user visits this page from a public or shared network (e.g. office, airport, library) and logs in to an account, a malicious user on the same network can capture that user's username and password by conducting a man-in-the-middle attack and reading the plaintext traffic with a tool such as Wireshark. That gives the malicious user complete access to the user's account.
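The manual "add an s" test above is easy to get wrong by hand, so here is an added example (not code from the original post) that makes the same check repeatable: it fetches http://host/ without following redirects, classifies what came back, checks that https://host/ answers, and looks for an HSTS header. The hostname is a placeholder supplied on the command line, and the sample responses in the test are constructed.

```python
"""Check whether a site is reachable only over HTTPS.

Added example, not code from the original post. Hostnames are placeholders;
the classification rules are the post's manual test made repeatable.
"""
import sys
import urllib.error
import urllib.request

REDIRECT_CODES = {301, 302, 303, 307, 308}


def classify_http_response(status: int, headers: dict) -> str:
    """Classify the reply to a plain-HTTP request (redirects not followed).

    Returns one of:
      'redirects-to-https'  bounced to an https:// location (expected)
      'serves-plaintext'    the page loads over http, login form included
      'redirects-to-http'   a redirect, but to an http:// or relative location
      'error'               no usable page and no redirect
    """
    lower = {k.lower(): v for k, v in headers.items()}
    if status in REDIRECT_CODES:
        location = lower.get("location", "")
        # A relative Location keeps the current (http) scheme, so only an
        # absolute https:// target counts as a proper upgrade.
        return "redirects-to-https" if location.startswith("https://") else "redirects-to-http"
    if 200 <= status < 300:
        return "serves-plaintext"
    return "error"


def has_hsts(headers: dict) -> bool:
    """True if the HTTPS response pins future visits to TLS via HSTS."""
    lower = {k.lower(): v for k, v in headers.items()}
    return "max-age=" in lower.get("strict-transport-security", "").lower()


def assess(http_result: str, https_ok: bool, hsts: bool) -> str:
    """Combine the findings into the verdict a report would carry."""
    if not https_ok:
        return "VULNERABLE: no working HTTPS endpoint"
    if http_result in ("serves-plaintext", "redirects-to-http"):
        return "VULNERABLE: content served over plain HTTP"
    if http_result == "redirects-to-https" and not hsts:
        return "WEAK: redirects to HTTPS but no HSTS, first request still in the clear"
    if http_result == "redirects-to-https":
        return "OK: redirects to HTTPS with HSTS"
    return "UNKNOWN: HTTP endpoint returned an error"


def fetch(url: str, timeout: float = 10.0):
    """Fetch url without following redirects; returns (status, headers) or None."""

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, hdrs, newurl):
            return None  # make urllib raise HTTPError for 3xx instead of following

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.getcode(), dict(resp.headers)
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers)   # 3xx/4xx/5xx land here
    except (urllib.error.URLError, OSError):
        return None                      # no TLS, refused, DNS failure, timeout


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    http_reply = fetch(f"http://{host}/")
    https_reply = fetch(f"https://{host}/")
    http_result = classify_http_response(*http_reply) if http_reply else "error"
    hsts = bool(https_reply and has_hsts(https_reply[1]))
    print(f"{host}: {assess(http_result, https_reply is not None, hsts)}")
```

Run it as `python check_https.py site.com` against a target you are authorised to test. The verdict separates "HTTPS exists" from "HTTP is never used", which is the distinction the report's impact statement actually depends on.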

That's it for this article. I will upload more articles on web2 bugs, covering everything from P4 to P1, in the near future, so stay tuned :)

Follow me on: LinkedIn, Twitter/X, GitHub and Medium.
