Response based tampering misconfiguration leads to E-mail verification bypass.

3 years ago 190
BOOK THIS SPACE FOR AD
ARTICLE AD

Atharv shejwal

Hello hunters, I am Atharv from India . I am in bug bounty field from last 2 years because of my brother Aditya Shende . I found many vulnerabilities so that I decided to do article on one of my finding. This is my 1st article so if there is any mistake , leave on it focus on test cases. Without wasting any time we will start on article.

As Aditya told me from beginning to check website as normal user, observing all requests and responses in burp , That's how I found a vulnerability . The website have functions to create account , login , add number, Google SSO etc. Capturing request in burp and analysis on that is my favourite thing while hunting so started to dig in more. While doing register process I found they are using graphql queries so that I thought to take a look on RESPONSE. Here is an image of request to understand clearly.

Request

This POST based request shows params with value which we filled in register process.

I did following test cases to abuse functions

Check parameters with keywords like verified, true, success, falseUsing JWT token of other user to see weird responseRemove sensitive parameters like token , email encoded value and Id’s

I tried everything on POST request but no luck so lets jump on RESPONSE. Right click > Do intercept > Response to this request > Intercept off. When I saw response I was like …

The response showing the thing what I want and here it is

There was false in response but I made it true

In the response there is “emailVerified” parameter was containing “false” value but you can see in image I made it “true”. Then I made intercept off.

I found that account logged in successfully without any verification and I am able to do setup remaining account details.

Steps:

1. Go to the sign up page https://wallet.target.com/
2. Fill the sign up form and intercept the request in the Burpsuite
3. Then right click > Do intercept > response to the request > intercept off
4. Here in the response you can see the “emailVerified” parameter contains “false” value
5. Just change “false” value to “true” and forward the request
6. Here you directly login into the account

Reported this bug to program and received good bounty.

All I want to thanks to Aditya Shende for pushing me harder in this field.

Jai hind

Read Entire Article