Story of 15 Vulnerabilities in One Public BBP!


Welcome, it’s Ahmex000 again. Today I will share with you my 15 bugs in my favorite functionality and my favorite types of vulnerabilities.

In the name of God, and prayers and peace be upon the Messenger of God. Praise be to God who taught by the pen, taught man what he did not know, and prayers and peace be upon the best of those who teach people good, Muhammad.

IDOR x4
Race condition x3
Function confusion x1
Authentication bypass x1
Session misconfiguration x1
Server-side misconfiguration x4

First, let’s learn how the site works. This target is for network and device monitoring. You have three roles and a sign (this sign has a story). The roles are:

Org Admin
Account Admin
Regular User
and the (sign), which is not a role

As usual, the org admin has full access, the account admin has some important functions but not all, and the regular user can only view non-sensitive data. After creating an account you get an organization, and you can create groups inside your organization. We will start with the IDORs to learn the sign story, then move on to the other bugs.

First One: Account Admin Can Delete the Org Admin From All Account Groups

After creating an account for the victim (by default you have the org admin role in your own organization), I invited another user into the victim org, gave him the account admin role and access to all groups. From the account admin user I tried to do everything the org admin can do (read, delete, edit, add), but nothing worked in any of the target functions until I started testing the manage users function. With the account admin user I tried to invite a user with the org admin role; that did not work. OK, try deleting the org admin: yes, it works, and I reported it. BUT!

Thank you for your reply request. However this doesn’t reproduce for us.

I strongly believed the triager had made a mistake while executing the exploit, but I did not know exactly what the problem was, until I tried to re-execute the steps and found this:

Same error, I can’t execute it!

I had run the exploit more than once before sending the report, so I was sure of it. I tried it more than 10 or 20 or maybe 40 times. It worked one time and not the next. During the attempts I sometimes recorded the screen to see what was going wrong, and I found this damned sign.

I found that when the account admin has this sign, I can delete the org admin and carry out the attack. After many scenarios to understand why the sign is present at some times and not at others, I found that if the account admin already has an account of his own and is then invited by the victim, the account admin (the attacker) gets this sign. The sign means this user has high permissions, BUT the server side does not differentiate whether those permissions are in this organization or in another organization (remember this sign).

That means if you create the victim account and then invite the attacker with the account admin role, the attacker can’t carry out the attack; but if you create the victim account and separately create the attacker account, and then the victim invites the attacker with the account admin role, the attacker can execute the attack. I resubmitted it with this explanation and it was accepted with medium priority.

The other IDORs are simple and nothing out of the ordinary.

Second One: Organization Admin of One Group Can Access and Delete Another Account’s Groups

As I mentioned, you have an organization and you can create multiple groups. After inviting a user with the org admin role into one group, this user normally cannot access or view the other groups’ data. BUT! I tried to delete other groups and I could, using Burp Repeater. But we need the group id; how can we get it? From the victim account I copied the target group id and searched for it in the attacker’s requests, and I found that all of the organization’s group ids were leaked in the attacker’s responses.
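The two IDORs above come down to the same missing check: the server asked whether the user holds a high role at all, not whether they hold it in the organization (and group) that owns the target. As an added example, not the target’s code, here is what an organization-scoped check looks like in Python; the users, org ids and group ids are constructed.

```python
# Added example, not the target's code: authorization decisions scoped to the
# organization (and group list) that owns the target. All names are constructed.
from dataclasses import dataclass, field

REGULAR, ACCOUNT_ADMIN, ORG_ADMIN = "regular", "account_admin", "org_admin"
RANK = {REGULAR: 0, ACCOUNT_ADMIN: 1, ORG_ADMIN: 2}


@dataclass
class User:
    name: str
    roles: dict = field(default_factory=dict)   # org_id -> role held in that org
    groups: set = field(default_factory=set)    # group ids this user was granted


@dataclass
class Group:
    group_id: int
    org_id: int


def can_remove_member_unsafe(actor: User, target: User, org_id: int) -> bool:
    # Vulnerable: asks "is this user a high role anywhere?" An org-admin
    # membership in the attacker's OWN organization satisfies it (the "sign").
    return any(RANK[r] >= RANK[ACCOUNT_ADMIN] for r in actor.roles.values())


def can_remove_member(actor: User, target: User, org_id: int) -> bool:
    # Fixed: rank only the roles both users hold in the organization where the
    # removal happens, and never let a lower role remove a higher one.
    actor_role = actor.roles.get(org_id)
    target_role = target.roles.get(org_id)
    if actor_role is None or target_role is None:
        return False
    return RANK[actor_role] >= RANK[target_role]


def can_delete_group(actor: User, group: Group) -> bool:
    # Fixed IDOR check: knowing (or leaking) a group id proves nothing; the actor
    # must be org admin in the group's organization AND have been granted the group.
    return actor.roles.get(group.org_id) == ORG_ADMIN and group.group_id in actor.groups


# Constructed scenario from the first two reports: victim owns org 1; attacker
# owns org 2 (org admin there) and was invited into org 1 as account admin.
victim = User("victim", roles={1: ORG_ADMIN}, groups={10, 11})
attacker = User("attacker", roles={2: ORG_ADMIN, 1: ACCOUNT_ADMIN}, groups={10})
```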

Another P3.

Third security vulnerability: privilege escalation lets the attacker take over the invited organization admin account and bypass email verification.

I submitted this report 5 times and it was rejected, until I contacted the company directly and it was accepted.

And two more times with another account.

As mentioned, there are 3 different roles, including org admin and account admin. These roles allow us to change users’ emails, but both the first and the second email must be approved.

Click on the user whose email you need to change, then change it and click Save changes.

When I invite a user to my group, the invitation link arrives for this user. They must open the link and enter some data to accept the invitation.

A UID is created for this user: user@email.com is linked to UID 123456. The security vulnerability occurs when you change the email to another email: the new email is linked to the same old UID. This means that when you change the email address from user@email.com to attacker@email.com, attacker@email.com will be associated with UID 123456.

So I thought of a race condition to bypass the email verification: send an invitation to user@email.com, prepare a request to change the email from user@email.com to another@email.com, and when the invitation for user@email.com is accepted, send the change request at the same moment. Instead of the site checking the first email, which I own, it checks the other email, another@email.com.

1. Change the user’s email (by UID) from user@email.com to another@email.com.
2. Request verification of user@email.com.
3. Send both in parallel.

Now, instead of verifying user@email.com, which is the email I have, I verified another@email.com, which is the one I don’t have. BUT! What is the impact?
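The race works because the verification link is tied to the UID rather than to the address it was sent to. As an added example (not the target’s code), the Python below binds each token to the address it was issued for and replays the exact interleaving from the steps above against both the vulnerable and the fixed check; the UID and addresses are constructed.

```python
# Added example, not the target's code: each verification token is bound to the
# exact address it was issued for, so a concurrent email change cannot "borrow"
# a pending verification. Accounts, addresses and the UID are constructed.
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    uid: int
    email: str
    email_verified: bool = False


class Verifier:
    def __init__(self):
        self.pending = {}   # token -> (uid, address the token was issued for)

    def issue(self, acct: Account) -> str:
        token = secrets.token_urlsafe(16)
        self.pending[token] = (acct.uid, acct.email)
        return token

    def change_email(self, acct: Account, new_email: str) -> None:
        acct.email = new_email          # same UID, new address ...
        acct.email_verified = False     # ... which has not been proven yet

    def verify_unsafe(self, acct: Account, token: str) -> bool:
        # Vulnerable: the token only proves "a link for this UID was clicked",
        # so whatever address is on the account right now becomes verified.
        uid, _ = self.pending.pop(token, (None, None))
        if uid != acct.uid:
            return False
        acct.email_verified = True
        return True

    def verify(self, acct: Account, token: str) -> bool:
        # Fixed: consume the token only if the account still carries the address
        # the token was issued for; after a change the old link is worthless.
        uid, issued_for = self.pending.pop(token, (None, None))
        if uid != acct.uid or issued_for != acct.email:
            return False
        acct.email_verified = True
        return True


def race(verify_fn):
    # The interleaving from the report: invite user@, change the address to
    # another@ before the link is consumed, then consume the link.
    v = Verifier()
    acct = Account(uid=123456, email="user@example.com")
    token = v.issue(acct)
    v.change_email(acct, "another@example.com")
    return verify_fn(v, acct, token), acct.email, acct.email_verified
```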

It bypasses email verification, but with little harm, and may not be accepted, because the user you create will only have the permissions you give him; in addition, he will be affiliated with your account and will not gain anything beyond what you already had from the beginning.

So I thought: the one doing the attack is an attacker inside the victim’s organization, and the attacker has account admin privileges (he can change users’ emails). The attack will be as follows:

In short, we execute the attack but with an email that the victim trusts and has given a large role (larger than the attacker’s), so the victim thinks that the person controlling the account is the one he trusts, while the one actually controlling the account is the attacker.

I created accounts with addresses like admin@target.com and admin@bugcrowd.com, and the report was not accepted until I sent it directly to the program via Gmail.

What do you think? It’s P3 also.

All the previous reports were the good part of the story, now here is the very bad part.

Fourth report: Privilege Escalation Lets a Low Role (Viewer/Editor) Grant Himself Management Permissions and Assign Management Permissions, Escalating to the Organization Admin Role

The org admin can create new roles with the permissions he chooses. There was a permission called Create new roles, which lets the user create new roles, but only with normal permissions, not important ones. There is also an Assign management permission, which allows the user to create roles with any permission.

The attack was simple and as follows:

1. Create two accounts.
2. From the victim account, open the roles section.
3. Create a new role with the Create new roles permission.
4. Give this role to the attacker.
5. The attacker can easily assign any permission to himself, leading to full access to the organization.

Duplicated.

Fifth report: Account admin in all groups still has access to all groups after being restricted to one group.

It’s very simple: the session is not invalidated after changing the user’s permissions. Give the victim access to all groups, then change this user’s permissions to one group; the user still has access to all groups.

Another duplicate.

Sixth Report: SSO misconfiguration leads to login bypass and account takeover

This vulnerability can apply to a wide range of applications, as it is simple and relies on a third party, so programmers may not take it into account.

You can configure SSO in your organization. The problem is that the site does not verify whether the account trying to log in has been verified in the IdP or not. Okta allows you to create accounts without verifying them, so the attack is as follows:

1. Create an account at target.com.
2. Open the SSO section.
3. Enable SSO.
4. Add your Okta metadata URL.
5. Open a new tab.
6. Try to log in via SSO.
7. Add the victim’s email.
8. You will be redirected to the Okta login page.
9. Click on Sign up.
10. Try signing up with the victim’s email and any password, then click Continue.
11. You will be automatically logged in to the victim’s account.

don’t cry (i did it)
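The login bypass works because the site trusts any IdP assertion that carries a known email. The added Python example below, not the target’s code, shows the checks a service provider should apply before accepting an assertion: the IdP must be the one registered for the account’s own organization, the IdP must assert that the mailbox is verified, and an organization may only assert addresses in domains it has proven it owns. Claim names follow OIDC conventions; the organizations, accounts and assertions are constructed.

```python
# Added example, not the target's code: deciding whether an IdP assertion may log
# a user in. Claim names follow OIDC conventions (iss, email, email_verified);
# the organizations, accounts and assertions below are constructed.
from dataclasses import dataclass, field


@dataclass
class OrgSSO:
    issuer: str            # IdP registered for this org (from its metadata URL)
    verified_domains: set  # email domains the org has proven it owns


@dataclass
class Directory:
    accounts: dict = field(default_factory=dict)  # email -> (uid, org_id)
    sso: dict = field(default_factory=dict)       # org_id -> OrgSSO


def sso_login_unsafe(d: Directory, claims: dict):
    # Vulnerable: any IdP that asserts an email logs in the local account with
    # that email. With a self-signup IdP, registering the victim's address is enough.
    acct = d.accounts.get(claims.get("email"))
    return acct[0] if acct else None


def sso_login(d: Directory, claims: dict):
    acct = d.accounts.get(claims.get("email"))
    if not acct:
        return None
    uid, org_id = acct
    cfg = d.sso.get(org_id)          # SSO config of the ACCOUNT's org, not the caller's
    if cfg is None or claims.get("iss") != cfg.issuer:
        return None                  # org never enabled SSO, or assertion is from another IdP
    if claims.get("email_verified") is not True:
        return None                  # IdP has not proven control of the mailbox
    domain = claims["email"].rsplit("@", 1)[-1].lower()
    if domain not in cfg.verified_domains:
        return None                  # an org may only assert addresses it owns
    return uid


def build_directory() -> Directory:
    d = Directory()
    d.accounts["victim@victim-corp.example"] = (1001, 1)     # org 1 never enabled SSO
    d.accounts["attacker@attacker.example"] = (2002, 2)
    d.sso[2] = OrgSSO("https://idp.attacker.example", {"attacker.example"})
    return d


# Constructed assertions: the attacker's IdP asserting the victim's address after a
# self-signup there, and the same IdP asserting the attacker's own verified address.
FORGED = {"iss": "https://idp.attacker.example", "email": "victim@victim-corp.example", "email_verified": False}
LEGIT = {"iss": "https://idp.attacker.example", "email": "attacker@attacker.example", "email_verified": True}
```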

Seventh Report: Regular user can permanently prevent the owner and other users from logging into the account

It’s function confusion in the SSO metadata URL, leading to the victim account being wiped out in a way support can’t fully restore.

When I tried https://burp-collab the response was 500; trying https:////burp-collap the response was 200. In the SSO function I tried SSRF in a lot of ways, but I got bored, so I quickly hit the keyboard angrily

like that

Then I found that all responses were 500, the account would not open, and I could not access any information in my account or even modify it. After a lot of trying to figure out what happened, I found the following: when you send a metadata URL and then submit another link, the site doesn’t get rid of the old link but keeps sending requests to it as well, so sending 10 or 15 corrupt links leads to the function not being able to determine which link to send requests to.

I created a new role, gave this role SSO access, and then gave the role to the attacker. The attacker sent 31 requests using Intruder, and now the victim can’t log in, support can’t help him, all his data is completely lost, and no user in his organization can log in to their accounts associated with this organization.

when users try login
The customer thinks sending 31 requests counts as DoS, and I also did it using only 2 requests, but Bugcrowd treats the customer like a god; they never discuss it.
SH*T

Report closed as a duplicate of the SSRF, P5.

Eighth report: Privilege Escalation: Low Role (Viewer & Editor) Invites Users with the Organization Admin Role, Gaining Access to All Org Data and Privileges

This has the same impact as report number four but with another scenario. Let’s create a new role that can create new roles and view roles, but without the Assign management permission, and give this role to the attacker.

Now the attacker can’t give himself the org admin role and can’t create new roles with high powers in the organization. The first thing I tried was to create a role, give it to a user, and then delete the role to see what would happen, but it did not work :( BUT! I don’t know why, I tried again and it actually worked. But why, and what happened?

After many attempts to find out what happened and why it worked, I found that the user must originally have an account of his own, and that this user must have access to all groups in the organization.

So I sorted out the steps and actually executed the attack, and I found that when the user is left without a role, the attacker can give him the highest role in the organization and take it over completely.

Now the account has no role or access permission, and I was able to grant it org admin permissions.

But the damn customer said that this is actually what a user who can create roles is allowed to do. I told them this is not true and asked them to check, but Bugcrowd is Bugcrowd.

My response
Bugcrowd response ??
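Reports four and eight share one root cause: the role-management checks look at what the target currently has instead of what the actor is allowed to give. The added Python example below, not the target’s code, applies the rule that a grant is permitted only if the grantor holds every permission being granted, whatever the target’s current role; the role and user names are constructed.

```python
# Added example, not the target's code: a grant is valid only if the grantor
# currently holds every permission being handed out; the target's current role
# (including "no role at all") never relaxes that rule. Names are constructed.
ORG_ADMIN_PERMS = frozenset({"view_roles", "create_roles", "assign_management", "manage_users"})


class Org:
    def __init__(self):
        self.roles = {"org_admin": set(ORG_ADMIN_PERMS)}   # role name -> permissions
        self.user_role = {}                                 # user -> role name or None

    def perms_of(self, user):
        role = self.user_role.get(user)
        return self.roles.get(role, set()) if role else set()

    def create_role_unsafe(self, actor, name, perms):
        # Vulnerable (report 4): "create_roles" alone lets the actor mint a role with ANY permission.
        if "create_roles" not in self.perms_of(actor):
            return False
        self.roles[name] = set(perms)
        return True

    def create_role(self, actor, name, perms):
        # Fixed: a new role may carry only permissions the creator already holds.
        mine = self.perms_of(actor)
        if "create_roles" not in mine or not set(perms) <= mine:
            return False
        self.roles[name] = set(perms)
        return True

    def assign_role_unsafe(self, actor, target, role):
        # Vulnerable (report 8): keyed on the TARGET's current role, so a role-less user can be handed org_admin.
        if self.user_role.get(target) and "assign_management" not in self.perms_of(actor):
            return False
        self.user_role[target] = role
        return True

    def assign_role(self, actor, target, role):
        # Fixed: compare the role being granted against the ACTOR's own permissions.
        if role not in self.roles or not self.roles[role] <= self.perms_of(actor):
            return False
        self.user_role[target] = role
        return True


def scenario() -> Org:
    # Constructed: victim is org admin; attacker holds an editor role that may view and
    # create roles; "helper" is the attacker's second account whose role was deleted.
    org = Org()
    org.roles["editor"] = {"view_roles", "create_roles"}
    org.user_role.update(victim="org_admin", attacker="editor", helper=None)
    return org
```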

Ninth Report: Quota Bypass in Target.com Free Plan via Race Condition

When you create an account, the target gives you 3000 units to use for monitoring your network; you can split them across all your groups.

I have three groups and 3K units.

1. Select how many units I need for every group.
2. For group one, set 100% of the plan, meaning no units are left for the other groups.
3. Intercept the request and send it to Repeater.
4. Repeat the same steps for the other groups.
5. Now in my Repeater I have 3 requests; every request sets a group’s units to 3K.
6. Send all of them in parallel.
7. Now every group has 3K units and I have a pro plan.
it’s SH*T

The tenth and eleventh reports: Remote Code Execution (RCE) Vulnerability via Malicious SSO Login URL Configuration

Remember the SSO above: I could specify the login URL and logout URL. I tried to point these at a malicious file, so that when users try to log in, the file would be automatically downloaded to their devices.

But the triager told me this was not enough of a PoC: how would I get the malicious file to run on the victim’s device? After searching a lot for ways to open the file automatically, I did not find a direct way, but I thought of something more natural to me.

The site usually asks you to download and install files to check certain things, so I created a server containing a malicious file and put it in the login URL. When the user tries to log in, the file is downloaded automatically, and the user finds that he cannot log in except by opening the file, which is how the site always works.

anti virus < ok

I found the strangest response I could have expected.

Latest report: IDOR leads to deletion of organization admin private dashboards

It’s a very simple IDOR that doesn’t need any writeup. Duplicated also? Yep.

Another one: it’s also a quota limit bypass, but in another way.

When you create an account, as I explained before, you have 3K units to use. You can create tests, and each test consumes units according to its usage. When you specify, for example, 500 units for a specific group, then when you try to create a test in this group, you cannot exceed this limit.

Determine the number of units allocated to this group.

Now when trying to create a test in this group, the consumption of this test should not exceed 300 units. OK, we can bypass it with a race condition by creating a large number of tests: the maximum for this group is now 300, and I created 20 tests each consuming 300. But here the damage is small.

I set the consumption to 300 and exceeded this limit, reaching 2200, but does this affect the total number of units for the organization?

I should now only have 800 units to use on the rest of the groups, and the current value set for this group should be 2200 units, not 300. But when I sent the same request again to specify 300 units for this group, the request was accepted! This means the site does not check the actual number consumed by this group, but only the value I gave it from the beginning.

300 units to the same group; I must not be able to assign 300 units to it.

Now I tried to modify the request to send 2700 units to other groups, and I found that I could do that; the process was successful.

Now that I have set the number of units for this group, I have to wait 8 days to check the actual usage, because it increases day by day.
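Both quota bypasses (the ninth report and this last one) come from the same read-check-write gap: the limit is checked against a total that another in-flight request is about to change, and later checks trust the number sent earlier rather than the stored state. The added Python example below, not the target’s code, contrasts a two-step handler with an atomic allocation whose remaining budget is recomputed from the stored allocations; the plan size and group names are constructed.

```python
# Added example, not the target's code: assigning plan units to groups. The unsafe
# path checks and writes in two separate steps, so parallel requests all pass the
# check against the same stale total; the fixed path reserves in one critical
# section and computes "remaining" from stored allocations, not client input.
import threading

PLAN_UNITS = 3000


class Quota:
    def __init__(self, plan: int = PLAN_UNITS):
        self.plan = plan
        self.allocated = {}            # group -> units currently assigned
        self.lock = threading.Lock()

    def remaining(self) -> int:
        return self.plan - sum(self.allocated.values())

    def check_unsafe(self, group: str, units: int) -> bool:   # vulnerable step 1
        return units - self.allocated.get(group, 0) <= self.remaining()

    def write_unsafe(self, group: str, units: int) -> None:   # vulnerable step 2
        self.allocated[group] = units

    def allocate(self, group: str, units: int) -> bool:       # fixed: atomic
        with self.lock:
            if units < 0 or units - self.allocated.get(group, 0) > self.remaining():
                return False
            self.allocated[group] = units
            return True


def parallel_unsafe(requests):
    # Models "send every Repeater tab at once": every request passes the check
    # before any of them writes, so each group ends up holding the whole plan.
    q = Quota()
    passed = [r for r in requests if q.check_unsafe(*r)]
    for group, units in passed:
        q.write_unsafe(group, units)
    return q.allocated


def parallel_fixed(requests):
    q = Quota()
    threads = [threading.Thread(target=q.allocate, args=r) for r in requests]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return q.allocated


REQUESTS = [("g1", 3000), ("g2", 3000), ("g3", 3000)]   # constructed: 100% of the plan, three times
```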

Bad quality, great work.
After 30 comments with triagers.

OK, another P3 :)

I hope you benefit from a new way of thinking.

You should wait for the report I put the most effort into, which is the 1st this year.

Olive :

Success comes from God (this is the most important thing) and then putting in the necessary effort.
Try some ideas that might seem stupid.
Don’t work under pressure (money, success, fame, a strong profile). Pressure makes you lose many good ideas.
I think I failed to clarify some points. If you need clarification on anything, you can ask me.
Send blessings upon the Prophet and pray for your brother, then.

facebook: Ahmex000
X : Ahmex000
