Testing Cookies worth $500

Hello everybody, I am Sankalpa Acharya from Nepal. A few weeks ago I had found IDOR vulnerability on cookies, which worth $500 to me. SO let’s start my journey of the first bounty.

Impact of Vulnerability: Account Takeover

Before straight jumping to the report, I have a tip for those who are struggling to get their first bounty. If you are finding bugs on target available in Hackerone and Bugcrowd leave it and change your target, use google dorks(inurl : / responsible-disclosure/ bounty) to find some bug bounty programs because there is less competition and you as a beginner want that.

Let’s Begin,

I have a bad habit of changing targets continuously after testing some vulnerability without even proper recon. I was searching reports about SSO login vulnerability after reading some reports I found a website below my search list ‘sso.example.io’(can’t disclose the website name) this time I had a strong gut feeling that I might get vulnerability in this target.

I created two accounts there, at first I tested CSRF vulnerability but no luck :(

Then I went to test password reset functionality hopping any OTP code or token might get leaked in Referer header or in Response again no luck :(

Again:

After little sadness on face, I thought to observe the Login flow of the website. With the hope of getting JWT misconfiguration if a website uses a JWT token to identify the user.
kept my Id password intercepted the request and clicked the ‘Login’ button nothing much in the request. Intercepted the response, there was no any JWT token or any other code in the response body :(

What thing is identifying the user to browser. Cookies Right? so started testing the cookies.

So I replaced every cookie header one by one from my another account. There was Set Cookies:example_token=token which is identifying the user. Thought to go more deeper in this header there were some random token separated like this → 1|random_string_and_integer |4 digit code | 4 digit code |random_string_and_integer | here one thing that caught my eye was that 4 digit code because it was repeated in header and there was only one letter different from my second account.

As you can see in token header 4 digits code(47402) is being repeated and my second account code was 47403. So I replaced that 4 digit code with my second account then Boooooooom !!!!!!! My second account was logged in and then again to be sure I replaced that code 47402 to 47401 .Then I was logged in to account of another user from china. Yessssssssssss I did it !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!. Then I reported the vulnerability.

After few days I got response to my report

Hope You Enjoyed it,