Unauthenticated AD password reset bug = Informational?? SINCE WHEN.

3 years ago

Ignatius Michael

Hello all, I’d like to talk about an unauthenticated password reset and Denial of Service finding I found on a bounty program which apparently, according to the vendor “does not have security implications — thus closed and marked as informational”.

Timeline

May 7, 2021 — bug submitted

May 8, 2021 — Medium write-up completed

May 10, 2021 — Later I found out that they mitigated the issue without giving out rewards — disputed

Enumeration process

Like most methodologies, mine starts with enumeration: understanding the company, the industry they are in, looking for publicly available subdomains, and so on (a tool such as Sublist3r can help with this). After about an hour or so, I was able to find a subdomain which happens to be their staging environment.

Before anything else, by only looking at the current page, I tried several things which yielded no results:

- Enumerating directories
- Looking for hard-coded credentials
- Using a production test account to log in

Password reset

Navigating to the “reset password” function however, seemed very interesting. The company’s production “reset password” page looks like this:

While the reset password on the staging environment looked like this:

With some OSINT through LinkedIn, I was able to find several people who work at this company. Based on my experience, most organizations create usernames as first-name initial + last name, which really worked in this case! The following page is what happens after you enter the right AD username.
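The username-guessing step above is mechanical enough to script. The following is an added example, not code from the original post: it turns a list of names gathered from OSINT into candidate AD usernames, covering the "first initial + last name" convention the author relied on as well as other common corporate formats, normalises accents, hyphens and apostrophes, and drops middle names. The format names and the sample names are assumptions made here for illustration.

```python
import unicodedata
from typing import Iterable, List

# Username conventions commonly seen in corporate AD environments (assumed list).
# "flast" is the "first initial + last name" format described in the post.
FORMATS = ("flast", "first.last", "firstlast", "first_last", "lastf", "first", "f.last")


def _ascii(token: str) -> str:
    """Lower-case a name token and keep only ASCII letters.

    Accents are decomposed and dropped, and punctuation such as apostrophes or
    hyphens is removed, so "O'Brien-Smith" becomes "obriensmith" and "Zoë" becomes "zoe".
    """
    decomposed = unicodedata.normalize("NFKD", token)
    return "".join(
        c for c in decomposed
        if c.isalpha() and not unicodedata.combining(c) and ord(c) < 128
    ).lower()


def candidates(full_name: str, formats: Iterable[str] = FORMATS) -> List[str]:
    """Return candidate usernames for one person, in the order of `formats`, without duplicates."""
    parts = [p for p in (_ascii(t) for t in full_name.split()) if p]
    if len(parts) < 2:
        return parts  # a single token cannot be combined; use it as-is
    first, last = parts[0], parts[-1]  # middle names and initials are ignored
    f = first[0]
    table = {
        "flast": f + last,
        "first.last": f"{first}.{last}",
        "firstlast": first + last,
        "first_last": f"{first}_{last}",
        "lastf": last + f,
        "first": first,
        "f.last": f"{f}.{last}",
    }
    out: List[str] = []
    for fmt in formats:
        name = table[fmt]
        if name not in out:
            out.append(name)
    return out


def wordlist(names: Iterable[str], formats: Iterable[str] = FORMATS) -> List[str]:
    """Build a de-duplicated wordlist for many people (e.g. names scraped from LinkedIn)."""
    seen = set()
    out: List[str] = []
    for name in names:
        for user in candidates(name, formats):
            if user not in seen:
                seen.add(user)
                out.append(user)
    return out


if __name__ == "__main__":
    # Constructed sample input standing in for names found through OSINT.
    sample = ["John Doe", "Jane Doe", "Zoë O'Brien-Smith", "Juan Q. Pérez"]
    for u in wordlist(sample):
        print(u)
```

One practical note from the post itself: a reset or login flow that accepts a username is also a lockout oracle, so feed such a wordlist to it slowly and with a per-account attempt cap well below the domain's lockout threshold, or you will cause the same denial of service the author stumbled into.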

See, no other mechanisms are in place to reset this person’s password. All you need is some OSINT = Domain access. I did not go further than this because:

- I was tampering with how this workflow works and accidentally got the account locked out (oops). This is a DoS vulnerability!
- I didn't feel like spending a few more hours finding information about the person, because I'm not sure what's going to happen if I do bypass this (maybe alerts will be generated and I get in trouble, because this is almost borderline out of scope).
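To make concrete why "username only" is a security finding and not informational, here is an added example (not code from the post or the vendor) contrasting a reset handler shaped like the staging page, where knowing the username is enough to set a new password, with a hardened version. The hardened flow gives the same generic response whether or not the user exists (no username enumeration), delivers a random single-use, time-limited code out of band, compares it in constant time, and burns the reset ticket after a few bad guesses instead of locking the directory account, which removes the lockout DoS the author hit while tampering. The in-memory directory, the phone number and the outbox list are constructed stand-ins.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def _hash_pw(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2 hash, stored as 'salthex$digesthex' (illustrative; AD uses its own storage)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"{salt.hex()}${digest.hex()}"


def _verify_pw(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    return hmac.compare_digest(_hash_pw(password, bytes.fromhex(salt_hex)), stored)


# Constructed stand-in for the directory: one account with a registered phone number.
DIRECTORY: Dict[str, dict] = {
    "jdoe": {"password_hash": _hash_pw("OldPass1!"), "phone": "+1-555-0100"},
}


# --- Vulnerable shape: what the staging page amounted to ---------------------------
def vulnerable_reset(username: str, new_password: str) -> str:
    if username not in DIRECTORY:
        return "unknown user"  # leaks whether the username exists
    DIRECTORY[username]["password_hash"] = _hash_pw(new_password)
    return "password changed"  # no proof that the requester controls the account


# --- Hardened shape ----------------------------------------------------------------
TOKEN_TTL_SECONDS = 15 * 60
MAX_BAD_ATTEMPTS = 3
GENERIC_RESPONSE = "If the account exists, a reset code was sent to the registered contact."


@dataclass
class ResetTicket:
    token_hash: str      # only the hash of the code is kept server-side
    expires_at: float
    bad_attempts: int = 0
    used: bool = False


TICKETS: Dict[str, ResetTicket] = {}
OUTBOX: List[Tuple[str, str]] = []  # (destination, code); stands in for SMS/e-mail delivery


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(username: str, now: Optional[float] = None) -> str:
    """Step 1: always answer identically; issue a code out of band only for real accounts."""
    now = time.time() if now is None else now
    if username in DIRECTORY:
        token = secrets.token_urlsafe(32)
        TICKETS[username] = ResetTicket(_token_hash(token), now + TOKEN_TTL_SECONDS)
        OUTBOX.append((DIRECTORY[username]["phone"], token))
    return GENERIC_RESPONSE


def complete_reset(username: str, token: str, new_password: str,
                   now: Optional[float] = None) -> bool:
    """Step 2: the code proves possession of the registered contact; tickets are single-use."""
    now = time.time() if now is None else now
    ticket = TICKETS.get(username)
    if ticket is None or ticket.used or now > ticket.expires_at:
        return False
    if not hmac.compare_digest(ticket.token_hash, _token_hash(token)):
        ticket.bad_attempts += 1
        if ticket.bad_attempts >= MAX_BAD_ATTEMPTS:
            ticket.used = True  # burn the ticket; the directory account itself is never locked
        return False
    ticket.used = True
    DIRECTORY[username]["password_hash"] = _hash_pw(new_password)
    return True


if __name__ == "__main__":
    print(vulnerable_reset("jdoe", "Pwned1!"))          # anyone who knows the username wins
    print(request_reset("jdoe"), request_reset("nobody"))  # identical responses
    code = OUTBOX[-1][1]
    print(complete_reset("jdoe", "000000", "x"), complete_reset("jdoe", code, "NewPass2!"))
```

The point the vendor missed is the second factor of proof: a reset is an authentication event, so it must require something only the account owner has (the out-of-band code, a registered device, or a helpdesk identity check), and its failure mode must not let an unauthenticated caller lock real users out.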
