Hi There! I’m Hassaan Muhammed, a PT @BugSwagger LLC.
Welcome, fellow psycho security enthusiasts, to a riveting journey through the treacherous terrain of web vulnerabilities. Today’s tale is a spine-tingling saga of wits, whimsy, and a dash of audacity as we uncover the secrets of a 0-click account takeover via the innocuous “Change Email” function. So strap in, hold onto your hats, and let’s dive headfirst into the abyss of digital mischief.
NOTE: I’m not writing this for beginners, so I won’t explain what Burp is or how Intruder works; I’ll just hit the details directly.
A little Description:
The flaw resides in the authentication mechanism of the “Change Email” feature. Upon initiating an email change request, the application requires three parameters: User ID, current email, and new email. Notably, the “_csrfToken” in the request is totally useless. Let’s start our process to get the required parameters:
- User ID (5 numbers)
- Victim email
- Attacker email
But fear not, dear reader, your hero will spot a chink in the armor.
Exploitation Process:
Despite the absence of an exposed endpoint revealing User IDs or emails, an exhaustive brute-force approach from 00000 to 99999 successfully dumps all User IDs together with the email associated with each ID.
Getting The Users Data:
Upon initiating the “Change Email” function, intercept the request to capture the essential parameters. Using a tool such as Intruder, iterate through the possible User IDs to pinpoint the victim’s account.
POST /users/change-email HTTP/1.1
Host: app.example.com
Cookie: */*
Origin: https://app.example.com
Content-Type: application/x-www-form-urlencoded
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
Referer: https://app.example.com/users
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=0, i
Connection: close

_method=PUT&_csrfToken=your-token&id=00000&current_email=example@gmail.com&new_email=attacker@gmail.com&email_again=attacker@gmail.com
TakeOVER:
Now we have all the users’ data, but how can I take over any account?
Using the same request we used to enumerate the IDs and emails, I was able to trigger a confirmation number being sent to the victim’s email in order to change it to the attacker’s email. The confirmation number is 6 digits and, as before, there is no limit on confirmation requests to the site, so brute-forcing the confirmation number that validates the request was easy.
To simplify what just happened:
1 — Intercept the request to change the email.
2 — Send it to Intruder and brute-force the User ID.
3 — Notice the user IDs and emails leaked on Render.
4 — Use the same request to change the victim’s email; the server will send a 6-digit confirmation code to the victim’s email.
5 — Send the request that validates the confirmation code to Intruder and brute-force the 6-digit number.
6 — Account Take-Over.
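Steps 2 and 5 both leave the same footprint on the server side: one session submitting many distinct IDs, or many failed confirmation attempts, against the change-email flow. The detector below is an added example (not the author’s or the target’s code) that runs over constructed log lines; the log layout, the confirmation endpoint path /users/change-email/confirm and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Assumed log layout: "<time> <session> POST <path> <status> <form-params>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<session>\S+) POST (?P<path>\S+) (?P<status>\d{3}) (?P<params>\S+)$")

# Constructed sample: sessA sweeps sequential ids, sessB hammers the (assumed)
# confirmation endpoint with sequential 6-digit codes, sessC is a normal user.
SAMPLE_LOG = """\
10:00:01 sessA POST /users/change-email 200 id=00000
10:00:01 sessA POST /users/change-email 200 id=00001
10:00:02 sessA POST /users/change-email 200 id=00002
10:00:02 sessA POST /users/change-email 200 id=00003
10:00:03 sessA POST /users/change-email 200 id=00004
10:00:09 sessB POST /users/change-email/confirm 400 id=12345&code=000000
10:00:09 sessB POST /users/change-email/confirm 400 id=12345&code=000001
10:00:10 sessB POST /users/change-email/confirm 400 id=12345&code=000002
10:00:10 sessB POST /users/change-email/confirm 400 id=12345&code=000003
10:00:11 sessC POST /users/change-email 200 id=45678
10:00:40 sessC POST /users/change-email/confirm 200 id=45678&code=482913
"""

ID_LIMIT = 3    # distinct ids per session before it looks like enumeration (assumed)
CODE_LIMIT = 3  # failed confirmations per session before it looks like brute force (assumed)

def detect(log_text, id_limit=ID_LIMIT, code_limit=CODE_LIMIT):
    """Return {session: set of alert names} for the two abuse patterns."""
    ids_seen = defaultdict(set)       # session -> distinct id values submitted
    failed_codes = defaultdict(int)   # session -> non-200 confirmation attempts
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        params = dict(p.split("=", 1) for p in m["params"].split("&"))
        if m["path"] == "/users/change-email" and "id" in params:
            ids_seen[m["session"]].add(params["id"])
        elif m["path"] == "/users/change-email/confirm" and m["status"] != "200":
            failed_codes[m["session"]] += 1
    alerts = defaultdict(set)
    for session, ids in ids_seen.items():
        if len(ids) > id_limit:
            alerts[session].add("id_enumeration")
    for session, count in failed_codes.items():
        if count > code_limit:
            alerts[session].add("code_bruteforce")
    return dict(alerts)
```

The detector only surfaces the behaviour; the actual fix is to bind the `id` parameter to the authenticated session and to cap the number of verification attempts per confirmation code.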
Until next time, keep your wits sharp, your code cleaner than a freshly scrubbed whistle, and may your adventures in psychosecurity be as thrilling as they are enlightening. Farewell, fellow adventurers, until we meet again in the ever-expanding realm of digital possibility!
This finding was made during an engagement with a client as part of my work with BugSwagger LLC.