My name is Zahir, a bug bounty hunter from Sudan.
I will share a critical bug that I found in the Upchieve program on HackerOne (h1).
I like to test reset-password functionality, so I created a temporary mailbox with Mohmal and signed up on Upchieve with it.
In the reset-password request there was a POST JSON parameter, email:
"email": "me@mail.com"
and the response was:
"msg": "password reset email sent"
I tried turning the email parameter into an array of two addresses, to see whether the functionality could be manipulated into sending the reset link to both email1 and email2:
{
"email": ["victimMail", "attackerMail"]
}
Nice, the msg was still "password reset email sent".
I checked my second mailbox (the one I had not signed up with on Upchieve) and found a password-reset mail from Upchieve:
From: upchieve
To: my victim email, and my attacker email
I checked whether the reset link token was the same in both emails, and it was :')
At this point it was already a critical bug, but I wanted to escalate it further.
My Burp scanner had found a disclosed email address belonging to Upchieve.
I can't take that account over, as the program policy forbids it, but I mentioned it in the attack scenario.
Triaged with severity Critical (9.8).
Notice:
An email address is not private information; you can get it from LinkedIn etc., so this is a zero-click ATO.
I will share a tip with every writeup.
Tip: in the reset-password request
1. Use the Content Type Converter Burp extension.
2. Convert the request to JSON; if the application accepts it, try this trick.
3. Convert the request to XML; if the application accepts it, you can try XXE.
Twitter :- @ZahirTariq3