The 3 Day Account Takeover

Hey everyone,

Publishing this write-up after a long time. Today, I’m gonna tell you how I was able to take over any account. So, let’s get started!

Since it was a private program, we will call it “redacted.com”. Only its main domain was in scope, so it was going to be a real challenge to find some interesting bugs. I started with initial recon and hunted for hidden directories and other cool stuff, but didn’t find any. After spending an hour, I found that the web application allows users to register themselves. I went ahead and made an account for a better view of the target.

As I made an account, I decided to hunt for some logical bugs. So, I went on to test the “Reset Password” functionality. I logged out of my account and requested a “Password Reset Link” for it. I received a link to reset my password. The link had two parameters: id and token. The id was numeric with a length of 8, while the token was alphanumeric with a length of 6.

https://redacted.com/password-reset?id=14129302&token=8a5edb

To get a better understanding of the tokens, I made two more accounts on “redacted.com”. I requested password reset links for all three accounts and changed the passwords using them. I repeated this thrice to compare the values of the id and token parameters. So, at that point, I had 12 password reset links, 4 for each of my accounts, and I wrote down all the values of the id and token parameters.

The value of id was an easy catch, as it remained the same for each account. I started to look for the value of id in my account and found it in the source code of my profile page. Now here comes the challenging part: finding out what the value of the token parameter meant. I spent almost 3 hours trying to understand how the token’s value worked. After spending plenty of time on it, I concluded that the value of the token parameter is completely random. So, what to do now? Brute-forcing? That ain’t gonna work, since it was a 6-character alphanumeric token: 26 lowercase letters plus the digits 0–9 gives 36 characters, and 36⁶ = 2176782336 combinations! That’s a big number, so no chance of brute-forcing. I left it there and started to hunt for other bugs. I was like:

After 3 days of continuous hunting, I hadn’t found even a single vulnerability. I really lost hope of getting even a single bug there. The scope was extremely limited as well. I was going through the notes I had made and, as I looked over the token values, they seemed fishy this time. I was literally overjoyed. I decided to give it a last try, as I had found a way, a way to brute-force it. My reaction:

As I said, the token’s value was 6 characters long, but wait a second! The values consisted of only a few specific lowercase letters and digits: a, b, c, d, e, 1, 5, 8 and 0. I don’t know why the values were like that, but yes, it can be brute-forced. Now, I only had to try 9⁶ = 531441 combinations.

I quickly fired up Burp Suite’s Intruder and started brute-forcing the value of the token. No rate limiting either! After an hour, I got the correct value of the token and, as a result, I was able to take over any account. I quickly made a PoC video and sent it to the team. Triaged!
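As an added illustration (not part of the original write-up), here is the check the author did by hand on paper, written as a small Python audit a defender could run over a sample of their own reset tokens: it measures which characters the tokens actually use, compares the resulting keyspace with the one the format suggests, estimates how long an unthrottled brute force would take, and shows how a reset token should be generated instead. The sample tokens and the 150 requests/second figure are constructed assumptions.

```python
import math
import secrets
import string

# Constructed sample of reset tokens shaped like the ones in the write-up:
# 6 characters drawn only from a, b, c, d, e, 1, 5, 8 and 0 (values are made up).
OBSERVED_TOKENS = [
    "8a5edb", "1c0e8a", "5bd1a8", "e08c15", "a1b5d0", "cde810",
    "b58a1c", "0e1d5a", "d8c0b1", "15ea8c", "ac1d58", "e5b80a",
]

# Alphabet the token format appears to use: lowercase letters and digits.
NOMINAL_ALPHABET = string.ascii_lowercase + string.digits

def observed_alphabet(tokens):
    """Distinct characters actually seen across the sampled tokens, sorted."""
    return "".join(sorted(set("".join(tokens))))

def keyspace(alphabet_size, length):
    """Number of distinct tokens a fixed-length alphabet can produce."""
    return alphabet_size ** length

def audit_tokens(tokens, nominal_alphabet=NOMINAL_ALPHABET):
    """Compare the keyspace the format suggests with the one the samples use."""
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("tokens of mixed length; audit each length separately")
    effective = observed_alphabet(tokens)
    return {
        "length": length,
        "nominal_keyspace": keyspace(len(nominal_alphabet), length),
        "effective_alphabet": effective,
        "effective_keyspace": keyspace(len(effective), length),
        # Bits an attacker must actually guess if the generator is this skewed.
        "effective_bits": length * math.log2(len(effective)),
    }

def hours_to_exhaust(size, guesses_per_second):
    """Worst-case time to try every token at a given unthrottled request rate."""
    return size / guesses_per_second / 3600

def generate_reset_token(nbytes=32):
    """How a reset token should be made: 256 bits from the OS CSPRNG, stored
    single-use with a short expiry, and compared with secrets.compare_digest."""
    return secrets.token_urlsafe(nbytes)

if __name__ == "__main__":
    report = audit_tokens(OBSERVED_TOKENS)
    print(report)  # effective keyspace 531441 vs nominal 2176782336
    print("hours at 150 req/s (assumed rate):", hours_to_exhaust(report["effective_keyspace"], 150))
```

The same audit on tokens from `generate_reset_token()` would show an effective alphabet of 64 characters over 43 positions, which is why the length and the source of randomness matter more than rate limiting alone.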

Thanks for reading!

Info-Sec Lover ❣️❣️
