Simple Login Brute Force / Current Password Requirement Bypass

Mandeep Jadon
Sep 7, 2018 · 2 min read
These Bugzzz

Hello guys,

I hope you are doing well.

In this blog post I'll be giving you a scenario that you can add to your bug bounty checklist.

While hunting on a private program I came across many IDORs, XSS and CSRFs, all of which were pretty straightforward. There was, however, one instance that was slightly different, and which I found for the first time.

The application had a username/email update mechanism. To update either of them, the user was required to enter the current password, to prevent unauthorized changes. Following is the POST request:

Request: (Update Username)

POST /my/update/username HTTP/1.1
Host: Redact.com
Connection: close
Content-Length: 110
Accept: application/json, text/javascript, */*; q=0.01
Origin: https://www.redact.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

csrfmiddlewaretoken=5ODzW8EMxFXNqLjRuxKZOabrvnSEQAhZ&old_username=OldUsername&new_username=NewUser&password=Password

A similar request was used for updating the email.

Note that old_username was a hidden parameter, not part of the visible form.

On tampering with the request I found that supplying any valid combination of old_username and password (any valid credentials, e.g. the attacker's own) made it possible to change the username of the logged-in account to any value, without supplying the current password of that account.

Thus this bypasses the current-password requirement. The back end was only checking that the submitted pair was a valid username/password for some account, irrespective of which account was logged in.

In simple words, a person with temporary access to your account (your logged-in session) can update your email and take over your account without knowing your current password.

And what about the login brute force bypass?

Easy. Since only the credential pair is verified at the back end, irrespective of who is logged in, log in to the attacker's own account, pass the victim's username or email in the "old_username" or "old email" field, and brute force the "password" field.

On a successful guess you receive the response that the username/email was updated (it is the attacker's own username/email that changes). That response tells you the request carried the victim's valid credentials, so the endpoint acts as a password oracle that sidesteps the login form entirely.

i.e., you are brute forcing the victim's account from the attacker's account.

A low blow, but an effective bug.
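To make the root cause concrete, here is an added example (my own code, not the original post's or the target application's back end) that models the /my/update/username handler in two forms: the vulnerable version, which only checks that old_username/password is a valid pair somewhere in the user table, and a fixed version, which ignores the hidden field, checks the password against the session owner only, and throttles repeated failures. The user names, passwords, session_user argument and wordlist are all constructed for the demonstration. The two scenario functions cover both findings above: the account takeover from a borrowed session, and the password oracle used to brute force the victim from the attacker's own account.

```python
import hashlib
import hmac
import os
from collections import Counter

# Added example, not code from the original post. The store and handlers
# below are a constructed stand-in for the /my/update/username back end.


class UserStore:
    """Minimal in-memory user table with salted PBKDF2 password hashes."""

    def __init__(self):
        self.users = {}
        self.failed = Counter()  # failed current-password attempts per session owner

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

    def add(self, username, password, email):
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": self._hash(password, salt), "email": email}

    def verify(self, username, password):
        user = self.users.get(username)
        if user is None:
            return False
        return hmac.compare_digest(user["hash"], self._hash(password, user["salt"]))

    def rename(self, old, new):
        self.users[new] = self.users.pop(old)


def seed_store():
    store = UserStore()
    store.add("victim", "hunter2", "victim@example.com")      # constructed account
    store.add("attacker", "letmein", "attacker@example.com")  # constructed account
    return store


# Vulnerable handler: accepts any valid (old_username, password) pair from the
# request body and then renames whichever account the session belongs to.
def update_username_vulnerable(store, session_user, old_username, password, new_username):
    if not store.verify(old_username, password):
        return 400
    store.rename(session_user, new_username)
    return 200


MAX_FAILURES = 5  # assumed throttle; any sane limit works for the demonstration


# Fixed handler: the hidden old_username field is not trusted, the password is
# checked against the session owner only, and repeated failures are throttled.
def update_username_fixed(store, session_user, old_username, password, new_username):
    if store.failed[session_user] >= MAX_FAILURES:
        return 429
    if old_username != session_user or not store.verify(session_user, password):
        store.failed[session_user] += 1
        return 400
    store.failed[session_user] = 0
    store.rename(session_user, new_username)
    return 200


# Scenario 1: the attacker holds the victim's session (shared machine, stolen
# cookie) but not the victim's password, and submits their own credentials.
def takeover_via_session(handler):
    store = seed_store()
    status = handler(store, "victim", "attacker", "letmein", "pwned")
    return status, "pwned" in store.users


WORDLIST = ["password", "123456", "hunter2", "qwerty"]  # constructed guesses


# Scenario 2: the attacker is logged into their own account and uses the
# endpoint as a password oracle for the victim; 200 means the guess was right.
def brute_force_victim(handler):
    store = seed_store()
    for guess in WORDLIST:
        status = handler(store, "attacker", "victim", guess, "probe")
        if status == 200:
            return guess
    return None


if __name__ == "__main__":
    print("vulnerable takeover:", takeover_via_session(update_username_vulnerable))
    print("fixed takeover:     ", takeover_via_session(update_username_fixed))
    print("vulnerable oracle:  ", brute_force_victim(update_username_vulnerable))
    print("fixed oracle:       ", brute_force_victim(update_username_fixed))
```

The point of the fix is that "re-authenticate before a sensitive change" must re-authenticate the principal that owns the session, not merely any principal whose credentials happen to be valid. Binding the check to the session also closes the oracle, since a guess against a different account is rejected before the password is ever compared; the failure counter is defense in depth so that the endpoint cannot be used as a second, unthrottled login form even against the attacker's own account.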

Thanks for reading :)

Have a good day !!!
