Simple Login Brute Force / Current Password Requirement Bypass
Hello guys,
I hope you are doing well.
In this blog post, I'll describe a scenario that you can add to your bug bounty checklist.
While hunting on a private website I came across many IDORs, XSS and CSRFs, which were pretty straightforward. There was, however, one instance that was slightly different and that I found for the first time.
The application had a username/email update mechanism. To update either of them, the user was required to enter the current password, to prevent unauthorized changes. The following is the POST request:
Request: (Update Username)
POST /my/update/username HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
A similar request was used for updating the email.
Note that the old username was sent as a hidden parameter that did not appear in the visible form.
On tampering with the request I found that supplying any valid combination of the "old_username" and "password" parameters (e.g. the attacker's own credentials) allowed the attacker to change the username to any value without entering the current password of the logged-in account.
This bypasses the current password requirement: the back-end was only checking that the submitted credential pair was valid, irrespective of who was logged in.
In simple words, a person with temporary access to your account can update your email and take over your account without knowing your current password.
And what about the login brute force bypass?
Easy. Since only the credential pair is verified at the back-end, irrespective of who is logged in, pass the victim's username or email in the "old_username" or "old email" field and brute force the "password" field.
On a successful guess you receive the response that the username/email was updated (that is, the attacker's own username/email is updated), because that request carried the victim's valid credentials.
In other words, you are brute forcing the victim's account from within the attacker's account.
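To make the root cause concrete, here is an added example (my own illustration in Python, not the site's code) of the vulnerable check next to a hardened one; it covers both the current-password bypass and the password-oracle behaviour described above. The in-memory user store, the sample account names and passwords, and the "new_username" field name are assumptions; only "old_username" and "password" come from the request discussed in the post.

```python
import hashlib
import hmac
import secrets

def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def new_store() -> dict:
    """Constructed in-memory user store: username -> {salt, hash}.
    The account names and passwords are sample values for this example."""
    store = {}
    for name, pw in (("victim", "victim-secret"), ("attacker", "attacker-secret")):
        salt = secrets.token_bytes(16)
        store[name] = {"salt": salt, "hash": _pw_hash(pw, salt)}
    return store

def credentials_valid(store: dict, username: str, password: str) -> bool:
    rec = store.get(username)
    if rec is None:
        return False
    return hmac.compare_digest(_pw_hash(password, rec["salt"]), rec["hash"])

def update_username_vulnerable(store: dict, session_user: str, form: dict) -> bool:
    """The flaw the post describes: the submitted old_username/password pair is
    checked, but never tied to the logged-in session, so the endpoint answers
    'is this password right for that account?' for any account."""
    if not credentials_valid(store, form["old_username"], form["password"]):
        return False
    store[form["new_username"]] = store.pop(session_user)
    return True

def update_username_fixed(store: dict, session_user: str, form: dict) -> bool:
    """Hardened: the password is verified against the session's own account and
    the client-controlled hidden old_username field is ignored entirely."""
    if not credentials_valid(store, session_user, form["password"]):
        return False
    if form["new_username"] in store:
        return False  # refuse to collide with an existing account
    store[form["new_username"]] = store.pop(session_user)
    return True
```

Per-account rate limiting and logging of failed current-password checks on this endpoint remain a second line of defence, since even the fixed handler still reveals whether the session user's own password was correct.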
A low blow, but an effective bug.
Thanks for reading :)
Have a good day!!!