Simple Login Brute Force / Current Password Requirement Bypass

These Bugzzz

Hello guys ,

I hope you are doing well .

In this blog post , I’ll be giving you a scenario that you can add up your bug bounty checklist.

While hunting down a private website I came across many IDORs, XSS and CSRFs which were pretty straight forward . There was however one instance that was slight different that I found for the first time .

The application had a username/ email update mechanism . To update either of the entities, it was required to enter the current password to prevent unauthorized changes . Following is the POST request :

Request: (Update Username)
 
 POST /my/update/username HTTP/1.1
 Host: Redact.com
 Connection: close
 Content-Length: 110
 Accept: application/json, text/javascript, */*; q=0.01
 Origin: https://www.redact.com
 X-Requested-With: XMLHttpRequest
 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
 Content-Type: application/x-www-form-urlencoded; charset=UTF-8
 
 csrfmiddlewaretoken=5ODzW8EMxFXNqLjRuxKZOabrvnSEQAhZ&old_username=OldUsername&new_username=NewUser&password=Password 
 
 A Similar request was for Updating email.

Note that the old username was a hidden parameter that was not in the visible form.

On some tampering I found that giving a valid combination of the parameter “old_username” and “password” (Any valid credentials eg. Attacker’s credentials) It was possible to change the username to any username by the attacker without entering the current password .

Thus this bypasses the current password requirement . The back-end system was only checking for valid credentials , irrespective of who is logged in .

In simple words a person having temporary access to your account can update your email and takeover your account without having knowledge of your current password .

And what about the login brute force bypass ?

Easy , Since only the credential pair are being verified at the back-end, irrespective of who is logged into . Pass the victim username or Email in the “old_username” or “old email” field and brute force the “password” field .

On successful bruteforce , you will receive the response that the username/email is updated (That is the attackers email/username is updated). That request has the valid credentials (of the victim) .

ie, You are brute forcing the victim’s account from the attacker’s account .

A low blow , but effective bug .

Thanks for reading :)

Have a good day !!!