Hello guy’s I am back with another POC again this bug I found in PRIVATE program using on bugcrowd so without wasting the time let get started!
let assume the website private.com I created an account looking for CSRF Account Takeover but the website is secure & there is CSRF token also I try many method to bypass but failed so I started to play with it’s subdomain & I found one of it’s subdomain super.private.com when I try to login I used my main account credential & it worked here so most of developer they secure only main website
I started playing with this website the thing I am afraid of if a change account detail here hope it not redirect me to main site profile page & lucky it not redirect me :D
When I try to change the email & there is also a CSRF token when I saw that I am closing the burp suite but a give a last try & remove the CSRF token and boom it worked! email change Account Takeover
I made report & reported to the team & told them I can takeover main site accounts since the main site is TIER 1 :V & got this replay from the team
Lesson: Never Give UP!