
How I found the most critical bug at a live bug bounty event

Hey Folks! Hope you guys are doing great.

Recently I attended Bounty-Bash, a two-day live bug bounty event held in Kathmandu, Nepal.

I went to the event and met many bug bounty hunters there, most of them well known, so I was not expecting much of myself 😐 but I did not lose hope. Then the event started, and everyone was provided with three web application targets.

The noteworthy thing was that all of them were single-scope targets with no subdomains at all, and all were testing environments rather than the production applications.

So I started hunting for XSS, SQL injection and a few other OWASP Top 10 vulnerabilities, but I did not find anything interesting there. Hence, I decided to test the password reset functionality of the web application, i.e. "Having trouble signing in?". I clicked on it and it redirected me to the Reset Password page.

I entered my username and clicked on proceed.


After proceeding I was presented with a few security questions to answer, and I had no idea of the answers :/ since the event manager had provided us with the username and password, the create-account functionality was disabled.

So I entered something random and captured the request sent on clicking "OK" in my interceptor tool. Now I had to see what response it returned for my request, so I intercepted the response as well, and it showed:

HTTP/1.1 401 Unauthorized

{"message":"unsuccessful","statusCode":403,"errorDescription":"Unsuccessful"}

I played with the response and manipulated it to:

HTTP/1.1 200 OK

{"message":"success","statusCode":200,"errorDescription":"Success"}

For better clarification, you can see the screenshot given below:

[Screenshot: the manipulated response, successfully forwarded :)]

Now I went back to my browser and saw that I had successfully bypassed it.

[Screenshot: security questions bypassed; the application now asks for the password delivery type.]

I selected the SMS and Email delivery option and again intercepted the request on clicking Proceed.

And I saw the request, yeahhh!! Surprisingly the request already carried the new password and confirm password fields, so I entered "hacker" in both of them.

[Screenshot: "hacker" entered in the new password and confirm password fields of the intercepted request.]

As usual, I forwarded the request and went back to the browser.

[Screenshot: "Password has been changed successfully."]

Yeahh!! :D Finally the password had been changed :)

So this vulnerability leads to a full account takeover of any user without knowing their security answers. The root cause is that the security-question step is enforced only in the browser: the client advances to the password-change screen based on the server's reply, and the final change-password request carries nothing that proves the answers were ever verified server-side, so a tampered reply is all it takes to reach it.
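To make the weakness concrete, here is an added example (written for this write-up, not code from the event target or the author) that models the reset flow twice: a vulnerable service that, like the one described above, trusts the client to enforce step ordering, and a hardened one where the server only honours a change-password request accompanied by a random, short-lived, single-use token that it issued after the answers verified. The account data, question names and `attacker_flow` helper are constructed assumptions for the simulation.

```python
import hmac
import secrets
import time


def make_users():
    """Constructed sample accounts (not from the event); fresh copy per service."""
    return {
        "alice": {"password": "oldpass", "answers": {"pet": "rex", "city": "kathmandu"}},
        "bob": {"password": "oldpass", "answers": {"pet": "tom", "city": "pokhara"}},
    }


def answers_match(given, expected):
    """Compare every expected answer in constant time; extra or missing keys fail."""
    if set(given) != set(expected):
        return False
    ok = True
    for key, value in expected.items():
        ok &= hmac.compare_digest(str(given[key]).strip().lower(), value.lower())
    return ok


class VulnerableResetService:
    """Step ordering lives only in the browser: the change-password request
    carries nothing proving the security answers were ever verified."""

    def __init__(self, users):
        self.users = users

    def check_answers(self, username, answers):
        user = self.users.get(username)
        if user and answers_match(answers, user["answers"]):
            return {"message": "success", "statusCode": 200}
        return {"message": "unsuccessful", "statusCode": 403}

    def change_password(self, username, new_password, confirm, reset_token=None):
        # reset_token is ignored: any client that reaches this request wins.
        if username not in self.users or new_password != confirm:
            return {"message": "bad request", "statusCode": 400}
        self.users[username]["password"] = new_password
        return {"message": "password changed", "statusCode": 200}


class HardenedResetService:
    """The server remembers which reset it verified: check_answers issues a
    random, short-lived, single-use token bound to the account, and
    change_password accepts nothing else."""

    def __init__(self, users, ttl_seconds=300):
        self.users = users
        self.ttl = ttl_seconds
        self._pending = {}  # token -> (username, expiry); popped on first use

    def check_answers(self, username, answers):
        user = self.users.get(username)
        if not user or not answers_match(answers, user["answers"]):
            return {"message": "unsuccessful", "statusCode": 403}
        token = secrets.token_urlsafe(32)
        self._pending[token] = (username, time.time() + self.ttl)
        return {"message": "success", "statusCode": 200, "resetToken": token}

    def change_password(self, username, new_password, confirm, reset_token=None):
        entry = self._pending.pop(reset_token, None)  # single use; unknown/None -> None
        if entry is None or entry[0] != username or time.time() > entry[1]:
            return {"message": "no verified reset for this account", "statusCode": 403}
        if new_password != confirm:
            return {"message": "bad request", "statusCode": 400}
        self.users[username]["password"] = new_password
        return {"message": "password changed", "statusCode": 200}


def attacker_flow(service, username, new_password):
    """The trick from the post: guess the answers, rewrite the failed response to
    'success' in the interceptor, then send the change-password request the UI
    exposes next. Returns the server's reply to that final request."""
    resp = service.check_answers(username, {"pet": "guess", "city": "guess"})
    tampered = dict(resp, message="success", statusCode=200)  # client-side edit only
    token = tampered.get("resetToken")  # None: the server never issued one
    return service.change_password(username, new_password, new_password, reset_token=token)


if __name__ == "__main__":
    vulnerable = VulnerableResetService(make_users())
    print("vulnerable:", attacker_flow(vulnerable, "alice", "hacker"), vulnerable.users["alice"]["password"])
    hardened = HardenedResetService(make_users())
    print("hardened:  ", attacker_flow(hardened, "alice", "hacker"), hardened.users["alice"]["password"])
```

Against the vulnerable service the tampered reply is enough: the change-password call goes through and alice's password becomes "hacker". Against the hardened service the edited reply changes nothing, because the only thing that unlocks the final step is a token the server never issued; the same check also rejects a token replayed a second time, an expired token, or a token minted for a different account.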

As I was busy hunting for more vulnerabilities, my report was late and it was declared a duplicate, so one lucky guy got there before me and won the most critical bug award.

But the company still awarded me a bounty :) as the bug was critical.

If you enjoyed it, please do clap! Keep hunting!!

Follow me on:

Twitter : https://twitter.com/inn0c3ntd3v1l

Linkedin : https://in.linkedin.com/in/lakshay-oswp-44102a143

Written by

Security Researcher | Bug Bounty Hunter | OSCP | OSWP | Founder, Cyber Phoenix Conclave
