500$ Account Takeover

HEMANT
2 min read, Jun 14, 2022


Hi guys, today I'm going to share one of my interesting findings with you: an Account Takeover by chaining 3 vulnerabilities: 1) Pre-account takeover, 2) Response manipulation, 3) Login token leaked in response.

Let's start

Program: Xsolla.com

So, last month (May 2022) I got a target from one of my friend circle, which is Xsolla.com. First of all I gathered all subdomains, and I chose the https://clubs.xsolla.com subdomain. I found a login and sign-up page there. Then I tried a pre-account takeover (account squatting) there, because there were two ways to log in (OAuth and normal login). So I signed up, and in the response to the sign-up request I got a leaked JWT token, which is also used for login. After signing up, I logged straight into the account and updated the first name and last name. There was no email verification of any kind. Then I logged out and tried to log in with OAuth, and I was lucky: I found the account squatting vulnerability. But when I tried to log in with credentials, the site showed "email and password wrong". Then I thought, why not try the leaked token together with response manipulation here. So I entered the email and password, captured the request in Burp Suite, chose "Response to this request" and forwarded the request; in the response I changed 400 to 200 OK, put the leaked token into the response and clicked forward. And BOOM, I was logged in successfully. And I was like
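The root cause of this chain, as an added example that is not Xsolla's code: a hypothetical Python account backend that, in the weak flow, hands out a session token at sign-up with no email verification and lets an OAuth login attach to a pre-registered, unverified record (the squatting case), beside the hardened flow that withholds the token until verification, rejects password logins on unverified accounts, and discards an unverified local record when the email's real owner signs in via OAuth. The class, its methods, the token format and the addresses are all constructed for this example; the 400-to-200 edit in the post only mattered because the server already accepted the leaked token, which is what `token_is_valid` makes explicit.

```python
import base64, hashlib, hmac, json, secrets

SECRET = secrets.token_bytes(32)  # constructed server-side signing key

def issue_token(email):
    """Signed session token; stands in for the JWT the real sign-up response returned."""
    payload = base64.urlsafe_b64encode(json.dumps({"sub": email}).encode()).decode()
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"

class AccountService:
    """Hypothetical backend; require_verification=False reproduces the weak flow."""
    def __init__(self, require_verification):
        self.require_verification = require_verification
        self.users = {}  # email -> {"password": str|None, "verified": bool} (plaintext for brevity)

    def signup(self, email, password):
        self.users[email] = {"password": password, "verified": False}
        if self.require_verification:
            return {"status": 201, "token": None}  # no session until the email is verified
        return {"status": 200, "token": issue_token(email)}  # weak: token handed out at sign-up

    def verify_email(self, email):
        self.users[email]["verified"] = True

    def oauth_login(self, email):
        """The identity provider has asserted that the caller owns `email`."""
        user = self.users.get(email)
        if self.require_verification and user is not None and not user["verified"]:
            # Pre-registered but never verified: treat it as squatted; never attach the OAuth identity to someone else's password
            user = None
        if user is None:
            self.users[email] = {"password": None, "verified": True}
        return {"status": 200, "token": issue_token(email)}

    def password_login(self, email, password):
        user = self.users.get(email)
        ok = (user is not None and user["password"] is not None
              and hmac.compare_digest(user["password"], password)
              and (user["verified"] or not self.require_verification))
        return {"status": 200, "token": issue_token(email)} if ok else {"status": 400, "token": None}

    def token_is_valid(self, token):
        """Server-side check that a client-side 400 -> 200 edit cannot influence."""
        payload, _, sig = token.partition(".")
        expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return False
        user = self.users.get(json.loads(base64.urlsafe_b64decode(payload))["sub"])
        return user is not None and (user["verified"] or not self.require_verification)
```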

LinkedIn: https://www.linkedin.com/in/hemant-k-714564199/

Instagram: https://www.instagram.com/cyber__hawk/

YouTube: https://www.youtube.com/channel/UCKNK64OMhj8y1YByqRPalUw

Report submitted: 12 May 2022

Triage: 16 May 2022

Bounty: 22 May 2022

After this, I reported 10 more vulnerabilities: 8 were duplicates, 1 was accepted and 1 was informative.
