Account taken over in style !!!
Hey guys.. Hope everyone is safe against COVID-19. Its been long since I posted any article, I will post some which I found in recent days.
I am much interested in hunting business logic bugs. After couple of weeks of hunting haven’t found any. Got fed up and tired !! Desperately wanted to have a break. Started scrolling news feeds in FB. Found a quote “It seems impossible until you get it done” motivated me to try ahead. I decided to go with the Indian site, I am not going mention the site’s name. Sorry !! Let’s take it as Redacted.com. Made some initial recon. As usual I started looking for business logic bug.
Accidentally I found CSRF. I was bit excited and made myself calm. I thought of escalating it. I decided to do CSRF on password change. But unfortunately, application was asking for old password.
After couple of hours, I created one more account and logged inside. Opened the account setting page. Application threw a popup asking me to set new password.
On seeing the popup I logged inside the previous account which I created earlier to check whether the same popup is thrown or not. Surprisingly it was not.
Logic behind here is “For the first time when user creates an account and logins inside, application requests user to set new password. Once password is set application asks for the old password to change existing password”
Question raised straight away, “What if I use the set new password feature to change the password for the existing users through CSRF”. Fired up my burpsuite and intercepted set new password request. Investigated the request and concluded that there is no CSRF prevention. Quickly generated CSRF POC.
Yes you are right. I logged into another account and opened the CSRF link.
Booom..!!! PASSWORD CHANGED SUCCESSFULLY.
Still wanted to confirm. Logged in with the older creds. Threw an error message USERNAME PASSWORD INVALID. Tried the new password. Logged in successfully. Now able to take over anyone’s account.
Lesson Learnt: Never submit a report once you find a vulnerability. Chain it and try escalating the vulnerability which creates an impact to business.
Thank you for spending your time on reading this post :)