User Account Takeover [Password Change]— Nice Catch!

Image Credits: Record Future

Ever thought how you are implementing and passing data from the form to your queries? You are doing it dynamically?

Summary: In this writeup, I will explain how I was able to change the user account password without providing the old password. This writeup will be short. I will not take much time.

About Target: Target was From a private program. So, let’s assume the target is site.com

Reproduction steps:

  1. Login into your site.com account.
  2. Navigate to https://www.site.com/users/[user_id]/edit
  3. Now, you will see a form which allows you to edit your account details and there is also another option to change your current password which requires your old password but this can be bypassed easily.
  4. Now, for bypassing this change password feature. Just edit your account details and then submit this request and meanwhile intercept it.
  5. Now you will notice some $_POST fields which will be like

user[first_name] // For changing first name
user[last_name] // For changing last name

This post request is making an array of the user which is having some key values (first_name,last_name). That means it is making a dynamic SQL query at the backend.

For changing the password just add a new key here user[password] and pass your value.

Check this Request

Notice I added user[password]

Bingo! password changed!

Having any question? Comment below or you can send message me on facebook.com/rohitcoder

Thanks,

@rohitcoder