Bypass Google Captcha + Parameter Pollution Leads to Sending Email to Any User on Behalf of “Organization” with Any Desired Content
Hi folks, I am Viral Bhatt. This is my first write-up, so there may well be numerous mistakes, but that’s okay: it’s fine to make mistakes as long as you learn from them.
I only prefer HackerOne for bug bounty, maybe because my eyes love the UI of H1. After spending a lot of time in a public program (where I didn’t have any proper methodology; I used to blindly select a target and start my work) I was invited to a private program. My friend Vitthal Shinde suggested I test it the way we do in our daily routine: a proper pen-test of each and every URL, with fuzzing. I did the same and landed at number 1 on the HackerOne leaderboard next to a few well-known hackers :) (Current ranking is 3rd with 296* points.)
Let’s get back to the write-up.
In this particular application I’ve submitted 16 vulnerabilities, of which 11 are XSS (not the basic kind; the WAF needed to be bypassed). So the program had to add this line there.
But yeah, who cares. I started testing again and observed the “Contact Us” page, where I was able to send an email to the company.
Steps to Reproduce :-
STEP 1. I navigated to the contact page and filled the details.
STEP 2. The first approach here is to bypass the Google captcha. As you can see, after sending the same request again I get the error “INVALID_CAPTCHA”.
STEP 3. As you can see, I’ve removed the “recaptcha” parameter and its value. Observe that without the captcha the server gives me a “SUCCESS:true” response.
STEP 5. After completing the Google captcha bypass I added one more parameter, “toEmail”, with my email address. Again I got the response “SUCCESS:true”.
STEP 6. I opened my inbox and had received the email on behalf of “Target_Company”. I was able to send email to any user from a “Target_Company” email address.
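To make the two server-side mistakes behind these steps concrete, here is an added example that is not code from the write-up or from the program it describes: a minimal contact-form handler with the vulnerable behaviour (the captcha is only verified when the client sends a token, and an extra “toEmail” field overrides the recipient) beside a hardened version that rejects unexpected fields, treats a missing token as a failed captcha, and fixes the recipient server-side. The support inbox, field names, addresses, the token value and the FakeSiteVerify stand-in are all constructed assumptions; google_siteverify shows the shape of the real network check but the offline demo never calls it.

```python
"""Added example, not code from the write-up or the program it describes:
a contact-form handler showing the two defects behind the report next to a
hardened version. All names, addresses and tokens here are constructed."""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List

SUPPORT_INBOX = "support@example-org.invalid"          # constructed placeholder
SENDER = "noreply@example-org.invalid"                 # constructed placeholder
ALLOWED_FIELDS = {"name", "email", "subject", "message", "recaptcha"}


class FakeSiteVerify:
    """Offline stand-in for Google's siteverify: a token is valid exactly once,
    which reproduces the INVALID_CAPTCHA seen when the same request is replayed."""

    def __init__(self, tokens):
        self._unused = set(tokens)

    def __call__(self, token: str) -> bool:
        if token in self._unused:
            self._unused.discard(token)
            return True
        return False


def google_siteverify(secret: str) -> Callable[[str], bool]:
    """Shape of the real check (network call; not used by the offline demo):
    POST the site secret and the client token, read the "success" flag."""
    def verify(token: str) -> bool:
        data = urllib.parse.urlencode({"secret": secret, "response": token}).encode()
        with urllib.request.urlopen(
                "https://www.google.com/recaptcha/api/siteverify", data=data, timeout=5) as r:
            return bool(json.load(r).get("success"))
    return verify


def vulnerable_contact(form: Dict[str, str], verify: Callable[[str], bool],
                       outbox: List[dict]) -> dict:
    """Reproduces the behaviour observed in steps 2, 3 and 5."""
    token = form.get("recaptcha")
    # Defect 1: the token is verified only when the client sends one, so
    # dropping the parameter skips the check entirely.
    if token is not None and not verify(token):
        return {"SUCCESS": False, "error": "INVALID_CAPTCHA"}
    # Defect 2: an undocumented extra field silently overrides the recipient.
    outbox.append({"to": form.get("toEmail", SUPPORT_INBOX), "from": SENDER,
                   "subject": form.get("subject", ""), "body": form.get("message", "")})
    return {"SUCCESS": True}


def hardened_contact(form: Dict[str, str], verify: Callable[[str], bool],
                     outbox: List[dict]) -> dict:
    # Reject fields the form does not define instead of honouring them.
    unexpected = set(form) - ALLOWED_FIELDS
    if unexpected:
        return {"SUCCESS": False, "error": "UNEXPECTED_FIELDS", "fields": sorted(unexpected)}
    # A missing or empty token fails exactly like a wrong one.
    token = form.get("recaptcha")
    if not token or not verify(token):
        return {"SUCCESS": False, "error": "INVALID_CAPTCHA"}
    # The recipient is fixed server-side; the visitor's address is only a Reply-To.
    outbox.append({"to": SUPPORT_INBOX, "from": SENDER, "reply_to": form.get("email", ""),
                   "subject": form.get("subject", ""), "body": form.get("message", "")})
    return {"SUCCESS": True}


def demo() -> dict:
    """Send the write-up's request sequence to both handlers and collect results."""
    base = {"name": "Visitor", "email": "visitor@example.invalid",
            "subject": "Hello", "message": "Test message"}      # constructed form data
    results = {}
    for label, handler in (("vulnerable", vulnerable_contact), ("hardened", hardened_contact)):
        verify = FakeSiteVerify({"tok-1"})                     # constructed token
        outbox: List[dict] = []
        first = handler(dict(base, recaptcha="tok-1"), verify, outbox)      # step 1
        replay = handler(dict(base, recaptcha="tok-1"), verify, outbox)     # step 2
        no_captcha = handler(dict(base), verify, outbox)                    # step 3
        redirected = handler(dict(base, toEmail="victim@example.invalid"),  # step 5
                             verify, outbox)
        results[label] = {"first": first, "replay": replay, "no_captcha": no_captcha,
                          "redirected": redirected,
                          "recipients": [m["to"] for m in outbox]}
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it shows the vulnerable handler accepting the request with no “recaptcha” field and delivering to the attacker-chosen address, while the hardened handler returns INVALID_CAPTCHA for the missing token and UNEXPECTED_FIELDS for “toEmail”, and only ever delivers to SUPPORT_INBOX. In a real deployment the siteverify secret stays on the server, and logging rejected submissions (missing token, unknown fields) gives a simple detection signal for this kind of probing.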
I submitted the vulnerability to the private program, and within a day they had patched it and paid a good bounty.
I hope you enjoyed reading the article as much as I enjoyed writing it.
Special thanks to Vitthal Shinde (Twitter :- 0_1vitthals)