Broken Authentication — Bug Bounty

So this is how we found this site and believe me researchers on openbugbounty.org should keep this tip in mind because the site you’re reporting to is just not vulnerable to XSS or CSRF! look for more.

Little Bug Bounty Tip

Vulnerability: Broken Authentication (Poor session management)
Severity: Critical
Owasp rank: (OTG-AUTHN-004)

First, the site is vulnerable to CSRF account takeover and file upload XSS too but we’ve explained the process in our previous write-ups so no need to explain that! In this scenario the sessionID is not expiring even after log out so attacker can manipulate the request and can login into the account with same sessionID without any credentials. Bug also can be exploited with two different browsers.

  • First log in into the account, website will create a session ID for current login.
  • To catch any request configure your browser (Mozilla) with any proxy tool (Burpsuite).
  • Click on any page to intercept the request, Here We’ll intercept edit profile page request and send it to REPEATER.
Request
  • Now log out from the account
  • Now in URL bar put edit profile URL like this (Keep intercept on) https://www.tribeofnoise.com/profile_edit.php/ID=52763 (No parameter IDOR here so look for other bugs)
  • Press enter and in intercept tab replace the current request with the one you kept in repeater (Old session ID) and forward it. Here you logged out from the account so it should give you error like ‘Your session is expired’ or should redirect to login page instead it’ll log you into the account without any authentication. Simple right?
  • Have a look at the video PoC.
PoC

5-Oct-2018 → Bug Reported

26-Oct-2018 → Bug Triaged

29-Oct-2018 → Bug Fixed

Have a happy hunting 😃