Bug Bounty Archives - Ninad Mathpati (Security Consultant)
https://ninadmathpati.com/category/bug-bounty/
Feed last updated: Tue, 15 Dec 2020 16:38:10 +0000

Web Application Pentest Mindmap (Thu, 16 Apr 2020 14:37:10 +0000)
https://ninadmathpati.com/2020/04/16/web-application-pentest-mindmap/
Please visit Web App Pentest on MindMeister. Image Source: https://www.securitymetrics.com/

How I was able to bypass the current password? (Wed, 11 Mar 2020 11:37:28 +0000)
https://ninadmathpati.com/2020/03/11/how-i-was-able-to-bypass-the-current-password/

Hello Guys,

Hope you are earning a lot through bug bounty. Nowadays I feel bug bounty is all about bypassing the remediations that have been implemented. I thought I would share one of my recent findings. As it is a private program, let's call it Xyz.com.

Most of you will have seen this scenario: when you update your password or update your security question and answer, the server asks you to confirm your identity by re-entering your current password before the changes are saved.

Here I was able to bypass that password confirmation.

In this scenario, most people would try:

  1. Checking whether the password is properly validated.
  2. Removing the old password parameter in Burp Suite.
  3. Providing a different user's password.
  4. Response manipulation.
  5. SQL injection.

In my case, none of the above worked.


I knew that the application's CSRF tokens could be bypassed simply by removing the token, but because the confirm-current-password check was enforced, CSRF alone could not help here.

Then I created a new account. After logging in I was asked to create a security question and answer. I captured the CSRF PoC for that request, and it looked something like this:

CSRF PoC:

<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://xyz.com/myprofile/editLogin" method="POST">
<input type="hidden" name="question" value="PET" />
<input type="hidden" name="answer" value="test1234" />
<input type="hidden" name="answer2" value="test1234" />
<input type="hidden" name="saveSubmit" value="Save&#32;and&#32;Continue" />
<input type="hidden" name="origin" value="loginAccount" />
<input type="hidden" name="requestor" value="accountSummary" />
<input type="hidden" name="loginPage" value="false" />
<input type="hidden" name="securityQAPage" value="true" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

The request for updating the security Q&A was different from the request for creating it. When a user creates the security question and answer for the first time, there is no need to provide the current password to make the change. So why not use this creation request to update the security question? When I tried it to update the security question and answer of the other user, it worked, and so I had bypassed the current password check.


I was able to change anyone's security question.

Through this vulnerability I was able to achieve a full account takeover, as the forgot password page offered an option to reset the password by answering the security question.

Thus it was a full account takeover.

This was a short blog, as my blog on server-side vulnerabilities will take some more time.

Hope you like it!
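As an added example (not code from the original post or from the affected site), here is a minimal model of the /myprofile/editLogin handler from the PoC above: the vulnerable version skips the password check whenever the client claims to be on the creation path (origin=loginAccount, securityQAPage=true), while the hardened version verifies a per-session CSRF token and requires the current password on every write. The user store, session layout and helper names are assumptions for this example.

```python
import hmac
import secrets

# Constructed in-memory account: one user with a password and no Q&A yet.
USERS = {"alice": {"password": "correct horse", "question": None, "answer": None}}


def new_session(username):
    """Session carrying a per-session CSRF token (assumed helper)."""
    return {"user": username, "csrf_token": secrets.token_hex(16)}


def _validate_answers(form):
    return bool(form.get("question") and form.get("answer")
                and form["answer"] == form.get("answer2"))


def edit_login_vulnerable(session, form):
    """Skips the password check whenever the client says it is 'creating'."""
    user = USERS[session["user"]]
    creating = (form.get("securityQAPage") == "true"
                and form.get("origin") == "loginAccount")
    if not creating and form.get("currentPassword") != user["password"]:
        return 403, "current password required"
    if not _validate_answers(form):
        return 400, "answers do not match"
    user["question"], user["answer"] = form["question"], form["answer"]
    return 200, "saved"


def edit_login_hardened(session, form):
    """Verifies the CSRF token first, then re-authenticates on every write."""
    user = USERS[session["user"]]
    if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf_token"]):
        return 403, "bad csrf token"
    # The client's origin/securityQAPage fields never decide whether the
    # password is required: any change to login data needs it.
    if not hmac.compare_digest(form.get("currentPassword", ""), user["password"]):
        return 403, "current password required"
    if not _validate_answers(form):
        return 400, "answers do not match"
    user["question"], user["answer"] = form["question"], form["answer"]
    return 200, "saved"
```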


How I was able to earn 1000$ with just 10 minutes of bug bounty? (Fri, 16 Aug 2019 21:34:08 +0000)
https://ninadmathpati.com/2019/08/17/how-i-was-able-to-earn-1000-with-just-10-minutes-of-bug-bounty/

Hello guys, I'm back with a new blog on bug bounty. I found this bug recently on an independent bug bounty program and thought of sharing it.

So here I would like to share how I earned 1000$ with just 10 minutes of bug hunting.

Here you will get to know the importance of client-side vulnerabilities.

So here's how it went. Earlier, during my 4th year of engineering, I had too much free time. This was the time I learnt a lot about this field. My daily schedule at that time was:

Eat-> Sleep -> Bug Hunting -> Repeat

A few months back I thought I would give it a try, so I just picked a random website; let's say asdf.com.

Now, asdf.com is a cryptocurrency exchange website. In the usual way I tried to scan the website, and while testing I came across the login page and found that we could create an account. After creating the account I found a place where we could request a password reset for our account. On the login page there was a reset password option, so just to check it I requested a password reset through that option. The forgot password link looked something like this:

www.asdf.com/resetpsswd/email=hacker2202@asdf.com&token=aknajdnskvbskfv34tr34nj3rrff33grjqw

If you look closely, there is an email parameter that can be changed. I tried changing the email address and checking the link, and what a stroke of luck: with just 5 minutes of testing I got the bug. But after changing the email I was not able to change the password, as the site had 2-factor authentication implemented.

Since 2-factor authentication was implemented, I thought we could not do anything with it now that altering the email did not work. But suddenly I saw a mail in my altered email inbox. It was from asdf.com, and it was like this:

I got a new reset password link for that account at my altered email address.

So what was happening was this:

When we requested a password reset for our account we received a mail, and that reset password link had a token expiration vulnerability (the token was not expiring after one use).

The second problem was that when I altered the email and processed the link, I received a new reset link for the victim's account at my altered email address (not exactly the same, but something like an HTTP parameter pollution attack).

So in this way I was able to earn well. Client-side attacks also pay very well if we show the attack scenario properly.

What might be the fix for this type of issue?

  • Token verification and expiration.
  • Avoiding unnecessary parameters like email.
  • Implementation of 2-factor authentication.
  • Most importantly, checking the workflow of that section.

This was just one example of a client-side attack. I will be discussing client-side attacks in detail in my further blogs (will publish soon).

“So Next time you see any parameter try to play with it who knows you might get lucky and get some bucks added to your account”

This blog covers these specific findings only. Do subscribe to my blog if you find it useful!

Hint for the next blog: Is it possible to hijack a browser through XSS?
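As an added example (not code from the original post or from the site in question), here is a password-reset token store that closes both gaps described above: the token is bound server-side to the account, so any email parameter in the link is ignored, and it expires and is consumed on first use. The class, method names, TTL and the in-memory account map are assumptions for this example.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60


def _digest(token):
    # Store only a hash so a leaked table does not expose live tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class ResetTokenStore:
    def __init__(self, accounts, now=time.time):
        self.accounts = accounts   # user_id -> email on record (constructed)
        self.now = now             # injectable clock so expiry can be tested
        self.tokens = {}           # sha256(token) -> (user_id, issued_at)

    def issue(self, user_id):
        """Mint a one-time token; the link goes only to the email on record."""
        token = secrets.token_urlsafe(32)
        self.tokens[_digest(token)] = (user_id, self.now())
        # No email in the link: the token alone identifies the account.
        link = f"https://www.asdf.com/resetpsswd?token={token}"
        return self.accounts[user_id], link

    def consume(self, token, email_param=None):
        """Return the user_id the token belongs to, or None. Burns the token."""
        entry = self.tokens.pop(_digest(token), None)   # single use
        if entry is None:
            return None
        user_id, issued_at = entry
        if self.now() - issued_at > TOKEN_TTL_SECONDS:
            return None
        # email_param is deliberately ignored: the account comes from the
        # token, so a tampered email in the request cannot redirect the reset.
        return user_id
```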


How critical is IDOR vulnerability? Can it take down a whole company? (Thu, 16 May 2019 09:10:21 +0000)
https://ninadmathpati.com/2019/05/16/how-critical-is-idor-vulnerability-can-it-take-down-a-whole-company/

Hello people, hope you are doing well and playing well with security!

Today I am here again with a topic known as Insecure Direct Object References (IDOR). I found this vulnerability while doing a VAPT (Vulnerability Assessment & Penetration Testing) for a client.

What is it?

According to the wiki:
“Insecure Direct Object References (IDOR) occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers can bypass authorization and access resources in the system directly, for example, database records or files.”
In simple words, it's like:

Getting sensitive information by just changing a few values in a parameter.

How does an IDOR (Insecure Direct Object Reference) work?


[Figure: IDOR attack structure]

In the figure above you can see that the attacker requests his profile information from the server with user id “101” and gets his profile information back. He then manipulates the user id value to “103” and still gets a 200 OK response. This means the server is not properly verifying the user's requests; it simply returns a response for any value. This is IDOR.

Now coming to the topic: is IDOR just that? Try going a bit deeper inside the application.

Suppose additional HTTP methods are enabled alongside this IDOR. What could an attacker do here? Think about it!

Here is a sample request that shows the IDOR vulnerability:

[Figure: sample request showing the IDOR vulnerability]

If we change the user id to something else we get another user's profile information, and there is a lot of critical information here. At this point we could stop and report it directly, or try to dig a bit deeper. Can you see the HTTP methods listed in the response?

What are HTTP methods and what are they used for?

HTTP defines a set of request methods to indicate the desired action to be performed on a given resource. In simple words, we can say:

“It’s a way for connection between the server and the user”

There are 9 HTTP methods in total:

GET:- The GET method requests a representation of the specified resource. Requests using GET should only retrieve data.
HEAD:- The HEAD method asks for a response identical to that of a GET request, but without the response body.
POST:- The POST method is used to submit an entity to the specified resource, often causing a change in state or side effects on the server.
PUT:- The PUT method replaces all current representations of the target resource with the request payload.
DELETE:- The DELETE method deletes the specified resource.
CONNECT:- The CONNECT method establishes a tunnel to the server identified by the target resource.
OPTIONS:- The OPTIONS method is used to describe the communication options for the target resource.
TRACE:- The TRACE method performs a message loop-back test along the path to the target resource.
PATCH:- The PATCH method is used to apply partial modifications to a resource.

Now coming back to the topic: in the above request, if we change the HTTP method from GET to DELETE, will it delete the user from the database?


[Figure: DELETE method in IDOR]

Yes, it works: we are able to delete the customer just by changing the request method.

Now, if we can fetch information with GET and erase it with DELETE, why not try the PUT method?


[Figure: PUT method in IDOR]

Using the PUT method, we are able to edit or change the customer's information, such as first name, last name, date of birth, etc. So how can this lead to a full account takeover?

There are two ways we can do that:
1) Use the PUT method to change the password.
2) Use the PUT method to change the email and contact number.

Once we change the email and contact number, we can request a new password from the reset password page and then simply change the password.

This gives us a single account takeover. How could we take down the whole company?

The answer is: brute-force the user id field with the PUT method.

[Figure: account takeover by IDOR]

So we run a brute-force attack by adding the email field to the request and using Intruder to iterate over the user id. Within a few hours the company would be down: none of the users would be able to log in again.

In this way, we could take down a whole company through Insecure Direct Object References (IDOR).

What is the mitigation for IDOR?

1) Avoid exposing direct object references :-

Try to avoid exposing direct object references such as “www.xyz.com/user/23456”; instead configure it as “www.xyz.com/myprofile” and use the information already present in the user's session on the server to locate the resource to serve.

2) Check user access at the data-object level :-

Add proper authorization when implementing server-side access controls. It is relatively obvious to add authorization checks at the functionality or route level; a common cause of this vulnerability is missing access checks at the data or object level, which are what protect against tampered IDs in URL parameters. Enforce access controls in the data layer by verifying that the current user owns, or is otherwise allowed to access, the requested data.
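As an added example (not code from the original post or from the client's application), the two mitigations above as a small GET/PUT/DELETE dispatcher for /user/<id>: the vulnerable handler trusts the id in the URL, while the hardened one resolves the subject from the session (the /myprofile pattern when no id is sent) and checks ownership at the data-object level before any read, write or delete. The record store, session layout and handler names are assumptions for this example.

```python
# Constructed customer records keyed by user id.
CUSTOMERS = {
    101: {"first_name": "Ann", "email": "ann@example.com"},
    103: {"first_name": "Bob", "email": "bob@example.com"},
}

# Fields a user may edit through this endpoint; email and password changes
# belong in separate re-authenticated flows, so they are not writable here.
EDITABLE = {"first_name", "last_name", "dob"}


def handle_vulnerable(session, method, user_id, body=None):
    """Authenticated, but never checks that the session user owns user_id."""
    if user_id not in CUSTOMERS:
        return 404, None
    if method == "GET":
        return 200, dict(CUSTOMERS[user_id])
    if method == "PUT":
        CUSTOMERS[user_id].update(body or {})   # any field, any account
        return 200, dict(CUSTOMERS[user_id])
    if method == "DELETE":
        del CUSTOMERS[user_id]
        return 204, None
    return 405, None


def handle_hardened(session, method, user_id=None, body=None):
    """Object-level check: the only record a user may touch is their own."""
    subject = session["user_id"]
    # /myprofile style: with no id in the request, serve the session's record.
    target = subject if user_id is None else user_id
    if target != subject:
        return 403, None          # tampered id in the URL path or query
    if target not in CUSTOMERS:
        return 404, None
    if method == "GET":
        return 200, dict(CUSTOMERS[target])
    if method == "PUT":
        allowed = {k: v for k, v in (body or {}).items() if k in EDITABLE}
        CUSTOMERS[target].update(allowed)
        return 200, dict(CUSTOMERS[target])
    if method == "DELETE":
        del CUSTOMERS[target]
        return 204, None
    return 405, None              # OPTIONS/TRACE/etc. are not served here
```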

That was all for today's topic. Hope you like it; subscribe to my blog for further updates on security.

Hint for the next blog:- Bug bounty can be done in 2 ways, hard work and smart work; which one do you prefer?
…. To be continued

Till then Happy hacking!


How I got a trip to Amsterdam through bug bounty (Sun, 07 Apr 2019 01:33:04 +0000)
https://ninadmathpati.com/2019/04/07/how-i-got-a-trip-to-amsterdam-through-bug-bounty/

Hello guys, welcome to my blog. Let me tell you this is my first blog, and I will be writing more blogs on the critical vulnerabilities that I have found; I hope you find it interesting.
So without wasting time let's move forward. Here I would like to share how I got a 5-day trip to Amsterdam with all expenses paid.

At this point most of you would have guessed that the vulnerability was a server-side issue, but it is a simple vulnerability leading to full account takeover. The vulnerability was in the login portal; I guess some of you are familiar with it.
First of all, let me tell you about this vulnerability, which I like very much because it pays well enough and I have found it many times in different ways: full account takeover. An account takeover can be achieved through any method; we just need to take over the account in any possible way. Here the account takeover was done by brute force on the login portal. Now, what is it and how do you find it?
For those who don't know what a brute force attack is:

Brute force is a way of trying to bypass a login form, or any other form that needs a password to open a file or system. In simple words, it is just the process of guessing the password.


Here is what I did: I created an account and was just checking its requests and responses by intercepting them through Burp Suite. After some time checking for minor vulnerabilities, I went to the forgot password page. The real problem was here: when I requested a password for my account, the server was by default setting a new password for my account and sending it to me via mail. When I received the mail I saw the password was in a format such as
“Ab3CdF”

It was a 6-character password. To reconfirm the pattern I requested the password 100 times, and from this I learnt that there was no rate limiting implemented on the login page or the forgot password page. Now we had the format of the password, and nobody was going to stop us if we used it for brute forcing the account. Even though it is only a 6-character password, there is still a huge number of possibilities, nearly 56,800,235,584. That is a lot of passwords to check for one account, but we have the password format, so we can write a Python script to generate the passwords, or there are many other tools that will do the work for you. Once we generate the passwords we can use the Burp Suite Intruder (something like this) to carry out the brute force attack. Thus this leads to full account takeover.


That was all about this vulnerability. There are many other ways to achieve a full account takeover, and I guess this is the easiest one to understand.
I will be writing blogs, one by one, on various ways to take over an account and on my other bug bounty experiences. So this is it for the day; thank you for reading the blog. See you soon with more exciting things in bug bounty and penetration testing.
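As an added example (not code from the original post or from the affected site), here is what the missing control looks like from the defender's side: keyspace() reproduces the 56,800,235,584 figure above (6 characters drawn from a-z, A-Z, 0-9), hours_to_exhaust() shows how attempt rate turns that number into time, and LoginThrottle is a per-account sliding-window limiter that the login and forgot-password endpoints can share so an unbounded stream of guesses is cut off. The class, function names and limits are assumptions for this example.

```python
import string
import time
from collections import defaultdict, deque

ALPHABET = string.ascii_letters + string.digits   # 62 symbols, as in "Ab3CdF"


def keyspace(length, alphabet=ALPHABET):
    """Number of candidates for a fixed-length password over the alphabet."""
    return len(alphabet) ** length


def hours_to_exhaust(length, attempts_per_second):
    """Worst-case time to try every candidate at a sustained attempt rate."""
    return keyspace(length) / attempts_per_second / 3600


class LoginThrottle:
    """Sliding-window failure counter keyed by account (not by source IP,
    so a distributed guesser still hits the same limit)."""

    def __init__(self, max_attempts=5, window_seconds=300, now=time.time):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.now = now                         # injectable clock for testing
        self.failures = defaultdict(deque)     # account -> failure timestamps

    def allowed(self, account):
        """True if the account may attempt now; drops entries outside the window."""
        q = self.failures[account]
        cutoff = self.now() - self.window
        while q and q[0] < cutoff:
            q.popleft()
        return len(q) < self.max_attempts

    def record_failure(self, account):
        self.failures[account].append(self.now())

    def record_success(self, account):
        # A correct login clears the counter so legitimate users recover.
        self.failures.pop(account, None)
```

With the default limits an account gets 5 guesses per 5 minutes, and the same throttle should gate the forgot-password endpoint so that re-issuing passwords is bounded too.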
