To people who don't know me: I am Ashutosh Mishra, a 3rd-year B.Tech Computer Science student, a cybersecurity researcher by day and bug hunter by night. I mainly love finding business logic bugs (account takeover and SSRF).
Hello everyone, this is my second account takeover write-up. I hope you have all read the first one; if not, you can read it here. This account takeover was done three months earlier, in December 2020, but the response and the award came in February 2021.
Let's begin. I was searching for financial websites to hunt on, and after searching on Google for a good while I found a website that was running a bug bounty program. For security purposes, let's call the website redacted.com.
This time, before starting Burp Suite, I began by understanding the application flow as a normal user. Then I spidered the website with Burp Suite, looking for endpoints that might be vulnerable to SSRF, but after three hours of hunting I could not find any endpoint that gave a successful SSRF.
The next thing that came to my mind was the registration and login pages of the website. I tried putting a Collaborator link into every request to test for blind SSRF, but with no success.
As I am someone who always looks for SSRF and account takeover, I spent around three days on the target and found some low-hanging fruit, but I was not happy to report those. Then I started hunting on the login page. There were two options to log in: the normal email and password, and OAuth. I tried to find an OAuth misconfiguration, but the developers had implemented OAuth quite well. My next attempt was to log in through email and password with response manipulation, but with no success.
It was 2 am, I was tired and about to go to sleep, but my eyes fell on the reset password feature, so I thought I would give this mechanism one last try.
The password reset was implemented by emailing instructions to reset the password. While requesting the reset, I intercepted the request and its response, hoping to get the reset token in the response, but got nothing.
So I went to my mail, opened the reset link, and intercepted the request that is sent when changing the password. I saw the following request:
After observing the request, two things came to my mind. First, no CSRF protection was implemented in the request. But I thought the authenticity_token might be bound to the email address (in which case the missing CSRF protection would be of no use). To check whether the token and the email were linked, I changed the email from firstname.lastname@example.org to email@example.com, and suddenly something happened that shocked me.
There was a notification in the right corner claiming that the password had been reset. To actually confirm it, I entered the victim's email address and my password, and boom, we are inside the victim's account. So the reset token was not bound to the email address, which led to account takeover of anyone.
Bug Reported: 8 December 2020
Bug Triaged: 11 February 2021
Bounty Rewarded: $2000
Tip: check whether a token is bound to an account by changing the parameter value it should be tied to (here, the email) and seeing whether the request still succeeds.
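To make the root cause and the tip concrete, here is an added example (my own illustration, not code from the write-up or from the target) of a password-reset confirmation handler written two ways. The vulnerable class reproduces the behaviour described above: the server checks only that the token was issued, and takes the account to update from the email field of the request. The hardened class records which account each token was issued for (stored as a hash, single-use, time-limited) and ignores the submitted email except to compare it against the token's owner. The user store, email addresses and token lifetime are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time


def fresh_users():
    """Constructed in-memory user store for this example; not data from the write-up."""
    return {
        "victim@example.com": {"password": "victim-original-password"},
        "attacker@example.com": {"password": "attacker-original-password"},
    }


class VulnerableReset:
    """Mirrors the bug in the write-up: the token proves only that *some* reset
    was requested, and the email in the confirmation request picks the account."""

    def __init__(self, users):
        self.users = users
        self.valid_tokens = set()          # issued tokens, with no owner recorded

    def request(self, email):
        if email not in self.users:
            return None
        token = secrets.token_urlsafe(24)
        self.valid_tokens.add(token)       # not tied to `email` in any way
        return token                       # would be emailed to `email`

    def confirm(self, email, token, new_password):
        if token not in self.valid_tokens or email not in self.users:
            return False
        self.valid_tokens.discard(token)
        self.users[email]["password"] = new_password   # attacker controls `email`
        return True


class BoundReset:
    """Hardened handler: token bound to the account it was issued for, stored
    hashed, single-use and time-limited (15 minutes is an assumed value)."""

    TTL_SECONDS = 15 * 60

    def __init__(self, users, now=time.time):
        self.users = users
        self.now = now
        self.issued = {}                   # sha256(token) -> (owner email, expiry)

    def request(self, email):
        # Behave the same for unknown emails so this endpoint cannot enumerate accounts.
        token = secrets.token_urlsafe(32)
        if email in self.users:
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.issued[digest] = (email, self.now() + self.TTL_SECONDS)
        return token

    def confirm(self, email, token, new_password):
        digest = hashlib.sha256(token.encode()).hexdigest()
        record = self.issued.get(digest)
        if record is None:
            return False
        owner, expiry = record
        if self.now() > expiry or not hmac.compare_digest(owner, email):
            return False
        del self.issued[digest]            # single use
        self.users[owner]["password"] = new_password   # account from the token, not the request
        return True


def attacker_takeover(reset_cls):
    """Replays the test from the write-up: request a reset for the attacker's own
    account, then submit that token with the victim's email. Returns True when
    the victim's password was changed."""
    users = fresh_users()
    reset = reset_cls(users)
    token = reset.request("attacker@example.com")
    accepted = reset.confirm("victim@example.com", token, "attacker-chosen-password")
    return accepted and users["victim@example.com"]["password"] == "attacker-chosen-password"


def legitimate_reset(reset_cls):
    """Sanity check: the real account owner can still reset with their own token."""
    users = fresh_users()
    reset = reset_cls(users)
    token = reset.request("victim@example.com")
    return reset.confirm("victim@example.com", token, "new-victim-password")


if __name__ == "__main__":
    print("vulnerable handler, cross-account reset:", attacker_takeover(VulnerableReset))
    print("bound handler, cross-account reset:", attacker_takeover(BoundReset))
```

Running the script shows the cross-account reset succeeding against the vulnerable handler and failing against the bound one, while a normal reset works with both. The same parameter-swap test works from Burp: request a reset for an account you own, then replay the confirmation with the victim's email; if the server reports success, the token is not bound to the account.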
Feel free to message me on Instagram with any queries related to bug bounty.
Well, if you loved this write-up, drop a clap 👏 (50X). Let's connect: