IDOR on Password Change to Full Account Takeover.

Rohit_443
3 min read · Apr 12, 2021

Hello Everyone.

I am writing my first bug bounty write-up. This is the story of a critical finding in which I was able to take over anyone's account because the application was vulnerable to a broken access control vulnerability.

Please ignore my English.

What is a Broken Access Control Vulnerability?

Broken access control vulnerabilities exist when a user can in fact access a resource or perform an action that they are not supposed to be able to access; the server trusts something the client supplies (here, a user ID) instead of enforcing the check against the authenticated session.


Let's get started with the findings.

So, this is a private program on Bugcrowd, and it is almost a one-year-old program.

I had just started testing on it and reported two or three bugs, and all of them were marked as duplicates.

So, after this I logged in to the application again and clicked on my profile tab. It redirected to subdomain/my-profile, where there is a password change functionality, and no current password is required to change the password.

Now, I entered the new password and captured the request in Burp. I noticed that there was no CSRF protection and no authorization token of any type.

However, the application was validating the user on the basis of the user ID, and the user ID was encrypted and sent in an HTTP GET request.

Now I was looking for the IDOR. I created another account and tried to change the password of the second account by just changing the user ID, and I was able to successfully change the password of the second account using only the user ID.

But this is not the end of the story; the real challenge comes now.

I reported this. And after two days the Bugcrowd triage team sent me a message.

They asked me to provide a remote way to obtain the user ID.

Now I was looking for any remote way to get the user ID of any user in order to take over their account and make my report a valid one. But I failed; I did not find any way to obtain the user ID in two days.

But after two days, in the Burp Proxy -> HTTP history tab, I found a URL on the same subdomain which contained a payment page with an email field.

I just entered my email, captured the request in Burp Suite and sent it to Burp Repeater, and I got the user ID in the response.

Now, I found someone from their company by a simple Google search and got one of their team members' email IDs from their Twitter profile. Using that email ID I obtained their user ID. Now I was able to reset their password and take over their account.

Steps to reproduce:

  1. Open this URL https://target.com and log in with email and password.
  2. Now go to My Profile; it redirects to https://subdomain.target.com/myprofile
  3. Now click on password change, enter a new password and capture the request in Burp. Send this to Repeater.
  4. Create a second account.
  5. Open this URL https://subdomain.target.com/checkout/?
  6. Enter anyone's email and capture the request in Burp, send it to the Repeater tab, and in the response tab you get the user ID associated with the given email ID.
  7. Now go to step 3, enter the user ID and click on Go.
  8. You have successfully changed the password and taken over the account.
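As an added illustration (not code from this write-up or from the program), the handler below models the flaw described above next to a hardened version: the target account comes from the authenticated session instead of a user ID in the request, the current password is required, and a CSRF token is checked. The users, IDs and passwords are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory user store for this demo, not the program's data.
# Passwords are kept as salted PBKDF2 hashes, never in clear text.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _new_user(email: str, password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"email": email, "salt": salt, "hash": _hash(password, salt)}

USERS = {
    "u-1001": _new_user("alice@example.com", "alice-old"),
    "u-1002": _new_user("bob@example.com", "bob-old"),
}

def verify_password(user_id: str, password: str) -> bool:
    u = USERS[user_id]
    return hmac.compare_digest(_hash(password, u["salt"]), u["hash"])

class Session:
    """What the login cookie proves: which user is authenticated."""
    def __init__(self, user_id: str):
        self.user_id = user_id
        self.csrf_token = secrets.token_hex(16)

def change_password_vulnerable(session: Session, params: dict) -> int:
    # The bug from the write-up: the target account is whatever user id the
    # request carries, no current password is asked for, no CSRF token is checked.
    user = USERS.get(params.get("user_id"))
    if user is None:
        return 404
    user["hash"] = _hash(params["new_password"], user["salt"])
    return 200

def change_password_hardened(session: Session, params: dict) -> int:
    # Fix: the target is always the session's own user (a user id in the request
    # is ignored), the CSRF token must match the session, and the caller must
    # prove the current password before it is replaced.
    if not hmac.compare_digest(params.get("csrf_token", ""), session.csrf_token):
        return 403
    if not verify_password(session.user_id, params.get("current_password", "")):
        return 403
    user = USERS[session.user_id]
    user["hash"] = _hash(params["new_password"], user["salt"])
    return 200
```

Detection-wise, the same comparison (request user id versus session user) is what a log review or WAF rule would look for on this endpoint.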

Follow me on Twitter.

If there is a will there is a way.


Rohit_443

Senior Security Consultant | Bug bounty hunter | Twitter @Rohit_443