Hello everyone!!! Hope you are all doing well.
I’m back again. In this report I will show how I found a creative bug and how I was able to raise its impact from low to high.
Are you excited????
First, while I was trying to understand the functions of the target, I found that users are not allowed to change their email. Well, why don’t we try to change it anyway? But how?
Well, I tried changing the username to see what the request contains.
In this case I added some parameters such as: email, emailUser, Email, Address, email_confirm, etc.
But all my attempts failed.
I left the target for hours and then tried again…
Well, it worked this time. I found that the parameter “emailAddress” changes the user’s email once they confirm it, even though the UI never exposes it. This is a vulnerability and a violation of secure design principles.
Then let’s go report it. But wait a minute!! Why don’t we try raising the impact a little and get a bigger reward?
Have you thought of anything else along with me?!
Yeah, of course!
Account takeover :) Since we can change the email, there may be a weakness!!!
But the road was about to be closed!! There was a CSRF token. But slow down, go back and read My methodology to bypass CSRF token with 5 Methods, it is important!!
Using “method 2”, I found that the server does not check that the CSRF token belongs to the current session: I was able to swap the token for a CSRF token from another account. With that, I successfully bypassed the CSRF protection and could perform my own CSRF attack.
Add the emailAddress parameter to the request to change the email > bypass the CSRF token by substituting a token from another account > create a CSRF PoC and report the ATO.
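To make the two weaknesses in this chain concrete for anyone fixing or reviewing similar code, here is an added example (not code from the original post or from the target): a minimal profile-update handler that has both defects described above, the hidden emailAddress parameter being written straight into the user record and a CSRF token that is only checked for existence rather than for binding to the requesting session, beside a hardened handler that allowlists fields and ties the token to the session. The account names, token store and field names are all constructed for the demo.

```python
import hmac
import secrets


def make_users():
    """Fresh copy of two constructed accounts. The e-mail column is named
    'emailAddress', the undocumented parameter from the writeup."""
    return {
        "victim": {"username": "victim", "emailAddress": "victim@example.com", "role": "user"},
        "attacker": {"username": "attacker", "emailAddress": "attacker@example.com", "role": "user"},
    }


# ---- vulnerable design: what the writeup describes ------------------------
# Tokens live in one global pool, so the check only asks "was this token ever
# issued?", never "was it issued to the session sending this request?".
ISSUED_TOKENS = set()


def issue_token_vulnerable():
    token = secrets.token_hex(16)
    ISSUED_TOKENS.add(token)
    return token


def update_profile_vulnerable(users, session_user, form):
    """Copies every submitted field onto the user's record (mass assignment)
    after a token check that a token from any account satisfies."""
    if form.get("csrf_token") not in ISSUED_TOKENS:
        raise PermissionError("csrf token unknown")
    record = users[session_user]
    for key, value in form.items():
        if key != "csrf_token":
            record[key] = value  # 'emailAddress', 'role', ... are all writable
    return record


# ---- hardened design ------------------------------------------------------
SESSION_TOKENS = {}            # session -> token issued to that session
ALLOWED_FIELDS = {"username"}  # the only field the profile form may change


def issue_token_hardened(session_user):
    token = secrets.token_hex(16)
    SESSION_TOKENS[session_user] = token
    return token


def update_profile_hardened(users, session_user, form):
    """Requires the token bound to this session and rejects, rather than
    silently accepts, any field outside the allowlist."""
    expected = SESSION_TOKENS.get(session_user, "")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        raise PermissionError("csrf token not bound to this session")
    unexpected = set(form) - ALLOWED_FIELDS - {"csrf_token"}
    if unexpected:
        # worth logging: an unknown field on a form submission is a probe
        raise ValueError("unexpected fields: %s" % sorted(unexpected))
    record = users[session_user]
    for key in ALLOWED_FIELDS & set(form):
        record[key] = form[key]
    return record


def raises(exc_type, fn, *args):
    """True if fn(*args) raises exc_type; keeps the checks below readable."""
    try:
        fn(*args)
    except exc_type:
        return True
    return False


if __name__ == "__main__":
    # The chain from the writeup against the vulnerable handler: a token
    # issued to the attacker's own account, submitted from the victim's
    # session, with the hidden emailAddress field added.
    users = make_users()
    forged = {"emailAddress": "new@attacker.example",
              "csrf_token": issue_token_vulnerable()}
    update_profile_vulnerable(users, "victim", forged)
    print("vulnerable handler, victim email now:", users["victim"]["emailAddress"])

    # Same request shape against the hardened handler fails twice over.
    users = make_users()
    forged["csrf_token"] = issue_token_hardened("attacker")
    print("hardened, cross-account token rejected:",
          raises(PermissionError, update_profile_hardened, users, "victim", forged))
    forged["csrf_token"] = issue_token_hardened("victim")
    print("hardened, hidden field rejected:",
          raises(ValueError, update_profile_hardened, users, "victim", forged))
```

The two fixes are independent: binding the token to the session closes the cross-account token swap, and the field allowlist closes the emailAddress write even for a request that carries a valid token. Rejecting unknown fields instead of ignoring them also gives the defender a log line to alert on when someone starts guessing parameter names.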
Thank you for taking the time to read this piece. If you liked it, kindly leave a comment sharing your thoughts.