Account Takeover PoC
Hi, this is Mubassir Kamdar.
How are you all? Hope you're doing great work and making good money. So
today I will discuss my finding from last month, in which I was able to take over any account on a private program.
I started my hunt with subdomain enumeration, using tools like Aquatone, Sublist3r and Knockpy. After finding some subdomains of the target, I checked them for the vulnerability called subdomain takeover, but unluckily I didn't find any.
Then I came to the main target.com and tried to enumerate all its functions by going through the help center at help.target.com, writing every function down in my diary. After reading and understanding all the functionality of target.com, I simply created an account.
Then I checked all the functions for CSRF and IDOR vulnerabilities, but didn't get any success.
After some disappointment I simply went to logout and logged out of my account on target.com.
After taking a break I opened my laptop again, but this time I had forgotten my account password. So I went to the reset password option, entered my email there and intercepted the request with a proxy tool.
The request was like this: https://target.com/identity/v2/auth/password?api=somesortofkey&resetPasswordUrl=http://target.com
I tried Host header injection and an X-Forwarded-Host: header on it, but unluckily I didn't receive a reset password token with my malicious host.
If you check the link I showed above, you can see a suspicious-looking parameter named resetPasswordUrl=http://target.com. I simply changed resetPasswordUrl=http://target.com to resetPasswordUrl=http://www.mubassirkamdar.com/
and forwarded the request.
When I checked my email, the reset link used http://www.mubassirkamdar.com/ in place of http://target.com: the token link looked like http://www.mubassirkamdar.com/auth/password/new?token=xyzxyzxyzxyz
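The pattern behind this bug, as an added example that is not the program's or the author's code: a reset-link builder that trusts resetPasswordUrl, next to a hardened builder that only honours allowlisted hosts, plus a log check that flags reset requests pointing anywhere else. Hostnames, the API key and the token are constructed placeholders.

```python
from urllib.parse import parse_qs, urlparse

# Constructed stand-ins: the real target, API key and token are not on the page.
ALLOWED_RESET_HOSTS = {"target.com", "www.target.com"}
DEFAULT_RESET_BASE = "https://target.com"


def reset_url_is_trusted(url):
    """True only for an absolute https URL whose host is on the allowlist.
    urlparse().hostname drops userinfo and port, so https://target.com@evil.example
    ends up as evil.example, and target.com.evil.example is not target.com."""
    parts = urlparse(url)
    return parts.scheme == "https" and (parts.hostname or "").lower() in ALLOWED_RESET_HOSTS


def build_reset_link_vulnerable(reset_password_url, token):
    """The pattern the post describes: the base of the reset link is taken straight
    from the resetPasswordUrl parameter, so whoever sends the request picks where
    the token is delivered."""
    return f"{reset_password_url.rstrip('/')}/auth/password/new?token={token}"


def build_reset_link_hardened(reset_password_url, token):
    """Honour resetPasswordUrl only when it passes reset_url_is_trusted(); anything
    else (including the original plain-http value) falls back to the server's own base."""
    base = DEFAULT_RESET_BASE
    if reset_password_url and reset_url_is_trusted(reset_password_url):
        base = f"https://{urlparse(reset_password_url).hostname.lower()}"
    return f"{base}/auth/password/new?token={token}"


def untrusted_reset_targets(request_lines):
    """Detection over access-log request lines: return every resetPasswordUrl value
    on a password-reset request that points outside the allowlist."""
    flagged = []
    for line in request_lines:
        fields = line.split()
        target = fields[1] if len(fields) > 1 else line
        if not urlparse(target).path.startswith("/identity/v2/auth/password"):
            continue
        for value in parse_qs(urlparse(target).query).get("resetPasswordUrl", []):
            if not reset_url_is_trusted(value):
                flagged.append(value)
    return flagged


# Constructed request lines in the shape of the request shown in the post.
SAMPLE_REQUESTS = [
    "POST /identity/v2/auth/password?api=APIKEY_PLACEHOLDER&resetPasswordUrl=https://target.com HTTP/1.1",
    "POST /identity/v2/auth/password?api=APIKEY_PLACEHOLDER&resetPasswordUrl=http://www.attacker.example/ HTTP/1.1",
    "POST /identity/v2/auth/password?api=APIKEY_PLACEHOLDER&resetPasswordUrl=https://target.com@attacker.example/ HTTP/1.1",
    "GET /help/center HTTP/1.1",
]
```

The safest fix is to drop the parameter entirely and build the link from server-side configuration; the allowlist variant is for deployments that genuinely serve the reset page from more than one host.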
Reported the issue.
Reply: we are looking into it.
Bounty: still waiting for it, hope it will be a good $$$$.
2 Comments
well done!
great work mubassir