
Account Takeover PoC

Hi, this is Mubassir Kamdar. How are you all? I hope you are doing great work and making good money. Today I will discuss a finding from last month, in which I was able to take over any account on a private program.

I started the hunt with subdomain enumeration, using tools like aquatone, Sublist3r and knockpy. After collecting some subdomains of the target, I checked them for subdomain takeover, but unluckily I didn't find any.

Then I moved on to the main target.com and tried to enumerate all of its functionality by going through the help center at help.target.com, writing every function down in my diary. After reading and understanding all the functionality of target.com, I simply created an account.

I then checked all of those functions for CSRF and IDOR vulnerabilities, but without success.

Somewhat disappointed, I simply logged out of my account on target.com.

After taking a break I opened my laptop again, but this time I had forgotten my account password. So I went to the reset password option, entered my email there, and intercepted the request with a proxy tool.

I tried Host header injection and the X-Forwarded-Host: header in that request (both are ways of making the application build the reset link from an attacker-controlled host), but unluckily the reset password link did not arrive with my malicious host.

If you look at the intercepted request, you can see a suspicious-looking parameter named resetPasswordUrl=http://target.com. I simply changed resetPasswordUrl=http://target.com to resetPasswordUrl=http://www.mubassirkamdar.com/ and forwarded the request.

When I checked my email, I saw that http://target.com had been replaced with http://www.mubassirkamdar.com/, and the reset link looked like http://www.mubassirkamdar.com/auth/password/new?token=xyzxyzxyzxyz. Because the application builds the reset link from the resetPasswordUrl value supplied in the request body, an attacker can request a reset for any victim's email; when the victim clicks the link, the reset token is delivered to the attacker's host, and the attacker can then use it on target.com to set a new password on the victim's account.

I reported the issue.

Reply: "We are looking into it."

Bounty: still waiting for it; I hope it will be a good $$$$.
