Developer’s mistake leads to full ATO!

yashdharmani
3 min readJun 14, 2022

A wise man once said, “In order to get high quality bugs, start playing with the website’s functionalities.”

“Chase the functionality, and the bounty will have no choice but to come chasing you.”

So, ahem! Enough fun, now let’s start.

Some context about the functionality of the web application:

Let’s consider the website as redacted.com. While exploring the functionality of redacted.com, I came across a feature which allows a user to invite his colleagues and work together on a project.

So whenever we see some functionality with a low-level and a high-level user, we try to see if we can escalate privileges. I thought the same. But fate had different plans for me :)

So I fired up Burp Suite and started intercepting the requests, analysing the behaviour and flow of the website across different functions.
Then I went on to play with the invite-colleague functionality.

In the email field I entered the email address of a non-existent user and clicked on “send invite”.
I intercepted the request in Burp Suite and it blew my mind.

When I invited someone to collaborate on my project, I was actually able to take over their account due to a developer’s silly mistake.
After sending the invite, when I captured the request I could see that the body contained the password corresponding to that email, and using this password I was able to log in to my colleague’s account, hence a successful account takeover.
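The defect described above, as an added illustration that is not redacted.com’s code: a constructed invite handler that serialises the invitee’s whole user record (leaking the password) beside a hardened one that returns only an opaque invite id and delivers a single-use token out of band, plus a small response scanner that flags credential-looking keys so the leak can be caught as a regression test. The user store, emails and field names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample store for illustration only; a real service stores a
# password hash, never the plaintext. Emails and names are placeholders.
USERS = {"colleague@redacted.com": {"name": "Colleague", "password": "hunter2"}}
PENDING_INVITES = {}
SENSITIVE_KEYS = {"password", "passwd", "pwd", "password_hash", "secret", "api_key"}

def invite_vulnerable(email: str) -> dict:
    """Mirrors the defect in the post: the handler serialises the invitee's
    whole user record, so the invitee's password reaches the inviter."""
    return {"status": "invited", "user": USERS.get(email, {"password": ""})}

def invite_fixed(email: str) -> tuple:
    """Hardened version: the HTTP response carries nothing about the invitee
    beyond the email. A random single-use token is minted, only its hash is
    stored, and the token is returned separately for out-of-band delivery."""
    token = secrets.token_urlsafe(32)
    invite_id = secrets.token_hex(8)
    PENDING_INVITES[invite_id] = {
        "email": email,
        "token_hash": hashlib.sha256(token.encode()).hexdigest(),
    }
    response = {"status": "pending", "invite_id": invite_id, "invited": email}
    return response, token  # token goes to the invitee's mailbox, not to the inviter

def redeem_invite(invite_id: str, token: str) -> bool:
    """Accept the invite only with the matching token; single-use, constant-time."""
    inv = PENDING_INVITES.pop(invite_id, None)
    if inv is None:
        return False
    return hmac.compare_digest(inv["token_hash"],
                               hashlib.sha256(token.encode()).hexdigest())

def sensitive_keys_in(obj, path: str = "") -> list:
    """Walk a JSON-like response and list keys that look like credentials.
    Suitable as a regression test or a response-scanning rule."""
    found = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            p = f"{path}.{k}" if path else k
            if k.lower() in SENSITIVE_KEYS:
                found.append(p)
            found.extend(sensitive_keys_in(v, p))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            found.extend(sensitive_keys_in(v, f"{path}[{i}]"))
    return found
```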

Leaked image of the developer after making this mistake.

And also I want to thank my friend Saransh Saraf aka (MR23R0) for helping me throughout this ❤.

Follow me on instagram: https://www.instagram.com/yashdharmaniii/
Follow me on twitter: https://twitter.com/yashdharmani4
My LinkedIn Profile: https://www.linkedin.com/in/yash-dharmani/
Follow saransh on Instagram: https://www.instagram.com/sarans0x00h/
Saransh’s LinkedIn Profile: https://www.linkedin.com/in/saransh-saraf-2b514b20b/

Thank you ❤.
