Bug Bounty Adventure -2- (Information Change Without Password)

Hamit CİBO
2 min read · Jan 30, 2022

Greetings everyone from the Promentorium bosporium.

In this article, I would like to share a finding I encountered during a private bug bounty engagement.

Throughout the article, the application will be referred to as private.com.

1. First, I spent time deciding which address to run security tests against. I think this is the longest part, because a program has many targets, and each target has many addresses attached to it. After a few websites caught my eye, I started the necessary research.

2. The application had a typical blog structure: you can become a member and share various posts.

3. What can be done in such applications without being a member? I ask myself questions like this and try to apply some attack vectors based on the answers.

4. After realizing that not much would happen on the target application without being a member, I immediately registered an account and logged into the target application.

5. In the application menus, as on every blog site, there was a field for displaying contact information, and under these menus there were functions such as changing the password and changing the e-mail address.

6. There are many attack vectors that can be applied in such areas, but among them I prefer to focus on those where "the new password can be set without the old password" or "the password is not required when adding a new e-mail address", because this both saves time and makes vulnerability detection easy.

7. As explained above, I opened the personal information section to check the "e-mail change without password" vector on the target, intercepted the request with the proxy, and examined whether there was any hidden value.

8. I noticed that there was no hidden value, so I sent the request to replace the current e-mail address with another one, and I found that it was possible to remove the existing e-mail address and add a new one without being asked for the password.

In addition, you can read that a similar scenario was previously reported on Hackerone at the address I have mentioned below.

https://hackerone.com/reports/721341
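To make the weakness concrete, the following is an added example (not code from the original post or from the tested application): a constructed, in-memory account record with the e-mail change handler in the weak form described above beside a hardened form that demands the current password before touching the address. Function and field names are my own assumptions.

```python
import hashlib
import hmac
import os

# Constructed in-memory user record; a stand-in for the blog's user table.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def make_user(email: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "pw_hash": _hash_password(password, salt),
            "audit": []}

def change_email_insecure(user: dict, new_email: str) -> dict:
    # The finding: the only requirement is a logged-in session, so anyone who
    # can issue a request in that session (hijacked cookie, unprotected CSRF)
    # can redirect password-reset mail to an address they control.
    user["email"] = new_email
    return user

def change_email_secure(user: dict, new_email: str, current_password: str) -> bool:
    # Hardened form: the request must prove knowledge of the current password,
    # compared in constant time against the stored PBKDF2 hash.
    candidate = _hash_password(current_password, user["salt"])
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        # Reject and leave the address untouched; record the attempt so that
        # repeated failures on one account stand out in the audit trail.
        user["audit"].append(("email_change_rejected", new_email))
        return False
    old_email = user["email"]
    user["email"] = new_email
    # Keep the previous address in the audit trail so the account owner can be
    # notified at the old address about the change.
    user["audit"].append(("email_changed", old_email, new_email))
    return True
```

The insecure handler changes the address on any authenticated request; the hardened one rejects the change unless the current password is supplied and leaves a record either way.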

In summary:

While trying the popular vulnerabilities on pages where personal information can be edited, we may forget to try the attack vectors mentioned above, and if the popular vulnerabilities are not found, we may close the page thinking there is no problem. Therefore, testing the checks described in this article, and similar ones, will be both an awareness exercise and a useful experience for you.


Written by Hamit CİBO

Penetration Test Specialist | It all started with a parameter