How I earned a USD 1,250 bounty in 30 minutes

MikeChan
3 min read · Apr 24, 2021

This post is a write-up of how I earned a USD 1,250 bounty by spending just 30 minutes on a new target. The target is a private program on HackerOne, so I am not allowed to disclose anything about it. Let's use redacted.com as the name of the target.

When approaching a new target, I always test the application's functions first before fuzzing for other subdomains and directories. And among all the functions, I always test the account-related ones first, such as user registration, changing the contact e-mail, password reset, etc., because if bugs are found in these functions, they are normally high-impact bugs like Account Takeover.

So, as usual, I tested all these functions and most of them seemed normal to me, until I tested the password reset function. That's where the interesting part begins.

I found that the logic flow of the password reset goes like this. Every time you request a password reset, an ID token is generated and appended to the password reset link, like this: www.redacted.com/resetpassword?id=j2hfh2j2hhfh29abcj, and the server sends this link to your e-mail. So what if you could request a password reset for a victim and steal the id parameter from the victim's link? If that is possible, you can open the link and reset anyone's password, because the id token is the only thing the server checks.
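The flow described above, written out as an added example so the threat model is concrete. This is my own illustrative code, not the target's implementation and not code from the author: the user table, the token lifetime, the `RESET_BASE_URL` constant and the e-mail address are all constructed assumptions. It shows why the reset link is a bearer credential (whoever holds the `id` can set a new password for that account, which is the Account Takeover the post is hunting for) and the server-side controls that at least limit the damage: an unguessable random token, only a hash of it stored, binding to one account, a short expiry, and single use.

```python
import hashlib
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed configuration (not from the original post): the link is built from a
# server-side constant rather than anything taken from the incoming request.
RESET_BASE_URL = "https://www.redacted.com/resetpassword"
TOKEN_TTL_SECONDS = 15 * 60  # assumed 15-minute lifetime

# Constructed sample data standing in for a real user database.
USERS = {"victim@example.com": {"password": "old-password"}}
# token_hash -> {"email": ..., "expires": ...}; only the hash is kept so a
# database leak does not hand out live reset links.
RESET_TOKENS = {}


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Create a single-use reset token for `email` and return the link that
    would be e-mailed to the account owner.

    Returns None for unknown accounts; a real endpoint would answer the HTTP
    caller identically either way so it cannot be used to enumerate users."""
    if email not in USERS:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
    RESET_TOKENS[_hash_token(token)] = {
        "email": email,
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return f"{RESET_BASE_URL}?{urlencode({'id': token})}"


def token_from_link(link: str) -> str:
    """Extract the id parameter exactly as an attacker holding the link would."""
    return parse_qs(urlparse(link).query)["id"][0]


def consume_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Redeem a token once. The token is the only proof of identity checked,
    which is the whole reason a leaked link equals account takeover."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(_hash_token(token), None)  # pop: single use
    if entry is None or entry["expires"] < now:
        return False
    USERS[entry["email"]]["password"] = new_password
    return True


if __name__ == "__main__":
    # Attacker requests a reset for the victim and somehow obtains the link.
    link = request_reset("victim@example.com")
    stolen_id = token_from_link(link)
    print("reset with stolen id:", consume_reset(stolen_id, "attacker-chosen"))
    print("replay of same id:", consume_reset(stolen_id, "again"))
```

Note what the controls do and do not buy you: expiry and single use shrink the window, and hashing protects against a database read, but none of them help if the link itself reaches the attacker instead of the victim. That is why the next step in the hunt is to look at how the server builds and delivers the link, not at the token format.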

So, I intercepted the POST request of the password reset function and used Param Miner in Burp Suite to brute-force headers of the request. Then something interesting came up. I found…

Written by MikeChan

Cybersecurity, part-time bug bounty hunter. Support me by subscribing: https://mikekitckchan.medium.com/membership. Ping me for online private tutoring.