Hi, this is Ali Raza. How are you all? I hope you are doing great work and making good money. Today I will discuss my finding from last month, in which I was able to take over any account on a private program.
I started my hunt with subdomain enumeration, using tools like aquatone, Sublist3r and knockpy. After finding some subdomains of the target I checked them for subdomain takeover, but unluckily I didn't find any.
Then I moved on to the main target.com and tried to enumerate all of its functions by going through its help center at help.target.com, writing down every function in my diary. After reading and understanding all the functionality of target.com, I simply created an account.
Then I checked all the functions for CSRF and IDOR vulnerabilities, but didn't get any success.
After some disappointment I simply logged out of my account on target.com.
After taking a break I opened my laptop again, but this time I had forgotten my account password. So I went to the reset password option, put my email in there and intercepted the request with a proxy tool.
The request looked like this: https://target.com/identity/v2/auth/password?api=somesortofkey&resetPasswordUrl=http://target.com
I tried Host header injection and adding an X-Forwarded-Host: header, but unluckily I didn't receive a reset password token pointing at my malicious host.
If you look at the link I showed above, you can see a suspicious looking parameter named resetPasswordUrl=http://target.com. I simply changed resetPasswordUrl=http://target.com to resetPasswordUrl=http://www.aliraza.com/ and forwarded the request.
When I checked my email, I saw that http://target.com had been replaced with my domain https://aliraza.com/ and the reset link looked like http://www.aliraza.com/auth/password/new?token=xyzxyzxyzxyz
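Here is an added example (my own code, not the program's code and not part of the original report) showing, in Python, why the reset link ended up on an attacker-controlled domain and how the reset handler should treat that parameter. The allowed hosts, the default reset URL and the token are constructed for the demo. The hardened version only honours an https scheme plus an exact host from the allowlist and rebuilds the link from those validated pieces, so userinfo tricks like https://target.com@evil.example, look-alike hosts like target.com.evil.example, and any path or query smuggled in the parameter are all ignored.

```python
from typing import Optional
from urllib.parse import urlsplit, urlencode

# Constructed for the demo: the real program's hosts and paths are not in the report.
ALLOWED_RESET_HOSTS = {"target.com", "www.target.com"}
DEFAULT_RESET_BASE = "https://target.com/auth/password/new"
RESET_PATH = "/auth/password/new"


def build_reset_link_vulnerable(reset_password_url: str, token: str) -> str:
    """Mirrors the flaw in the write-up: the client-supplied base URL is trusted as-is,
    so whoever sends the request decides where the token-bearing link points."""
    base = reset_password_url.rstrip("/")
    return f"{base}{RESET_PATH}?{urlencode({'token': token})}"


def is_allowed_reset_url(reset_password_url: str) -> bool:
    """True only for https://<allowlisted host> with no port, userinfo or anything else."""
    parts = urlsplit(reset_password_url)
    try:
        port = parts.port  # raises ValueError on garbage like https://host:abc
    except ValueError:
        return False
    return (
        parts.scheme == "https"
        and parts.hostname in ALLOWED_RESET_HOSTS  # exact match, not a suffix check
        and port is None
        and parts.username is None
        and parts.password is None
    )


def build_reset_link_hardened(reset_password_url: Optional[str], token: str) -> str:
    """Honour the parameter only when it passes the allowlist; otherwise fall back to the
    server-side default. The link is rebuilt from validated pieces, never from the raw string,
    so path, query and fragment supplied by the client are discarded."""
    base = DEFAULT_RESET_BASE
    if reset_password_url and is_allowed_reset_url(reset_password_url):
        base = f"https://{urlsplit(reset_password_url).hostname}{RESET_PATH}"
    return f"{base}?{urlencode({'token': token})}"


if __name__ == "__main__":
    # Constructed token; the real one from the report is not reproduced here.
    token = "demo-token-123"
    attacker = "http://www.aliraza.com/"
    print("vulnerable:", build_reset_link_vulnerable(attacker, token))
    print("hardened:  ", build_reset_link_hardened(attacker, token))
    print("hardened:  ", build_reset_link_hardened("https://www.target.com", token))
```

The same allowlist check is also a cheap detection signal: a reset request whose resetPasswordUrl fails is_allowed_reset_url is worth logging with the source IP and the targeted email, because a legitimate client never sends anything but the canonical host.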
Reported the issue.
Reply: we are looking into it.
Bounty: $$$$ ❤