BugBounty: C S R F at Password Reset Page
Hi everyone, i hope you all are doing good and having a wonderful day. In this article, I am going to show you how i found csrf vulnerability in password reset functionality thanks to the famous Web Application Hacker’s Handbook. So, let’s get started.
First of all, let’s talk about what is CSRF vulnerability. In simple term, this vulnerability allows attacker to perform action on behalf of the user/victim. Suppose there is a website where we can send or receive money. For sending money, the website generates the following URL:
Now if the server is not properly validating whether the request is coming from victim or attacker, then attacker can malform the url and then send it to the victim like this:
As you may have guessed, when the victim visits this link, the money will get transferred from victim to attacker’s account.
This is one of the exploit scenarios of CSRF vulnerabilities. Sometimes, it could lead to full Account Takeover!!
For more detailed explanation, you can visit https://portswigger.net/web-security/csrf
Now, let’s jump straight to the story:
I was hunting on a program(can’t disclose the name) let’s say program.com which has all its asset in scope. So the first thing which i did was to enumerate every possible subdomains. For this, i used subfinder,sublist3r and amass. After that i started visiting each sub domains one by one and eventually i found engage.program.com which was running on PHP(i found that odd because all the other sub domains were either using express or django) which raised my curiosity.
So i started hunting on that subdomain, and after around an hour the only vulnerability which i found was open redirection. And after reporting that, The company responded that it was already been discovered by another hacker.
After that i started my hunting process again but even after 3–4 hours, i was unable to find any vulnerability :(
On the next day, I started to hunting again and at this time i realized that there is no csrf protection at the password reset page.
But the old password must be specified to change the password. So, I thought that it might be not a good idea to report this vulnerability. I was about to give up when i remember that in hacker’s handbook i read the exact same scenario in which the author explains that even the old password is required, but if there is no csrf countermeasures the attacker can still exploit the vulnerability with some social engineering skills.
So, as a last resort with no hopes at all, I reported this vulnerability. I was like:
I generated the following poc:
<input type=”text” name=”old_password” value=”Old_Pass” hidden>
<input type=”text” name=”new_password” value=”New_Pass” hidden>
<input type=”text” name=”confirm_password” value=”New_Pass” hidden>
<button type=”submit”>Click Me </button>
After sending them the report, they replied me about 10 days later with:-
I was totally overwhelmed with joy😁😁. And after few days, i was rewarded with 2500rs worth gift cards🥳
1- Read Books😁
2- Always make a proper report of your findings(This is as important as finding the vulnerability)
3- Report everything you find within the scope😎(As you can see, i think may hackers ignored the csrf vulnerability here because of old password is always required)
4- Follow the road less traveled.😉
5- Never GIVE UPPPP!!!!!
So that is it for this article.. I hope you guys learnt something new and i m really sorry if you find my English bad😅
You can follow me on:
UPDATE: If anyone who is interested in hacking windows with just python then they can enroll the course below for free! Just use “FEBHACK” in the coupon.