Hello folks, hope you all are doing well. Today I will share a vulnerability I discovered in a bug bounty program which leads to mass account takeover on the website's login, so let's start.


Recon Phase

I was pentesting the domain, then I found that there was an x-rate-limit option. There was no point in reporting no rate limit, so I dug more and spent a few hours on fuzzing and parameter bruteforcing (if you want to know more about parameter bruteforcing you can read my Twitter post). Then I came to know the endpoint “/api/v1/users/id”. I didn't know what to do next; when I sent that request it returned 401 Unauthorized. I started digging deeper and deeper, then I found out the real mechanism: in the headers there was a CSRF token which is used to prevent IDOR. I removed the parameter and sent the request, and this time the web server came back with a 200 response and some JSON. I was happy because I knew there was a weak authentication token. If you want to know more about this vulnerability you can read from here.

I started fuzzing on the id endpoint but got nothing. Then I looked at the HTTP history in Burp Suite, where I saw a request of mine in which some digits appeared after the endpoint id: that was my forgot-password request. I created another account and extracted the id of the second account, then in the old request I replaced the digits of the old account with my new account's digits, but I got 401. I was still stuck at that point. I was like:


Then I saw I didn't remove the CSRF token -_- my silly mistake XD. After removing that parameter I got a 200 response, meaning IDOR confirmed.

Chaining the bugs

I was thinking what to do, report or find more bugs for chaining, then suddenly an idea struck me: I remembered I had found a no-rate-limit bug earlier. I fired up my Burp Suite again, captured the request to “https://redacted.com/api/v1/users/id/$$” and created the payload. Since there were only 3 digits I tried the 3k-5k range of numbers and went to do some work. After I came back I saw multiple 200 responses, and those responses contained session token, user id, password in plain text, etc. That was only 2k requests, in which I took over victims' accounts.
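As an added example (not the author's code and not the program's), here is what a hardened version of that `/api/v1/users/<id>` handler looks like in Python: the authorization decision comes from the server-side session alone, never from whether a client-supplied CSRF header is present, the response allow-lists fields so no password or session token is returned, and requests are throttled before authentication so id enumeration is slowed. The `Store`, `get_user` and `demo_store` names, the Bearer-token header and the 20-per-minute limit are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

RATE_LIMIT = 20   # requests per client per window (assumed policy)
WINDOW = 60.0     # seconds

@dataclass
class Store:
    sessions: dict                     # session token -> user id
    users: dict                        # user id -> full record (secrets stay here)
    hits: dict = field(default_factory=lambda: defaultdict(deque))  # client -> timestamps

def rate_limited(store, client, now):
    # Sliding window: True when the client has already spent its budget.
    q = store.hits[client]
    while q and now - q[0] >= WINDOW:
        q.popleft()
    if len(q) >= RATE_LIMIT:
        return True
    q.append(now)
    return False

def get_user(store, headers, requested_id, client, now):
    """GET /api/v1/users/<id> -> (status, body)."""
    # Throttle before anything else, so 401/403 probes are limited too.
    if rate_limited(store, client, now):
        return 429, {"error": "too many requests"}
    # Authenticate from the bearer session only. Whether an X-CSRF-Token
    # (or any other client-supplied header) is present is irrelevant here.
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    uid = store.sessions.get(token)
    if uid is None:
        return 401, {"error": "unauthorized"}
    # Object-level authorization: only the record owner may read it.
    if requested_id != uid:
        return 403, {"error": "forbidden"}
    # Allow-list outgoing fields; password hashes and tokens never leave.
    return 200, {k: store.users[uid][k] for k in ("id", "username", "email")}

def demo_store():
    # Constructed sample data; not from the program described in the post.
    alice = {"id": 101, "username": "alice", "email": "alice@example.com", "password_hash": "<hash>"}
    bob = {"id": 102, "username": "bob", "email": "bob@example.com", "password_hash": "<hash>"}
    return Store(sessions={"tok-alice": 101}, users={101: alice, 102: bob})
```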

If you like my content you can buy me a coffee as support XD

Tip:-

Always spend time on recon. Don't try to find xml, rce type high-severity vulnerabilities at the first instance; try to find technical bugs. And one more thing: blindly putting xss, sqli, ssrf and ssti payloads doesn't make you a hacker, but recon and patience does <3

Sorry for my grammar mistakes, if any, in the article, and keep hacking :p