MikeChan

Summary

The author describes earning a USD1,250 bounty by discovering and exploiting a password reset vulnerability on a private HackerOne program within 30 minutes.

Abstract

In a detailed account, the author shares their experience of identifying a critical security flaw in a password reset function of a private program on HackerOne. By spending a mere 30 minutes on the target, identified as redacted.com, the author was able to exploit the vulnerability by manipulating the X-Forwarded-Host header. This allowed them to redirect the password reset link to a server they controlled, potentially enabling them to take over any user's account. The author intercepted the password reset request, used Burp Suite to discover the exploitable header, and successfully demonstrated the vulnerability by capturing the reset ID parameter sent to a victim's email. The report was submitted on January 3, 2021, and after providing additional information, the author was awarded USD1,250 within a week.

Opinions

  • The author emphasizes the importance of testing account-related functions first when assessing a new target, as bugs in these areas often lead to high-impact vulnerabilities like Account Takeover (ATO).
  • The author suggests that the use of X-Forwarded-Host without proper validation is a common issue in applications that serve multiple web apps, which can be exploited by attackers to redirect users to malicious servers.
  • The author commends the HackerOne triage team for their quick response and efficient handling of the reported vulnerability, which resulted in a prompt reward for their findings.
  • The author's approach to security testing involves a methodical process, starting with functional testing before moving on to fuzzing for subdomains and directories.
  • The author believes that sharing knowledge about vulnerabilities and how they were exploited is beneficial for the community, as evidenced by their detailed post intended to educate and inform others.

How I earned a USD1,250 bounty in 30 minutes

In this post I share how I earned a USD1,250 bounty by spending just 30 minutes on a new target. The target is a private program on HackerOne, so I am not allowed to disclose anything about it. Let’s use redacted.com as the name of the target.

When approaching a new target, I always test the application’s functions first, before fuzzing for other subdomains and directories. Among all the functions, I always test the account-related ones first, such as user registration, changing the contact email, password reset, etc., because bugs found in these functions are normally high-impact bugs like Account Takeover.

So, as usual, I tested all these functions and most of them seemed normal to me, until I tested the password reset function. That’s where the interesting part begins.

I found that the logic flow of the password reset goes like this: every time you request a password reset, an ID token is generated and appended to the password reset link, like www.redacted.com/resetpassword?id=j2hfh2j2hhfh29abcj, and the server sends this link to your e-mail. So what if you could request a password reset for a victim and steal the id parameter from the victim? If you could, you could visit the link and reset anyone’s password.

So, I intercepted the POST request of the password reset function and used Param Miner in Burp Suite to brute-force the headers of the request. Then something interesting came up: I found that the X-Forwarded-Host header was honoured.

In case you are not aware of what this header means: X-Forwarded-Host is a header commonly used by reverse proxies. Sometimes one reverse proxy serves several origin hosts, so when the reverse proxy needs to identify which origin host the traffic should be directed to, the X-Forwarded-Host header is added to carry the original Host value. In some password reset functions, the programmer simply uses this host value to build the password reset link without any validation. This is quite common when the password reset function serves different web apps. So, if an attacker can control the X-Forwarded-Host header, the attacker can overwrite the domain of the password reset link and direct the victim to a server they control when the victim clicks on the password reset link.
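To make the pattern described above concrete, here is an added example (not code from the original post or from the program it describes) that puts the weak link-building pattern beside two hardened versions: one that ignores request headers and uses a configured canonical origin, and one for the multi-app case that only honours a host found in a server-side allowlist. ALLOWED_HOSTS, CANONICAL_BASE and the function names are assumptions; X-Forwarded-Host and Host are the real HTTP header names.

```python
"""Password reset link construction: the weak pattern beside hardened ones.

Added example, not code from the original post or from the program it
describes. ALLOWED_HOSTS, CANONICAL_BASE and the function names are
assumptions; X-Forwarded-Host and Host are the real HTTP header names.
"""
from urllib.parse import urlencode

# Constructed configuration: the hostnames this deployment legitimately serves
# and the single canonical origin to use when no per-app origin is needed.
ALLOWED_HOSTS = {"www.redacted.com", "app.redacted.com"}
CANONICAL_BASE = "https://www.redacted.com"


def _requested_host(headers: dict) -> str:
    """Return the host a naive handler would use: X-Forwarded-Host if present,
    otherwise Host. Proxies may chain several values with commas; the first
    entry is the one the client supplied, so that is the one to judge."""
    raw = headers.get("X-Forwarded-Host") or headers.get("Host") or ""
    return raw.split(",")[0].strip().lower()


def is_trusted_host(headers: dict) -> bool:
    """True only when the host the request claims is in the allowlist."""
    return _requested_host(headers) in ALLOWED_HOSTS


def build_reset_link_weak(headers: dict, reset_id: str) -> str:
    """Weak pattern: the link's domain is whatever the request claimed.

    If the reverse proxy forwards a client-supplied X-Forwarded-Host, the
    client decides which domain the e-mailed link points at."""
    return f"https://{_requested_host(headers)}/resetpassword?{urlencode({'id': reset_id})}"


def build_reset_link_canonical(reset_id: str) -> str:
    """Hardened (single-app case): ignore request headers entirely and build
    the link from server-side configuration."""
    return f"{CANONICAL_BASE}/resetpassword?{urlencode({'id': reset_id})}"


def build_reset_link_allowlisted(headers: dict, reset_id: str) -> str:
    """Hardened (multi-app case): a per-app host is only honoured when it is
    in the server-side allowlist; anything else is rejected, not defaulted."""
    if not is_trusted_host(headers):
        raise ValueError(
            f"refusing to build a reset link for untrusted host {_requested_host(headers)!r}"
        )
    return f"https://{_requested_host(headers)}/resetpassword?{urlencode({'id': reset_id})}"


if __name__ == "__main__":
    # Constructed request headers: Host is correct, X-Forwarded-Host is not.
    spoofed = {"Host": "www.redacted.com", "X-Forwarded-Host": "untrusted.example"}
    token = "j2hfh2j2hhfh29abcj"
    print("weak       :", build_reset_link_weak(spoofed, token))
    print("canonical  :", build_reset_link_canonical(token))
    try:
        build_reset_link_allowlisted(spoofed, token)
    except ValueError as exc:
        print("allowlisted:", exc)
```

The allowlisted variant raises rather than silently falling back to a default, so a misconfigured proxy or a spoofed header shows up in the application's error logs instead of quietly producing a link the victim would still receive.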

So, I tried to reset the password of my victim’s email (e.g. [email protected]) and intercepted the request with Burp Suite. Then I fired up a server on requestbin.com, copied the link of my requestbin server and added it to the request in an X-Forwarded-Host header like this:

POST /resetpassword?id=kasjdkljasldj1kjlqhfs
HOST: redacted.com
X-Forwarded-Host: <link of my requestbin>

Then I found that my [email protected] received a password reset e-mail. When I clicked on the link, my requestbin server had logged the victim’s id parameter. So an attacker can easily reconstruct the password reset link and reset the victim’s password using this trick.
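From the defender's side, the request shown above leaves a recognisable trace: a request to the reset endpoint whose X-Forwarded-Host is not one of the hosts the deployment actually serves. The following added example (not code from the original post or the program it describes) scans constructed reverse-proxy log lines for exactly that. The log format, the field names (host=, xfh=), ALLOWED_HOSTS and the sample lines are all assumptions; a real proxy would need its log format extended to record X-Forwarded-Host.

```python
"""Spotting password-reset requests that carry an untrusted X-Forwarded-Host.

Added example, not code from the original post or the program it describes.
The log line format, field names, allowlist and sample lines are constructed.
"""
import re
from dataclasses import dataclass

ALLOWED_HOSTS = {"www.redacted.com", "app.redacted.com"}
RESET_PATH = "/resetpassword"

# Constructed format:
#   <time> <client> "<method> <path> <proto>" host=<Host> xfh=<X-Forwarded-Host or -> <status>
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'host=(?P<host>\S+) xfh=(?P<xfh>\S+) (?P<status>\d{3})$'
)

# Constructed sample log: one benign reset, one unrelated request, one spoofed
# header, one legitimate per-app host, one comma-chained value hiding an
# untrusted entry, and one malformed line the parser must tolerate.
SAMPLE_LOG = """\
2021-01-03T10:00:01Z 198.51.100.7 "POST /resetpassword HTTP/1.1" host=www.redacted.com xfh=- 200
2021-01-03T10:00:04Z 198.51.100.7 "GET /login HTTP/1.1" host=www.redacted.com xfh=- 200
2021-01-03T10:00:09Z 203.0.113.5 "POST /resetpassword HTTP/1.1" host=www.redacted.com xfh=untrusted.example 200
2021-01-03T10:00:12Z 203.0.113.5 "POST /resetpassword HTTP/1.1" host=www.redacted.com xfh=app.redacted.com 200
2021-01-03T10:00:15Z 203.0.113.9 "POST /resetpassword?id=abc HTTP/1.1" host=www.redacted.com xfh=www.redacted.com,untrusted.example 200
this line is not in the expected format
"""


@dataclass
class Finding:
    ts: str
    client: str
    path: str
    untrusted_hosts: str


def untrusted_forwarded_hosts(xfh: str) -> list:
    """Split a possibly comma-chained X-Forwarded-Host value and return the
    entries that are not in the allowlist ("-" means the header was absent)."""
    if xfh == "-":
        return []
    entries = [h.strip().lower() for h in xfh.split(",") if h.strip()]
    return [h for h in entries if h not in ALLOWED_HOSTS]


def find_reset_poisoning_attempts(log_text: str) -> list:
    """Return one Finding per reset-endpoint request whose X-Forwarded-Host
    contains any host outside the allowlist. Unparseable lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        if m["path"].split("?", 1)[0] != RESET_PATH:
            continue  # only the reset endpoint builds e-mailed links
        bad = untrusted_forwarded_hosts(m["xfh"])
        if bad:
            findings.append(Finding(m["ts"], m["client"], m["path"], ", ".join(bad)))
    return findings


if __name__ == "__main__":
    for f in find_reset_poisoning_attempts(SAMPLE_LOG):
        print(f"{f.ts} {f.client} {f.path} untrusted X-Forwarded-Host: {f.untrusted_hosts}")
```

Any hit from this scan is worth an alert, but the durable fix sits at the edge: a reverse proxy that is the only legitimate source of X-Forwarded-Host should drop the client-supplied value and set its own, so the application never sees a host it did not route to.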

The bug was reported on 3 Jan 2021. The HackerOne triage team did a great job: after I provided some additional information, the bug was triaged quickly and I was awarded USD1,250 within a week of my report.

Hope you guys enjoy my post. See you next time!

Bug Bounty
Infosec
Hacking
Hacker