Full Account Takeover via Password Reset Functionality

PARAB
1 min readFeb 7, 2021


Hello guys!! This is my first bug (actually my second) that I am sharing with you.

Here we go…

I found this vulnerability while resetting my own password on the vulnerable website, let’s say buggysite.com.

As we know, web applications work on a client-server model. The client is our browser, which sends requests to the server, and the server sends back the appropriate response.

In my finding, the application runs on ASP.NET in the back-end. Whenever someone wants to reset their password, they just request a password reset link by entering their registered e-mail address. On receiving the e-mail address, the back-end sends a mail containing the reset link to that address.

Here is the problem: when sending the mail, the application also includes that mail in the response sent to the browser, so an attacker can obtain it whether or not they have access to the victim's e-mail account.

Steps:

  • Go to the password reset page on buggysite.com.
  • Enter the registered e-mail address.
  • Switch on the intercepting proxy (Burp, ZAP).
  • Click Submit and record the response.
  • In the response, you will find a ViewState hidden field. Copy that ViewState value and decode the base64-encoded string.
  • You will find the e-mail sent to the victim's address, along with the link to reset the password.
  • Now change the password and try to log in.
  • BOOM! You have successfully logged in to the victim's account.
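As an added check that is not part of the original write-up: a regression test a defender can run in CI against the response of the password-reset POST, flagging a ViewState that carries the submitted e-mail address or a reset link. It assumes the ViewState is MAC-signed but not encrypted (the default), and the response, e-mail address and reset URL below are constructed samples.

```python
import base64
import re
from html.parser import HTMLParser


class ViewStateExtractor(HTMLParser):
    """Collect the value of the __VIEWSTATE hidden input from an HTML response."""

    def __init__(self):
        super().__init__()
        self.viewstate = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("name") == "__VIEWSTATE":
            self.viewstate = a.get("value", "")


def decode_viewstate(b64):
    """Base64-decode ViewState, tolerating missing padding. A MAC-signed ViewState is
    still readable; only an encrypted one (viewStateEncryptionMode=Always) is not.
    Strings inside ASP.NET's serialized ViewState are stored as UTF-8, so a plain
    substring search over the decoded bytes finds them."""
    b64 = b64.strip()
    b64 += "=" * (-len(b64) % 4)
    return base64.b64decode(b64)


RESET_LINK_RE = re.compile(rb"https?://[^\s\"'<>]*reset[^\s\"'<>]*", re.IGNORECASE)


def check_response_for_leak(html, submitted_email):
    """Report whether the decoded ViewState contains the submitted e-mail or a reset link."""
    p = ViewStateExtractor()
    p.feed(html)
    if p.viewstate is None:
        return {"viewstate_present": False, "email_leaked": False, "reset_links": []}
    raw = decode_viewstate(p.viewstate)
    return {
        "viewstate_present": True,
        "email_leaked": submitted_email.encode() in raw,
        "reset_links": [m.decode(errors="replace") for m in RESET_LINK_RE.findall(raw)],
    }


# Constructed samples: one ViewState carrying the mail body (the bug above), one clean.
LEAKY_MAIL = b"To: victim@example.com\r\nClick https://buggysite.com/Account/ResetPassword?token=TOKEN_PLACEHOLDER to reset."
FORM = '<form><input type="hidden" name="__VIEWSTATE" value="%s" /></form>'
LEAKY_RESPONSE = FORM % base64.b64encode(LEAKY_MAIL).decode()
CLEAN_RESPONSE = FORM % base64.b64encode(b"\xff\x01\x0f\x05\x04page").decode()

if __name__ == "__main__":
    print(check_response_for_leak(LEAKY_RESPONSE, "victim@example.com"))
```

The fix on the server side is not to store the outgoing mail body in page state at all; this check only catches the symptom.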

Guys, this is my first write-up, so if you have found anything that can be done to make this blog better, please let me know.

Happy Bug Hunting…


Written by PARAB

Cybersecurity Enthusiast || AWS || GCP || Full Stack Developer || Docker
