Hey Folks! Hope you guys are doing great.

Recently I attended Bounty-Bash (live bug bounty event of 2 days) held in Kathmandu, Nepal.

I went to the event and met so many bug-bounty hunters there and most of them were famous ones, so I was not expecting much out of myself 😐 but I did not lose hope and then the event started, all were provided with 3 web application targets.

And the thing noteworthy was that all were single scope targets, with no subdomains at all and all were testing environments not the main applications.

So I started hunting for XSS,SQL Injection and few other OWASP top 10 vulnerabilities, but I did not find anything interesting over there. Hence, I decided to test the password reset functionality of the web-application provided i.e “Having trouble signing in?”. I just clicked on it and it redirected me to Reset Password page.

I entered my username and clicked on proceed.

After Proceeding I faced few security questions to answer and was not having any idea about the same :/ as the event manager provided us the username and password hence the create account functionality was disabled.

So I entered something randomly and captured the request of “OK” in my interceptor tool, now I have to see what response it is showing of my request so I intercepted the response as well and it was showing :

HTTP/1.1 401 Unauthorized

(“message”:”unsuccessful”,”statusCode:403,”errorDescription”:”Unsuccessful”)

I just played with the response and manipulated to :

HTTP/1.1 200 OK

(“message”:”success”,”statusCode:200,”errorDescription”:”Success”)

For better clarification, you can see the screenshot given below:

Successfully manipulated the response and forwarded :)

Now I went back to my browser and saw that I had successfully bypassed it.

successfully bypassed it, now asking for password delivery type.

I have selected SMS and Email Functionality and again intercepted the request while clicking on proceed.

and I saw the request yeahhh!! and surprisingly I got the request with new password and confirm password, I entered “hacker” in both the fields.

I just entered “hacker” in new password and confirm password fields.

as usual,forward the request and went back to browser.

Yippie…password has been changed successfully.

Yeahh!! :D Finally the password has been changed :)

So this vulnerability leads to full account takeover of any user without knowing the security answers.

As I was busy in hunting more vulnerabilities so my report was late and it was declared duplicate bug, so one lucky guy got away with it before me and won the most critical bug award.

But the company awarded me with the bounty :) as the bug was critical.

If you enjoyed it please do clap ! Keep Hunting !!

Follow Me on :

Twitter : https://twitter.com/inn0c3ntd3v1l

Linkedin : https://in.linkedin.com/in/lakshay-oswp-44102a143