My first and last crit of 2020 on Hackerone

Hi friends, I hope you are all doing well ✌️.

In December 2020 I picked up some VDPs on HackerOne. While scrolling through the list, one target looked interesting: it had a wide wildcard scope and a large crowd of researchers. Reporting bugs on the top-level domains alone would almost certainly end in duplicates, so to avoid that I googled the program and collected various domains from their official site that other researchers might not have found.

While doing my recon I came across one domain, say, which at first glance looked like a plain target without much functionality. It only had the basics: user registration and password reset. To understand the functionality I started using it as a normal user and broke it down as below.

User registration -> User account operations -> User password reset.

Along the way I tried the usual bugs: CSRF, XSS, clickjacking and so on, but with no success. The target had a special feature: it does not give you the full functionality until an admin grants you permissions, so a user has to send a request to the admin and, after verification, gets access to the full feature set. By now you are probably thinking of blind XSS, popping a payload on the admin side. Yes, I tried that too, without success.

On the second day, when I woke up I fired up Burp and started hunting on the same target, but this time I looked at the password reset functionality. During a password reset the user receives a 4-digit PIN by email, so the first thing I checked was rate limiting, and it actually worked: the target had no rate limit on the password reset functionality, and I was able to take over the account of any user with a valid email id. [Note: each user is assigned a user id, and that user id was what got sent by email as the PIN to reset the password.]

It was considered a high severity bug, and I was happy to get my first high on this target. Two or three days later I had another look at it, hoping for some low-hanging bugs. While clicking on each and every function I found a weird endpoint like where 123 is the user id. This link showed the request I had submitted to the admin, including my name, email id and mobile number (that is default behaviour of the target: after sending the request, the form stays on the user's dashboard with the user's details in it). So I copied the link, opened it in an incognito window and, voilà 🎉🎉, it showed me all the details including name, mobile number and email id. After changing the uid I was able to get other users' data too 😲😲🎉🎉.

Then I chained the password reset vulnerability with this one and was able to take over every user's account in a few seconds, since I now had the valid user id and email of each particular user.
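To make the chain concrete, here is an added simulation of the two flaws described above (the 4-digit reset PIN that is just the user id with no attempt limit, and the request-detail endpoint that never checks who is asking) next to a hardened version of the same two endpoints. This is example code written for this post, not code from the author or from the target; the class and function names, the six-digit random PIN, the five-attempt limit and the sample users (uid 123 mirrors the write-up's example id) are all my own constructed choices.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample users (not real data); uid 123 mirrors the write-up's example id.
USERS = [
    (123, "Alice", "alice@example.com", "+10000000001", "alice-pass"),
    (124, "Bob", "bob@example.com", "+10000000002", "bob-pass"),
]


@dataclass
class User:
    uid: int
    name: str
    email: str
    phone: str
    password: str


class VulnerableApp:
    """Reproduces the weaknesses described in the post: the reset PIN is the
    user id, the reset endpoint accepts unlimited attempts, and the
    request-detail page is served for any uid without checking the viewer."""

    def __init__(self):
        self.users = {User(*row).uid: User(*row) for row in USERS}
        self.by_email = {u.email: u for u in self.users.values()}

    def view_request(self, viewer_uid, target_uid):
        # IDOR: viewer_uid (None means not logged in) is never compared to target_uid.
        u = self.users[target_uid]
        return {"name": u.name, "email": u.email, "phone": u.phone}

    def send_reset_pin(self, email):
        # Stands in for the e-mail; the "PIN" is just the zero-padded user id.
        return f"{self.by_email[email].uid:04d}"

    def reset_password(self, email, pin, new_password):
        u = self.by_email[email]
        if pin == f"{u.uid:04d}":        # no attempt counter, PIN never expires
            u.password = new_password
            return True
        return False


class HardenedApp(VulnerableApp):
    """Same API with the fixes: random PIN bound to a one-shot reset session,
    an attempt limit that burns the PIN, constant-time compare, and an owner
    check on the request-detail page."""
    MAX_ATTEMPTS = 5                     # assumed policy value

    def __init__(self):
        super().__init__()
        self.pending = {}                # email -> [pin, attempts_left]

    def view_request(self, viewer_uid, target_uid):
        if viewer_uid != target_uid:     # object-level authorization
            raise PermissionError("not the owner of this request")
        return super().view_request(viewer_uid, target_uid)

    def send_reset_pin(self, email):
        pin = f"{secrets.randbelow(1_000_000):06d}"   # random, not derived from uid
        self.pending[email] = [pin, self.MAX_ATTEMPTS]
        return pin

    def reset_password(self, email, pin, new_password):
        state = self.pending.get(email)
        if state is None:
            return False                 # no live reset session for this account
        state[1] -= 1
        ok = hmac.compare_digest(state[0], pin)
        if ok or state[1] <= 0:
            del self.pending[email]      # one-shot PIN; lockout invalidates it too
        if ok:
            self.by_email[email].password = new_password
        return ok


def brute_force_reset(app, email, new_password="owned"):
    """The rate-limit test from the post: try every 4-digit PIN against the
    reset endpoint. Returns (success, attempts_used)."""
    app.send_reset_pin(email)
    for n in range(10_000):
        if app.reset_password(email, f"{n:04d}", new_password):
            return True, n + 1
    return False, 10_000


def chain_idor_into_reset(app, target_uid, new_password="owned"):
    """The chain from the post: read the victim's request page while logged
    out, take the leaked email, and use the uid itself as the PIN, so no
    brute force is even needed."""
    details = app.view_request(None, target_uid)
    return app.reset_password(details["email"], f"{target_uid:04d}", new_password)


if __name__ == "__main__":
    print("vulnerable brute force:", brute_force_reset(VulnerableApp(), "alice@example.com"))
    print("vulnerable IDOR chain:", chain_idor_into_reset(VulnerableApp(), 124))
    print("hardened brute force:", brute_force_reset(HardenedApp(), "alice@example.com"))
```

The two fixes are independent: the attempt limit alone stops the brute force, and the owner check alone stops the data leak, but a PIN that is derived from a predictable value (here the user id) defeats rate limiting entirely, which is why the hardened version also makes the PIN random and short-lived.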

I hope you learned something from this, and if so, give it a clap.

Thank You!! keep hacking✌️…




Cyber Security Learner
