
Hey everyone, I am SYRINE, a cyber security enthusiast, eJPT certified, and a bug bounty hunter.
In this write-up, I will share how I earned my first bounty by chaining three vulnerabilities in a single request: it let me change every user's profile section and mislead them to a malicious site.
One day I got an invitation from a private program (due to privacy concerns, I can’t share the program name so I will call it “iamnerd.com” 🤓 ).
I started testing by sorting subdomains by HTTP status code into separate files (200.txt, 403.txt, 404.txt):
- 404 for subdomain takeover
- 403 for forbidden bypass
- 200 for further testing and automated scans
I found an API domain in 403.txt (api.iamnerd.com) and successfully bypassed the 403, but it didn't contain any useful information. It also had a password reset function. I logged in to the application, clicked the password reset option, intercepted the request, and checked for rate limiting. A rate limit was in place, but when I removed the "YII_CSRF_TOKEN=" parameter from the cookie, the CSRF check was bypassed and the rate limit no longer applied.
Note: this means the developers had not configured the CSRF token properly, which suggested that other applications of the program could be vulnerable too.
I reported it but, as I expected, it was closed as not applicable because it had no impact on the application.
I headed over to the main domain and signed in. The first thing I always test is the profile section, so I quickly went there, clicked the edit button, and intercepted the request. Luckily, there were many parameters to test. It already looked promising because the request contained many different ID parameters, which suggested each part of the profile was handled separately: the username, first name, and last name had one ID, the about section had another, the profile photo had yet another, and so on. I tested each of them and found the part that was vulnerable.
"entities": [
    {
        "id": 1234567,                                  --> user-id
        "rank": 0,
        "content": "<p>Hello, I'm {username}</p>",      --> user description
        "editable": true
        ...
"YII_CSRF_TOKEN": "thiscsrftokenissosexyandamazingthingisthaticannotguessitlol"   --> CSRF token
Here, all of them look very suspicious ("YII_CSRF_TOKEN" is the same token we saw before). I tested all of them, and these are the things I found vulnerable…
Vulnerability 1
id → vulnerable to IDOR: I was able to change other users' about sections just by changing the id 🙂 But how can we change the content of the about section? Here comes the next vulnerability…
Vulnerability 2
content → it looked like it was taking HTML payloads directly… so… XSS? Sadly, it was not vulnerable to XSS, but it was still vulnerable to HTML injection, which let me convince the user to click on a malicious link 🙂 How?
"content": "we need a verification. Please login to the application again by clicking <a href=\"http://evil.com\" rel=\"nofollow\">here</a>"

Vulnerability 3
YII_CSRF_TOKEN → as before, it was not configured properly, but this time I didn't even need to remove it: it simply wasn't validated at all, which allowed me to flood the request 🙂
IMPACT:
Combining all three in one request, I could change everyone's about section and redirect them to a malicious website, or to a look-alike login page of iamnerd.com set up so that whenever a user logs in with their ID and password, the credentials are forwarded directly to me, which could lead to full account takeover 🙂
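As an added example (not the program's code and not from the original post), here is a minimal Python handler for the profile-edit request above that closes all three findings at once: it rejects a missing or mismatched YII_CSRF_TOKEN instead of skipping the check, verifies that every entity id belongs to the logged-in user, and escapes the content so an injected <a href> renders as inert text. The entity ids, owner mapping and Session class are constructed for illustration.

```python
import hmac
import html
import secrets
from dataclasses import dataclass, field

# Constructed in-memory store: entity id -> owner user id. It stands in for
# the server-side record behind each "entities" object (ids are made up).
ENTITY_OWNER = {1234567: 42, 1234568: 43}


@dataclass
class Session:
    """Hypothetical server-side session: the logged-in user and their CSRF token."""
    user_id: int
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def handle_profile_update(session, body, store=ENTITY_OWNER):
    """Return (http_status, result) for a profile-edit body.

    1. CSRF: an absent or empty YII_CSRF_TOKEN is a failure, not a reason to
       skip the comparison, which is what let the original check be bypassed.
    2. IDOR: every entity id must be owned by the session user.
    3. HTML injection: content is escaped rather than stored verbatim.
    """
    supplied = body.get("YII_CSRF_TOKEN")
    if (not isinstance(supplied, str) or not supplied
            or not hmac.compare_digest(supplied, session.csrf_token)):
        return 403, "bad or missing CSRF token"

    updated = {}
    for ent in body.get("entities", []):
        eid = ent.get("id")
        if store.get(eid) != session.user_id:
            # Deny by default: unknown ids and other users' ids both fail.
            return 403, f"entity {eid} is not owned by user {session.user_id}"
        # quote=True also escapes " and ', so no attribute injection survives.
        updated[eid] = html.escape(str(ent.get("content", "")), quote=True)
    return 200, updated
```

If the about section legitimately needs markup such as the <p> in the example, replace the escaping step with an allowlist sanitizer; escaping everything is the simplest safe default when plain text is acceptable.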
I reported this vulnerability and this time…

HURRAY!! After facing many burnouts, duplicates, and not-applicables, I was able to get it.
Thanks for reading till here. I hope you have learned something new from this article. ❤
Connect with me…❤
Twitter → S Y R I N E
LinkedIn → Avyukt Khatri
Discord → S Y R I N E#9799