BROKEN ACCESS CONTROL LEADS TO CHANGE OF ADMIN DETAILS

Hi fellow hunters, hope you are doing well and taking care of your health in this pandemic situation. My name is V3D (Ved Parkash), and I want to write a quick write-up on my recent finding: a broken access control that leads to a change of admin details.

Without any further ado, let's start.

Using Google dorks, I started searching for private programs.

Here are some dorks for searching Private Bug Bounty Programs.

“powered by bugcrowd” -site:bugcrowd.com

“powered by hackerone” “submit vulnerability report”

Then I came across a program, REDACTED.COM, on which I immediately started looking for bugs.

As usual I started with subdomain discovery and got nearly 30 subdomains; after probing with httpx, 20 of them were alive. I started checking what functionality each subdomain has, and only 2–3 subdomains had any real functionality. I checked the password reset functionality, the email verification functionality and the input sanitization for flaws, but I was unable to find any bugs there.

I recently read a write-up by @sunilyedla.

You can check it out here -> https://sunilyedla.medium.com/simple-sweet-bypassing-email-update-restriction-to-change-emails-of-team-members-6ce5770e7929

In this write-up, sunilyedla bhai came across a target in which users can invite other users in various different roles. I thought I would check the same functionality on my target, since it also lets an admin invite a user.

I created two accounts, an admin account and a user account, to test the functionality. There is a section where a user can view the details of his own account and of the admin who invited him.

A user can

→ Invite other users

An admin can

→ Invite other users

→ Remove any user

Here the user can edit his own details, but he can only view the admin's details and cannot edit them.

Overview of User Account

Here I thought: let's check if there is a flaw in the update functionality. So I tried to update the user details and, to my surprise, I could see that the admin's details were also being passed in the request. You know what to do now. Yeah, you are right: I changed the admin's details in that request and, to my surprise, there was no back-end check that the caller is allowed to modify the admin's record, so I was able to edit the admin's details.

To confirm the vulnerability, I opened the admin account in another browser to see whether the details had been updated or not.

And they had been changed: I could edit the first name, last name and mobile number of the admin. I quickly reported the issue and the team triaged it immediately, but they set the severity to P4. I explained the severity clearly to the team and they bumped it to P2.
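As an added illustration (not code from the original write-up or from the target), here is a simplified model of the profile-update handler described above: the vulnerable version trusts the ids in the request body and writes the admin block too, while the hardened version takes the target row from the authenticated session, applies only allow-listed fields, and reports any extra block so it can be logged. The Account class, sample_db() and the payload shape are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Account:
    id: int
    role: str                       # "admin" or "user"
    first_name: str
    last_name: str
    mobile: str
    invited_by: Optional[int] = None  # id of the admin who sent the invite

# Profile fields a user is allowed to change (the three the write-up mentions).
EDITABLE = {"first_name", "last_name", "mobile"}

def sample_db() -> Dict[int, Account]:
    """Constructed sample data (assumption): admin 1 invited user 2."""
    return {
        1: Account(1, "admin", "Alice", "Admin", "111-000"),
        2: Account(2, "user", "Bob", "User", "222-000", invited_by=1),
    }

def apply_fields(target: Account, fields: dict) -> None:
    # Field-level allow-list: never mass-assign id, role or invited_by.
    for key, value in fields.items():
        if key in EDITABLE:
            setattr(target, key, value)

def vulnerable_update(db: Dict[int, Account], caller_id: int, payload: dict) -> None:
    """Writes every block in the body and picks the target row from the
    client-supplied id. Nothing ties the write to the authenticated caller,
    so a user can overwrite the admin block the page echoed back to him."""
    for block in ("user", "admin"):
        if block in payload:
            apply_fields(db[payload[block]["id"]], payload[block])

def hardened_update(db: Dict[int, Account], caller_id: int, payload: dict) -> List[str]:
    """Object-level check: the row is chosen from the session, not the body;
    any other block is ignored and returned so the caller can log it."""
    ignored = [name for name in payload if name != "user"]
    fields = payload.get("user") or {}
    if fields.get("id", caller_id) != caller_id:
        raise PermissionError("a user may only update their own profile")
    apply_fields(db[caller_id], fields)
    return ignored
```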

Tip: never forget to check functionality; there is a huge scope for finding bugs in functionalities.

Special thanks to my dear brothers: Aditya Shende, Sunil Yedla, Harsh Bothra, Manas Harsh, Aditya Sharma, Shubham Bhamare, 0xdln, The XSS Rat

Hope you learned something new. If you liked the write-up, give it a clap and follow me on Twitter: V3D

||Bug Hunter||Cyber Security Researcher||