2020-09-27 21:45:21 Author: medium.com(查看原文) 阅读量:206 收藏
Hello Guys !
I hope you all doing well. ✌️
About a month ago, I told you that I found an Account Takeover vulnerability in a web application as in the screenshot below. With the new patch coming to the web application with the vulnerability, I can now share with you how I found the vulnerability.
This is my first bug bounty write-up so im writing P1 qualified vulnerability.,
Lets talk about it.
When I made the tests for NodeBB forum software, I found that the password of the every user account can be changed.
Now I will tell you the steps to exploit this vulnerability.
- First of all, to determine the “admin” user’s uid :
I tried numbers on the place marked with an asterisk(*) and I find that the uid value of the admin account is 1.
https://try.nodebb.org/uid/1 -> https://try.nodebb.org/user/admin
2- I created a user whose name is “testuser1” for myself.
3- I went to the password change page from my user profile and i entered our current password in the first box.Then I wrote in the second and third boxes that the passwords which we want to change.
4- Then, before press the submit button, I opened the Burp Suite, which has a proxy options and I replaced the uid value on the request with 1, which is the uid value of the admin user, and I sent the request.
5- I wrote “admin” in the user name box and the password i wrote in step 5 in the password box.
6- Thus, I obtained the account of the “admin” user.
Thus, thanks to this vulnerability I found in NodeBB company, I won a prize of 512 Dollars. 🏆🏆🏆
You can click the link below to view the NodeBB Forum Software’s Hall of Fame list.
https://blog.nodebb.org/bounty/
Below is the link to the github page, which contains information that the vulnerability has been closed.
https://github.com/NodeBB/NodeBB/security/advisories/GHSA-hr66-c8pg-5mg7
I hope you guys learn something from it and if so give a high five. ✋
Thank you for reading my article. You can reach me at the links below.
Healthy days ! 😷
如有侵权请联系:admin#unsafe.sh