Hello, amazing people, hope you are doing well. I am back with a new writeup. In this write-up, I am going to explain a logical flaw that I found on one target, resulting in path hijacking. Let me explain it in short.
While testing on redacted.com, I found that it was not properly checking and verifying whether a username was eligible. Anyone could sign up using an existing path name and take over that path, so that visiting the path showed the new profile instead of the original page.
How did I find it?
I signed up with the username “index.php”, then visited my profile and noticed that upon visiting redacted.com/index.php my profile was popping up. I quickly notified them, using my index.php username account as the POC. The next day, they approved and acknowledged the report.
What is the impact?
The impact of this bug can be pretty high, because bad actors could simply sign up using usernames such as signup.php, signin.php, and many similar names and take over those paths. That causes a big issue for the organization by making the signup and sign-in pages unavailable.
Take-Aways:
Try to sign up using general path names such as index.php, signup.php, signin.php, and check whether visiting those paths shows your profile. If it does, the application may be vulnerable.
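The fix on the application side has two parts: reject usernames that collide with existing routes at registration time, and resolve fixed routes before profile lookups so that no username can shadow a page. The following Python is an added example written for this writeup, not code from the target; the route table, the reserved-name list, and the /u/ profile prefix are assumptions chosen for illustration.

```python
from __future__ import annotations

import re
from urllib.parse import unquote

# Constructed examples: the route table and reserved names are assumptions,
# not the target's real ones. A real application would derive them from its router.
FIXED_ROUTES = {
    "/index.php": "home",
    "/signup.php": "signup",
    "/signin.php": "signin",
}
# Words a username must not shadow, with or without an extension such as .php or .html.
RESERVED_NAMES = {"index", "signup", "signin", "login", "logout", "admin", "api", "static"}
USERNAME_RE = re.compile(r"[a-z0-9_]{3,30}")

# In-memory user store standing in for the database.
USERS: dict[str, dict] = {}


def normalize(raw: str) -> str:
    """Fold the variants a collision attempt could use (percent-encoding, case, slashes)
    so that 'Index.PHP', '/index.php' and 'index%2Ephp' all compare as 'index.php'."""
    return unquote(raw).strip().lower().strip("/")


def validate_username(raw: str) -> tuple[bool, str]:
    """Return (ok, reason). Rejects names that collide with application routes."""
    name = normalize(raw)
    # Compare the stem (before any dot) against reserved words, and the full name
    # against the route table, before applying the character whitelist.
    stem = name.split(".", 1)[0]
    if stem in RESERVED_NAMES or "/" + name in FIXED_ROUTES:
        return False, f"{raw!r} collides with an application path"
    if not USERNAME_RE.fullmatch(name):
        return False, f"{raw!r} must be 3-30 lowercase letters, digits or underscores"
    return True, "ok"


def register(raw: str) -> bool:
    """Create the account only if the username passes validation."""
    ok, _ = validate_username(raw)
    if ok:
        USERS[normalize(raw)] = {"username": raw}
    return ok


def resolve_vulnerable(path: str) -> tuple[str, str | None]:
    """Profile lookup before the route table: a user named 'index.php' shadows /index.php."""
    name = normalize(path)
    if name in USERS:
        return "profile", name
    if path in FIXED_ROUTES:
        return "page", FIXED_ROUTES[path]
    return "404", None


def resolve_hardened(path: str) -> tuple[str, str | None]:
    """Route table first, then profiles under an explicit /u/ prefix, so no username
    can ever shadow an application page even if validation is bypassed."""
    if path in FIXED_ROUTES:
        return "page", FIXED_ROUTES[path]
    if path.startswith("/u/"):
        name = normalize(path[len("/u/"):])
        if name in USERS:
            return "profile", name
    return "404", None


if __name__ == "__main__":
    # Simulate an account that slipped past validation to show the two resolvers differ.
    USERS["index.php"] = {"username": "index.php"}
    print(resolve_vulnerable("/index.php"))   # ('profile', 'index.php')
    print(resolve_hardened("/index.php"))     # ('page', 'home')
    print(validate_username("signup.php"))    # (False, "'signup.php' collides with an application path")
    print(register("alice_01"))               # True
```

Both layers matter: validation alone fails the moment a new route is added after old accounts exist, and route precedence alone still lets a username occupy a name the site may want later, so the hardened resolver also keeps profiles under their own prefix.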
You can find me here if you wish to connect with me.
Good bye till the next writeup. May luck favor you, keep hacking, stay safe!!