U.S. Dept Of Defense: Full Account Take-Over of ββββββββ Members via IDOR
News category: Security vulnerabilities
Source: vulners.com

Summary

https://βββββββ is a Social Network Site belonging to US DoD. Membership is open to anyone. I have found a method to fully take over any member's account by exploiting an IDOR bug in the ββββββββββ end-point. By changing the following values in the POST request to the affected end-point:

userName
originalEmail
Email
RecoveryEmail

I am able to add a Recovery Email address of my choice, thus enabling me to send a password reset link to my attacker-controlled email address. I have uploaded a video PoC to demo my finding.

Note that the following test accounts were used:

Attacker login: ββββββββ
Victim login: βββββββ

I added the ββββ email into the victim account. Note that this only works on victims that have no recovery email address defined or a recovery email that is not yet verified. This technique will NOT work on victims that already have a confirmed recovery email address.

Also note that I am using the multi-containers plugin for Firefox; therefore, each tab represents a separate browser session.

Finally, note that in my PoC video, I had to insert the victim's recovery email link ββββββββ/self?guid=βββββββββ into the attacker's session because a valid session is required to validate the email. The session does not necessarily have to belong to the victim to validate.

The IDOR bug can be obtained by intercepting the 2-FA Authentication switch: βββ

Vulnerable End-Point

Here is the vulnerable POST request when captured, the cookies and __RequestVerificationToken must be... ...
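The two weaknesses the report describes, an account-update handler that takes the target account from the client-supplied `userName` field and a recovery-email verification link that any logged-in session can complete, are modelled below as an added example. This is illustrative code written for this page, not the affected site's code or anything from the report; the account names, field names beyond those quoted in the report, and the helper functions (`vulnerable_set_recovery`, `hardened_set_recovery`, `vulnerable_verify`, `hardened_verify`, `run_scenario`) are all constructed. The hardened variants show the two server-side checks that close the IDOR: the account being modified is derived from the authenticated session rather than the request body, and a verification token may only be redeemed by the session that belongs to the account which requested it.

```python
import secrets
from copy import deepcopy

# Constructed sample accounts (not real data from the report).
BASE_ACCOUNTS = {
    "victim":   {"recovery_email": None, "recovery_verified": False},
    "attacker": {"recovery_email": "att@example.test", "recovery_verified": True},
}


def fresh_accounts():
    """Return an independent copy of the sample account table."""
    return deepcopy(BASE_ACCOUNTS)


class Forbidden(Exception):
    """Raised when a session tries to act on an account it does not own."""


def vulnerable_set_recovery(accounts, session_user, body):
    """IDOR pattern: the target account is whatever userName the client sends.
    The session identity is never compared against it."""
    target = accounts[body["userName"]]
    target["recovery_email"] = body["RecoveryEmail"]
    target["recovery_verified"] = False
    return body["userName"]


def hardened_set_recovery(accounts, session_user, body):
    """Fix: the target account is the authenticated session's own account.
    A mismatching client-supplied userName is rejected (and worth alerting on,
    since legitimate clients never send another user's name here)."""
    if "userName" in body and body["userName"] != session_user:
        raise Forbidden(f"session {session_user!r} tried to modify {body['userName']!r}")
    target = accounts[session_user]
    target["recovery_email"] = body["RecoveryEmail"]
    target["recovery_verified"] = False  # still needs a fresh verification round-trip
    return session_user


def issue_verification_token(tokens, user):
    """Bind a fresh verification token to the account that requested it."""
    tok = secrets.token_urlsafe(16)
    tokens[tok] = user
    return tok


def vulnerable_verify(accounts, tokens, session_user, token):
    """Weak check: any valid session may redeem any token (what the report observed)."""
    owner = tokens.pop(token, None)
    if owner is None or session_user is None:
        return False
    accounts[owner]["recovery_verified"] = True
    return True


def hardened_verify(accounts, tokens, session_user, token):
    """Fix: the redeeming session must be the account that requested the token."""
    owner = tokens.get(token)
    if owner is None or owner != session_user:
        return False
    del tokens[token]
    accounts[owner]["recovery_verified"] = True
    return True


def run_scenario():
    """Replay the cross-account request against both handlers and report the outcome."""
    body = {"userName": "victim", "RecoveryEmail": "attacker-controlled@example.test"}

    vuln = fresh_accounts()
    vulnerable_set_recovery(vuln, "attacker", body)

    hard = fresh_accounts()
    try:
        hardened_set_recovery(hard, "attacker", body)
        blocked = False
    except Forbidden:
        blocked = True

    tokens = {}
    tok = issue_verification_token(tokens, "victim")
    vuln_cross = vulnerable_verify(vuln, dict(tokens), "attacker", tok)
    hard_cross = hardened_verify(hard, dict(tokens), "attacker", tok)

    return {
        "vuln_victim_recovery": vuln["victim"]["recovery_email"],
        "hardened_blocked": blocked,
        "hard_victim_recovery": hard["victim"]["recovery_email"],
        "vuln_cross_session_verify": vuln_cross,
        "hard_cross_session_verify": hard_cross,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

In the hardened handler the rejected request is also the detection signal: a body whose `userName` differs from the session principal is something no legitimate client produces, so logging and alerting on the `Forbidden` path gives operations a direct indicator of IDOR probing against the endpoint.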