Skip to content

P4 bug’s and their POC steps | Part 7

This is part 7 of P4 bug’s if you haven’t check previous part then check it out.  Part 1 Part 2Part 3Part 4, Part 5, Part 6

bugs

Hi everyone, I am socalledhacker, i am a security researcher , penetration tester, certified ethical hacker and a web3 noob. In past months, I have discover lot’s of bugs but in today’s article we are going to discuss about low hanging fruits or P4 vuln’s as they are very easy to find and also present in almost every website. So let’s start with our first vulnerability.

This bug is also consider as P4 bug. This bug is simple as you can understand this by it’s name. Like lot’s of website have comment section and they have a specific feature of report other user comment if you found that sensitive.

In order to exploit this feature let’s say there is no rate limit on that and the comment got deleted after a specific number of reports to that comments, now you can capture the report comment request to Burpsuite and send it to intruder and start attack and after a number of request you will se that the comment got deleted.

POC Time… 🙂

Description:- The “report comment” functionality on the platform allows users to report comments that may be offensive or inappropriate. However, there is no rate limiting on the report request, which enables an attacker to automate the reporting process and reach the threshold number of reports required for comment removal.

Steps to reproduce:-

  1. Visit page https://example.com/blog/page4/report-comment?comment_id=33
  2. Report this comment and capture request in Burpsuite
  3. Send this request in burpsuite intruder and start attack
  4. After few minutes the user comment got deleted

Impact:- The absence of rate limiting on the “report comment” feature allows attackers to automate reporting and remove legitimate comments without genuine user input. This can lead to unauthorized censorship, negatively affect user experience, and erode trust in the platform’s moderation capabilities.

Email verification bypass can perform in many ways let’s see some of these cases.

Case 1:- Unprotected Account Activation URLs

Some websites use predictable URLs for email verification, like example.com/verify?user_id=1234. If these URLs do not include a sufficiently unique token or other secure identifier and simply rely on a user ID, an attacker could attempt to access example.com/verify?user_id=1234 directly, and by this you are able to varify any account without email verification link.

Case 2:- Predictable Verification Tokens

If the website uses easily guessable or incremental tokens, like example.com/verify?token=abcd1234 where the token pattern is predictable, you can force browse through possible tokens to activate other users’ accounts. This case is rare to find as randomization of token is done by almost every website.

Case 3:- Bypassing Verification Status Checks

In some cases, you can directly access sections of the site meant for verified users if the site doesn’t enforce verification checks on restricted actions. For example, if the site fails to check a user’s verification status at each sensitive action, attackers could simply skip the verification step and proceed to use the account. There is also another way for this if the site is using “is_varified: false” then you can try bypassing that also just by “is_varified: true”

Case 4:- Direct Access to the Verified User Area

Sometimes when you signup to a website and it won’t allow you to access any features or anything and asking for email verification then you can try some of predictable URL paths (e.g., /dashboard or /profile) that you can directly access by typing the URL in the browser. This might gives you the access of website without verification.

Case 5:- Verification email hijacking

Sometimes, when you change your email address on a website, it will send a new verification link to confirm the change. However, if you don’t verify it right away and then change your email again to a different address you want to hijack, the previous verification link might still work. By clicking the first link, you might be able to verify the new email address without needing access to it. This allows you to hijack the target email on the account if the system hasn’t invalidated the old verification link.

Impact:- The impact of bypassing email verification includes unauthorized account access, risk of impersonation, potential account takeover, and undermined trust in the platform’s security measures.

That’s it for this article I will upload more articles related to web2 bugs covering all p4 to p1 bugs in near future so stay tuned … 🙂

Buy Me a Coffee : https://buymeacoffee.com/socalledhacker

Follow Me On :

Leave a Reply

Your email address will not be published. Required fields are marked *