This is part 3 of the P4 bugs series. If you haven't checked the previous parts, check them out first: Part 1, Part 2
Hi everyone, I am socalledhacker, a security researcher, penetration tester, certified ethical hacker and a web3 noob. In the past months I have discovered lots of bugs, but in today's article we are going to discuss low-hanging fruit, or P4 vulns, as they are very easy to find and are present on almost every website. So let's start with our first vulnerability.
1. Token is not invalidated after use
Websites use various types of tokens, such as reset password tokens, verification tokens, invite user tokens, etc. If such a token does not expire after use, or can be used multiple times, then it's a bug.
Criteria — after using the verification token, the account should open directly without asking for credentials.
Time to create a POC for this.
Description:- The reset password token is not expired after a single use.
Steps to reproduce:-
- Open the URL https://site.com
- Go to Forgot password page
- Enter your email id and you will receive a reset link
- Change the password multiple times using the same reset link
- The password gets changed every time.
Impact:-
The attacker can reuse the user's reset token and update the password, which would lead to an account takeover.
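For the fix side of this bug, here is an added Python example (not code from the original post) of a reset-token store that invalidates a token on first use, enforces an expiry, and revokes older links when a new one is issued; the in-memory store, helper names and 15-minute lifetime are assumptions.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional

# Constructed in-memory stand-in for the database table that holds reset
# tokens. Only a SHA-256 hash of each token is stored, so a leaked table
# does not hand out usable reset links.
_reset_tokens: Dict[str, dict] = {}  # token_hash -> {"user", "expires", "used"}

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime: links stop working after 15 min


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(user: str, now: Optional[float] = None) -> str:
    """Create a single-use reset token for `user` and return the raw value
    that goes into the emailed link. Any earlier token for the same user is
    revoked, so only the newest link works."""
    now = time.time() if now is None else now
    for rec in _reset_tokens.values():
        if rec["user"] == user:
            rec["used"] = True
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _reset_tokens[_hash_token(token)] = {
        "user": user,
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token


def consume_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Validate and burn a reset token. Returns the owning user on the first
    valid use, and None on reuse, expiry or an unknown token. The password
    change itself should only proceed when a user is returned."""
    now = time.time() if now is None else now
    rec = _reset_tokens.get(_hash_token(token))
    if rec is None or rec["used"] or now > rec["expires"]:
        return None
    rec["used"] = True  # mark spent before the password is updated
    return rec["user"]


if __name__ == "__main__":
    t = issue_reset_token("alice@example.com")
    print("first use :", consume_reset_token(t))   # alice@example.com
    print("second use:", consume_reset_token(t))   # None
```

The second call in the demo is the exact check the POC above performs: replaying the same link must now fail instead of changing the password again.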
2. HTTP by default
For this bug, if the domain is served over HTTP instead of HTTPS, or the domain doesn't have an SSL certificate at all, then it's a vulnerability.
Criteria — this bug is only accepted on self hosted programs.
POC time..
Description:- The website is not fully protected by an SSL certificate. This could allow an attacker in a Man-in-the-Middle position to obtain usernames and passwords of users visiting the site.
Steps to reproduce:-
- Open the domain — http://site.com
- Copy the URL and open a new tab
- Paste the URL and add an "s" after "http" so it reads https://site.com
- If the URL does not open over HTTPS, then it's vulnerable
Impact:-
If a user were to visit this page from a public or shared network (e.g. office, airport, library, etc.) and log in to an account, a malicious user on the same network would be able to obtain that user's username and password by conducting a Man-in-the-Middle attack using Wireshark. This would give the malicious user complete access to the user's account.
That's it for this article. I will upload more articles related to web2 bugs covering all P4 to P1 bugs in the near future, so stay tuned 🙂
Buy Me a Coffee : https://buymeacoffee.com/socalledhacker