Hey guys,
Today I am going to explain a cool authentication bypass from one of my findings.
Firstly, I was surfing the site (site name not disclosed because it's a private bounty), and I found that a cookie named "authentication_token" was generated every time you log in, and it is also validated on the server side.
The cookie looks something like this:
"authentication_token=56S-A31-1212"
Next I logged out and logged in again, and the cookie changed to
"authentication_token=56S-A31-8980"
After seeing this I was like :o
So only the last 4 digits change.
Now I logged out and added the cookie "authentication_token=56S-A31-0000" (some random number), then refreshed, but I didn't get logged in.
So my idea was to brute-force the last four digits.
Well, I opened Burp, created a wordlist of all four-digit numbers, then started Burp Intruder, as there was no rate limiting, and I got success \m/
But wait, I had only hacked into my own account, but I needed to get into a victim's account :/
So I created two accounts and checked their authentication tokens; they were
"authentication_token=56S-F32-5650"
"authentication_token=56S-G05-9090"
So it was interesting: the first part, 56S, was not changed, but the next three characters were changed! So I was crawling the site for more information.
Next, I was editing my profile pic, and I found an interesting thing \m/
POST /edit-profile HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cookie: authentication_token=56S-A31-5450
Content-Length: 93
Connection: Keep-Alive
Accept-Language: en-US
id=5631&...etc
I removed some parameters and HTTP headers because they disclose the site name and some useful data :)
So I saw that my id is 5631 :D. Now look at the cookie 56S-A31-5450; there is some resemblance :D. Take the part 56S-A31 and remove the letters: it becomes 5631, which is our id :D
Now let's understand the first 3 characters.
After a deep crawl I found that 56S means 56-silver, which means the site has three memberships (silver, gold, platinum).
Members who take the free trial get 50S-60S.
Members who take the gold membership get 30G-40G.
Members who take platinum, lol, I don't know, because I don't have that many $$ to buy a platinum membership :P :P
So I got some juicy data :D
Now let's understand the middle three characters.
A31 means nothing but A-row, 31st member :D
So now let's pull everything together :D
I created a cookie "authentication_token=36G-A41-6766" (some random value),
so we are hacking the gold membership A-row 41st member.
I opened Burp Intruder and brute-forced the last four digits :D. That's it, got access \m/
And now I was in the air :V
So I successfully hacked into the victim's account :D
I didn't stop here; now it was time to take complete control over the account, so we need to change the password, because opening Burp every time wastes much time.
Huh, it was asking for the last password :/ #Fuck
So I tried Password Reset, and I found this:
https://www.site.com/reset-password?key=NTZTLUEzMS04OTg3
The key was a Base64-encoded string; I decoded it and got :v
56S-A31-8987
So the authentication_token in the cookie and the key in the password reset link are the same :D
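To put the cookie and reset-key weaknesses side by side, here is an added example (not code from the original post): it parses the token layout described above, confirms the reset key is just the base64 of the cookie, measures what is actually left to guess once the layout is known, and shows the kind of opaque token that should replace it. The tier letter is assumed to be any capital, since the post only shows S and G.

```python
import base64
import math
import re
import secrets

# Token layout described in the write-up: <2 digits><tier letter>-<row letter><2 digits>-<4 digits>.
# 56S-A31-8987 -> user id 5631 (56 + 31), silver tier, row A member 31, 4-digit suffix.
# The tier letter is taken as any capital here (assumption; the post only shows S and G).
TOKEN_RE = re.compile(r"(?P<id_hi>\d{2})(?P<tier>[A-Z])-(?P<row>[A-Z])(?P<id_lo>\d{2})-(?P<suffix>\d{4})")


def parse_token(token: str) -> dict:
    """Split a cookie value into the fields the post recovered; everything but the suffix comes from the account."""
    m = TOKEN_RE.fullmatch(token.strip())
    if not m:
        raise ValueError(f"unexpected token format: {token!r}")
    fields = m.groupdict()
    fields["user_id"] = int(fields["id_hi"] + fields["id_lo"])
    return fields


def reset_key_reuses_cookie(reset_key: str, cookie_token: str) -> bool:
    """True when the base64 reset key decodes to the session cookie itself (the bug in the post)."""
    return base64.b64decode(reset_key).decode("ascii") == cookie_token


def guess_budget(token: str) -> tuple[int, float]:
    """Once the layout and target id are known only the suffix is secret: (guesses, bits)."""
    suffix_len = len(parse_token(token)["suffix"])
    guesses = 10 ** suffix_len
    return guesses, math.log2(guesses)


def mint_opaque_token(nbytes: int = 32) -> str:
    """What the cookie (and a separate, single-use reset key) should look like instead: random,
    opaque, carrying no user id or tier, resolved server-side. 32 bytes leaves 256 bits to guess."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    cookie = "56S-A31-8987"
    print(parse_token(cookie))
    print("reset key == cookie:", reset_key_reuses_cookie("NTZTLUEzMS04OTg3", cookie))
    print("attacker guess budget (guesses, bits):", guess_budget(cookie))
    print("opaque replacement:", mint_opaque_token())
```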
Ah cool :v
Now what are we waiting for :v
I changed the password of the gold member successfully by this method :D
So I reported it to the company and got some $$$
That's it, thanks for reading :)
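The Intruder step above worked because nothing on the server noticed one client trying thousands of suffixes for the same token prefix. As an added example (not from the original post), this is the detection logic a defender would run over access logs: it flags a client that presents several distinct rejected suffixes for one prefix, and flags again if that client is then accepted with the same prefix. The log lines, their format and the 302-on-rejection behaviour are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not from the original post). One client walks the 4-digit
# suffix of a fixed prefix, as Burp Intruder would, gets rejected, then lands on a valid token;
# another client is a normal user. Format: ip - [time] "request" status authentication_token=...
SAMPLE_LOG = """\
203.0.113.9 - [10/Jan/2016:10:00:01] "GET /dashboard HTTP/1.1" 302 authentication_token=36G-A41-0000
203.0.113.9 - [10/Jan/2016:10:00:01] "GET /dashboard HTTP/1.1" 302 authentication_token=36G-A41-0001
203.0.113.9 - [10/Jan/2016:10:00:02] "GET /dashboard HTTP/1.1" 302 authentication_token=36G-A41-0002
203.0.113.9 - [10/Jan/2016:10:00:02] "GET /dashboard HTTP/1.1" 200 authentication_token=36G-A41-0003
198.51.100.4 - [10/Jan/2016:10:00:05] "GET /dashboard HTTP/1.1" 200 authentication_token=56S-A31-8987
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) - \[(?P<ts>[^\]]+)\] "(?P<req>[^"]+)" (?P<status>\d{3}) '
    r"authentication_token=(?P<token>\S+)$"
)


def detect_suffix_enumeration(log_text: str, threshold: int = 3) -> list:
    """Flag clients that present `threshold` distinct rejected suffixes for one token prefix
    (i.e. one user), and again if the same client is then accepted with that prefix.
    Returns (ip, prefix, rejected_count, reason) tuples in log order."""
    rejected = defaultdict(lambda: defaultdict(set))  # ip -> prefix -> rejected suffixes
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated or unparseable line
        prefix, _, suffix = m["token"].rpartition("-")
        bucket = rejected[m["ip"]][prefix]
        if m["status"] == "200":
            if len(bucket) >= threshold:
                alerts.append((m["ip"], prefix, len(bucket), "accepted after rejected guesses"))
        else:
            bucket.add(suffix)
            if len(bucket) == threshold:
                alerts.append((m["ip"], prefix, len(bucket), "enumerating token suffix"))
    return alerts


if __name__ == "__main__":
    for alert in detect_suffix_enumeration(SAMPLE_LOG):
        print(alert)
```

In production the threshold would be higher and the same counters would drive rate limiting or session invalidation, which is what was missing here.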
Great job... Amazing and interesting..
awesome! :)
cool
Awesome work at DL :v party time :D
Rocking way bro... awesome
great finding
but bounty should be $$$$$ :v
Cool