Hey guys
Today I decided to tell you the story of finding a critical bug on a program, a bug that had an interesting story behind it.
Finding high impact bugs is not always hard and challenging; it mostly requires a high level of focus on a single program.
Creativity and understanding the logic of a website can speed up the process of finding a critical bug and help you come across it.
A while ago I had been working on a single program for 2 months, which led me to find 15 vulnerabilities on it.
But, unfortunately or not, that didn’t satisfy me, because I was after a critical bug that could do real damage to the website.
In the meantime I was looking for a way to break the logic of the website, cause real damage and turn that into a critical bug.
To reach a goal like that, there are several test cases that every hacker and bug hunter must keep in mind while testing.
In the change password flow, when a user wanted to change their password, the application sent a reset password request to the server, and then an email containing a temp password was sent to the user.
In the next step, the user had to log in with the temp password and would then be redirected to the update password page.
There they had to enter the temp password and their new password in order to log in to their account again.
At first sight there was nothing wrong with how the website changed a user’s password, but in the eyes of a bug bounty hunter things are a little different.
Well, that’s where the hacker sense steps into the game.
When a user has an active session and is working on the website, and an update password request is sent to that user’s email, the user’s session is locked until they enter the temp password and update their password. The user has no idea that an attacker triggered this.
But this wasn’t as easy as it looks: there was a CAPTCHA in the way of making the request, which could be bypassed by removing the CAPTCHA parameter.
Now the attacker could lock someone’s account just by knowing their email, which was public on their profile.
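As an added example (not code from the original post or the program in question), here is a small Python model of the reset flow described above, with the reported behaviour beside a hardened version: the hardened handler rejects a request whose CAPTCHA field is missing instead of skipping the check, and it leaves the victim’s live session alone until the temp password is actually used. `ResetService`, the `"expected-token"` stand-in for a real CAPTCHA verifier and the victim address are all assumptions.

```python
import secrets

class ResetService:
    def __init__(self, hardened):
        self.hardened = hardened
        self.sessions = {}   # email -> {"active": bool}
        self.pending = {}    # email -> temp password waiting to be used
        self.passwords = {}  # email -> current password (hypothetical store)

    def login(self, email):
        self.sessions[email] = {"active": True}

    def captcha_ok(self, params):
        # Reported behaviour: a request with no CAPTCHA field skips the check entirely.
        # Hardened: the field must be present and verify; absence is a rejection.
        if "captcha" not in params:
            return not self.hardened
        return params["captcha"] == "expected-token"  # constructed stand-in for a real verifier

    def request_reset(self, params):
        email = params["email"]
        if not self.captcha_ok(params):
            return "rejected"
        self.pending[email] = secrets.token_urlsafe(8)
        if not self.hardened and email in self.sessions:
            # Reported behaviour: the live session is locked as soon as anyone asks for a reset.
            self.sessions[email]["active"] = False
        return "emailed"  # hardened: mailing the temp password changes nothing about the session

    def complete_reset(self, email, temp, new_password):
        if self.pending.get(email) != temp:
            return False
        del self.pending[email]
        self.passwords[email] = new_password
        # Only now, with proof of mailbox access, is the old session retired.
        self.sessions[email] = {"active": False}
        return True

    def session_active(self, email):
        return self.sessions.get(email, {}).get("active", False)

def unauthenticated_reset_outcome(hardened):
    """Someone who only knows the victim's email sends a reset request without the CAPTCHA field."""
    svc = ResetService(hardened)
    svc.login("victim@example.com")  # constructed victim account with a live session
    outcome = svc.request_reset({"email": "victim@example.com"})
    return outcome, svc.session_active("victim@example.com")
```

`unauthenticated_reset_outcome(False)` returns `("emailed", False)`, the lockout from the write-up; `unauthenticated_reset_outcome(True)` returns `("rejected", True)`.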