How One Test Led Me to a Critical P1 Account Takeover (ATO) Bug on Bugcrowd
ANONDGR found a P1-rated Account Takeover vulnerability on Bugcrowd that was ultimately classified as informational. It was found in a private program with only 5 to 6 subdomains; a randomly chosen login page turned out to have an unusual login function. 2026-1-15 08:31:56 Author: infosecwriteups.com

Rajankumarbarik



Introduction

Hello Hackers, ANONDGR is back again with a new and interesting write-up. In this blog, I will walk you through one of my recent findings. On Bugcrowd, I discovered a critical P1 vulnerability: an Account Takeover (ATO). But there is a twist to it, so stick around to the end. Let's start.

You might be thinking, after seeing the screenshot, that if it is a P1, how can it be informational? That is the twist. I will explain it later; for now, let's focus on the vulnerability itself.

Initial Observation/Understanding The Application

I was hunting on a private program that didn't have much scope: just 5 to 6 subdomains, and that's it. Without spending much time choosing a target, I picked a random one, which was just a login page.

But the login function was not the usual kind we see across the internet; it was a bit unique.


Article source: https://infosecwriteups.com/how-one-test-led-me-to-a-critical-p1-account-takeover-ato-bug-on-bugcrowd-831370edc8e9?source=rss----7b722bfd1b8d---4