So first of all, before I start writing about this issue, I want you to read the blog post about Ticket Trick written by Inti De Ceukelaire (thanks to him for sharing it and for helping us secure more companies). This post is just about my experience with this issue and how I used it to get access to the help center of a website.
So I got invited to a program, and at first glance the site looked pretty secure. But I noticed one simple issue that can be turned into a big one: when I signed up on the website I was taken straight to my dashboard, with no email being sent and no request to confirm that the email address actually belonged to me. So I was curious about what I could do with this.
The second thing I did was visit https://support.mytarget.com/ and check whether it used SSO (Single Sign-On), so that I could log in to support.mytarget.com with the same account I had at www.mytarget.com. It did. Now I knew two things about my target:
- The target does not ask for any verification at sign-up
- The target uses SSO for its support portal
Next I created a new account, this time using the email email@example.com, an address on the target's own company domain.
And yes, I was logged in to the account already. But there was another thing about the site: it had a separate kind of account that you have to apply for from your company email. So when I registered with firstname.lastname@example.org I basically bypassed that approval process and landed in an almost completely different account from a normal user's, because I had agent tools etc. that a normal user account didn't have.
So after getting access to my new account, all I had to do was visit https://support.mytarget.com/ and click Login. I got redirected to www.mytarget.com/sso….. and was logged in to support.mytarget.com. After that I simply went to my Activities tab and DOOM! 🤯 🤯 🤯
And that's all: a lot of tickets contained passwords, even banking details, etc.
Now the fun part: the program I was testing had multiple domains in scope, but all of them were connected to one account system. So by creating accounts using emails on each of the other domains and then checking their support portals, I got access to many more support tickets.
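To make the root cause concrete, here is an added example (not code from the original post or from any real target) that models both the sign-up flow described above and the multi-domain variant. The company domains, the role names and the helper classes are all assumptions constructed for the example. The vulnerable class does what the post describes: it grants a session immediately and hands out the agent role based purely on the domain of an unverified address, which the SSO-linked support portal then trusts. The hardened class only issues a session after a single-use token reaches the mailbox, and a company domain yields nothing more than a pending agent role until an out-of-band approval step.

```python
import secrets
from dataclasses import dataclass

# Assumption for this example: the domains the hypothetical target treats as
# "company" domains. The post describes several in-scope domains tied to one
# account system; these names are constructed, not taken from the post.
COMPANY_DOMAINS = {"mytarget.com", "mytarget-eu.com"}

ROLE_CUSTOMER = "customer"
ROLE_AGENT_PENDING = "agent_pending"   # company mailbox verified, not yet approved
ROLE_AGENT = "agent"                   # has agent tools / sees every ticket


@dataclass
class Account:
    email: str
    email_verified: bool = False
    role: str = ROLE_CUSTOMER


def email_domain(email: str) -> str:
    """Domain part of an address, lower-cased. Says nothing about ownership."""
    return email.rsplit("@", 1)[-1].lower()


class VulnerableSignup:
    """The behaviour the post describes: sign-up logs the user straight in and
    the agent role is derived from the (unverified) email domain."""

    def __init__(self):
        self.accounts = {}

    def register(self, email: str) -> Account:
        acct = Account(email=email, email_verified=False)
        if email_domain(email) in COMPANY_DOMAINS:
            acct.role = ROLE_AGENT       # approval process bypassed
        self.accounts[email] = acct
        return acct                       # session granted immediately


class HardenedSignup:
    """Hardened form: no session until the mailbox proves it received the
    token, and a company domain only yields a pending role until approved."""

    def __init__(self):
        self.accounts = {}
        self.pending_tokens = {}

    def register(self, email: str) -> str:
        acct = Account(email=email, email_verified=False)
        self.accounts[email] = acct
        token = secrets.token_urlsafe(32)
        self.pending_tokens[token] = email
        # In a real system the token is mailed to the address; the browser
        # gets nothing it can use to log in.
        return token

    def verify(self, token: str) -> Account:
        email = self.pending_tokens.pop(token, None)   # single use
        if email is None:
            raise PermissionError("unknown or already-used verification token")
        acct = self.accounts[email]
        acct.email_verified = True
        if email_domain(email) in COMPANY_DOMAINS:
            acct.role = ROLE_AGENT_PENDING   # still no agent tools
        return acct

    def approve_agent(self, email: str) -> Account:
        """Out-of-band approval (an admin action) required before agent tools."""
        acct = self.accounts[email]
        if not acct.email_verified or acct.role != ROLE_AGENT_PENDING:
            raise PermissionError("only verified, pending company accounts can be approved")
        acct.role = ROLE_AGENT
        return acct


def support_portal_scope(acct: Account, require_verified: bool) -> str:
    """What the SSO-linked support portal lets this identity read.
    With require_verified=False the portal trusts the main site's session
    as-is (the vulnerable setup); with True it refuses unverified identities."""
    if require_verified and not acct.email_verified:
        raise PermissionError("SSO identity has not been verified")
    return "all_tickets" if acct.role == ROLE_AGENT else "own_tickets"
```

The point the two classes make side by side: the fix is not only "send a verification email". The support portal must also refuse to extend trust to an identity the main site has not verified, and a verified company address must still go through approval before it gets agent tools, otherwise anyone who registers `anything@company-domain` on any of the in-scope domains inherits them.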
And that's all for this blog. The takeaway is to always try to abuse how an application works in order to hack it: here the root cause was that an unverified email address was treated as proof of identity, and the SSO link carried that trust straight into the support portal.