Hello Masters and Learners, I hope you are doing well and always putting in your efforts to secure the world so that nobody can benefit unethically.
The main reason I am writing this article is that sometimes, when we lose hope, we just need to think outside of the box xD.
While testing a private HackerOne (h1) site for some basic issues, I found that the site had an email verification mechanism. Its main function is to send a 4-digit verification code (OTP) and an email link to the user-provided email address. I thought: how can I bypass it 🙂
I tried to brute-force the verification code but failed; they have a rate limit there, so I thought I had failed to get a bypass.
But wait, try one more time: I went through the Burp HTTP request history and found this request interesting, which is used for adding an email address.
Request:
POST /registerNewUser HTTP/1.1
Host: www.site.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.site.com/login
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 171
Cookie: foo
DNT: 1
Connection: close

givenName=test&familyName=test&gender=0&email=test@gmail.com&tz=20&agreePrivAndTC=true&password=value&action=send-verification-web
I tried adding test@gmail.com as the email and was shocked when I viewed the response, because it leaks the verification link.
Response:
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 28 Jun 2018 06:47:49 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 54
Connection: close
X-Powered-By: Express
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: -1
Pragma: no-cache
Access-Control-Allow-Origin: *
X-Frame-Options: SAMEORIGIN
ETag: W/"36-zOgjh98O1kXD4SR66HqUdT6UxdM"
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload

{"key":"the verification link","success":1}
After seeing the verification link, my feeling was.
I just reported the issue and was rewarded a $200 bounty for it.
The verification key was in: ETag: W/"36-zOgjh98O1kXD4SR66HqUdT6UxdM" ?