ACCOUNT TAKEOVER VIA RESET PASSWORD JWT

Hades
Sep 10, 2023


In the name of Allah, the Most Gracious, the Most Merciful.

Beginning

At exactly 6pm I was still at the office (I had gone home, but came back to the office because I was bored at home). Because I was bored, I finally did some bug bounty hunting by dorking.

Using my office laptop for bug bounty (don’t imitate this, I don’t have my own laptop yet hahaha), I started learning and hacking; I focused on the password reset feature.

Stuck

Several of the usual account takeover methods did not work.

Get Some Clue

After being stuck for a few hours, I tried to step back and re-check. Long story short, I read a write-up on account takeover via JWT, then applied it: I copied the JWT header and payload, checked them at jwt.io, looked at the “email” parameter, changed the attacker’s email to the victim’s email and sent it. After that I checked, and it worked.

The POST request looks like this:

Steps To Reproduce:

1. Go to the URL https://www.redacted.co.id/en/reset/forgotpassword

2. Check your inbox, open the password reset email, then copy the JWT section of the URL.

3. Go to https://jwt.io/#debugger-io, paste the copied JWT and change the attacker’s email to the victim’s.

4. Then open the password reset link and enter a new password (uppercase letters and numbers).

5. Turn intercept on with the Burp Suite proxy. In the Referer section, replace the JWT with the one edited in jwt.io earlier (copy it, paste it and change the attacker’s email to the victim’s email), then forward the request.

6. The password is changed successfully, because the server raises no validation error for the edited JWT.
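The missing check in step 6, as an added example (not the author’s code or the affected site’s): a reset handler that reads the email claim straight out of the token, beside one that pins the algorithm, verifies the HS256 signature and enforces expiry. The secret, claim names and helper names are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real server keeps this out of source control.
SECRET = b"constructed-demo-signing-key"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_reset_token(email: str, secret: bytes, ttl: int = 900) -> str:
    """Issue an HS256 reset token binding the email and a short expiry."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"email": email, "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def rewrite_claim_unsigned(token: str, claim: str, value: str) -> str:
    """Test vector: edit one claim without re-signing, which is what the jwt.io step above produces."""
    header, payload, sig = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    claims[claim] = value
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.{sig}"


def email_from_token_unverified(token: str) -> str:
    """Vulnerable pattern: the handler trusts the claim without checking the signature."""
    return json.loads(_b64url_decode(token.split(".")[1]))["email"]


def email_from_token_verified(token: str, secret: bytes) -> str:
    """Hardened pattern: pin alg, recompute the HMAC in constant time, enforce exp."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # also rejects alg=none
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")  # an edited payload fails here
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) < time.time():
        raise ValueError("token expired")
    return claims["email"]
```

With the verified variant the edited token from step 3 is rejected before the email claim is ever read, so the reset is bound to the address the server originally issued the token for.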

Conclusions

From this test case, I remind myself that I need to explore every feature and not assume that the same feature or endpoint is not vulnerable based on a test of one feature.

Timeline

· Jun 30 2023 — Reported via HackerOne

· Jul 03 2023 — Triaged by HackerOne staff

· Jul 25 2023 — Resolved

· Aug 24 2023 — Bounty $250
