Hello friends, it has been a while since I wrote anything. I’ve moved to a new city, so I haven’t had much time to write, but we’ll start 2023 with this new post.
A company asked me last year to perform a pentest on one of its web applications, and that engagement is where this post comes from.
Analyzing the application
No credentials were provided for this engagement, so I started by examining the application's functionality from the outside.
As expected, it has a login form. I ran several tests trying to bypass it, all of which were unsuccessful.
But the password reset form still had to be checked, so there was still a chance of finding something exploitable.
Validation
One of the tests was to submit a non-existent email to see how the application responded; as expected, it returned an error saying that the account does not exist.
I then wondered what would happen if the email field was sent empty. It turned out that the application does not validate the empty parameter correctly and returns all the records as JSON. This means the endpoint has no authentication or input validation, and it is probably a GET request.
Checking the browser console, I could see all of that information being printed.
Another interesting detail is that the application then redirects to a view that lists several users and asks which account you want to recover the password for, so at this point we also have the user's ID number.
Burp suite
When we select one of these emails we get an error, because the request does not carry the email parameter. All of this reconnaissance was done without any tool; now we move on to Burp Suite.
Once the GET request is captured, we can see which parameter it sends and what the server responds with: a JSON document containing all existing users and their respective attributes.
Capturing the redirect, we can see that it sends a parameter called Idclientcontact, which is needed together with the email parameter to reset the password. When the request is sent without the email, the application throws an error saying that a recipient has to be added.
Now that we know which parameters are needed and we have the list of Idclientcontact values from the JSON, we can test resetting the password of one of the clients and have it sent to an address of our choosing, since the email parameter is not validated correctly.
When we perform the test we get the response “Success” with status 200, indicating that the password reset succeeded.
The new password is sent by email together with the user name. With these credentials we can log in to the platform's control panel.
Summary
Because the email parameter is not properly validated and the correct HTTP method is not used, an attacker could reset the password of any user exposed in the JSON listing. This affects the confidentiality and integrity of the data each user stores in the platform.
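As an added illustration (this is not code from the original post or from the application that was tested), here is a small Python model of the two behaviours the post describes, placed next to a hardened version. The sample user table, the Idclientcontact values, the addresses, and the substring-filter explanation of why an empty email matches every record are constructed assumptions; the results are returned as dicts instead of being sent over HTTP or handed to a mailer so the logic can be run and checked offline.

```python
import re
import secrets
from dataclasses import dataclass

# Constructed sample data: a tiny stand-in for the application's user table.
@dataclass
class User:
    id_client_contact: int
    email: str
    name: str

USERS = [
    User(17, "alice@example.com", "Alice"),
    User(23, "bob@example.com", "Bob"),
    User(42, "carol@example.com", "Carol"),
]

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
GENERIC_REPLY = "If an account exists for that address, reset instructions have been sent."

# ---- behaviour as described in the post (vulnerable) ----------------------

def find_users_vulnerable(params: dict) -> list:
    """Lookup step. Assumed cause of the leak: the raw parameter is used as a
    substring/LIKE filter, so an empty string matches every record and the
    whole table is serialised back to the client."""
    needle = params.get("email", "")
    return [vars(u) for u in USERS if needle in u.email]

def reset_vulnerable(params: dict) -> dict:
    """Reset step. The account comes from a client-supplied Idclientcontact and
    the recipient comes straight from the email parameter; the two are never
    checked against each other, so the reset mail goes wherever the caller says."""
    recipient = params.get("email")
    if not recipient:
        return {"status": 400, "body": "a recipient has to be added", "mail_to": None}
    wanted = str(params.get("Idclientcontact"))
    user = next((u for u in USERS if str(u.id_client_contact) == wanted), None)
    if user is None:
        return {"status": 404, "body": "not found", "mail_to": None}
    new_password = secrets.token_urlsafe(12)  # would be stored for `user`, then mailed
    return {"status": 200, "body": "Success", "mail_to": recipient}

# ---- hardened form ---------------------------------------------------------

RESET_TOKENS: dict = {}  # token -> id_client_contact; real code adds expiry and single use

def reset_hardened(method: str, params: dict) -> dict:
    """State-changing operation: POST only, the account is resolved server-side
    from a validated email, the recipient is taken from the stored record (no
    client-supplied id or address is trusted), and a one-time token is issued
    instead of mailing a new password."""
    if method != "POST":
        return {"status": 405, "body": "method not allowed", "mail_to": None}
    email = (params.get("email") or "").strip().lower()
    if not EMAIL_RE.match(email):
        return {"status": 400, "body": "invalid email", "mail_to": None}
    user = next((u for u in USERS if u.email == email), None)
    if user is None:
        # Same reply as the success path, so the endpoint cannot enumerate accounts.
        return {"status": 200, "body": GENERIC_REPLY, "mail_to": None}
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = user.id_client_contact
    return {"status": 200, "body": GENERIC_REPLY, "mail_to": user.email, "token": token}

if __name__ == "__main__":
    print(len(find_users_vulnerable({"email": ""})), "records returned for an empty email")
    print(reset_hardened("GET", {"email": "alice@example.com"}))
    print(reset_hardened("POST", {"email": "alice@example.com"})["mail_to"])
```

The hardened version deliberately has no counterpart to the lookup step: there is no endpoint that returns account records, and the client never supplies an Idclientcontact. The only input is the email, it is rejected unless well-formed, the account is looked up server-side by exact match, the mail recipient is the stored address, and the response body is identical whether or not the account exists. In a real deployment the token store would be persisted with an expiry and invalidated after first use, and the reset would ask the user to choose a new password rather than mailing one.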