Hello Buddies,
Hope you guys are doing well. I am really a noobish guy named Abdulwahab Khan. In this article I want to share a PoC of one of my findings in a private program at ZeroCopter.
So, without wasting time, let's move forward to the actual PoC. While testing the program I didn't find anything on their main website except 2-3 low-impact bugs, which I didn't report because I knew they were going to be duplicates. So I looked into the bounty brief again and saw a secondary website, so I just started testing it too. After completing account registration I went to the account details page to test for XSS- and CSRF-type attacks. Unfortunately they are using good WAF protection against XSS, so I tried a CSRF attack. The request looks like:
CustomerAccount.CustomerId=4884c354-5c06-4014-8cdb-978aa7d4fd08&CustomerAccount.FirstName=Abdulwahab&CustomerAccount.LastName=Khan&CustomerAccount.Email=hackertabish786%40bugcrowdninja.com&CustomerAccount.Phone=&profileBirthDate=&myAccountSubscribe=on&profileSignUpDailyDeals=on&__RequestVerificationToken=XdRptyf0jaMfI0VqnRHh7b0g-qo7M420BfdrssU8gNf_md6n4_himhPVpUDn3hYjMmqrqq3cWqE5Znlv7oMRwPtrve5tZ80baAZvzg4Y1NCYCvZqyHc_9nJBcSQt3XTK_rbQ1itYopth1T6eM6H7Cg2

Now there are 2 things that seem interesting: CustomerAccount.CustomerId and __RequestVerificationToken.
Now I tried removing __RequestVerificationToken and forwarded the request, and it changed my profile settings without validating the verification token.
I was like:
After that I quickly created a new account with another email address, captured its profile-change request, removed __RequestVerificationToken, changed the CustomerId to my old account's and forwarded the request.
Response is:
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/json; charset=utf-8
Request-Context: appId=cid-v1:6179475f-85be-4c05-84ee-87e58617700f
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Date: Fri, 19 july 2019 10:01:31 GMT
Connection: close
Content-Length: 32
"Your profile has been updated."

Now it's time to test whether it is really updated on my account and my profile has changed.
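The two defects shown so far, a profile update that trusts the CustomerId posted in the form and an anti-forgery token that is only checked when it happens to be present, can be reproduced in a few lines. The following is an added example written for this post, not the program's own code: the session shape, the in-memory profile store and the handler signatures are assumptions, and the vulnerable handler is only one plausible shape of the bug, placed beside a hardened version that binds the write to the logged-in customer and requires the token.

```python
"""Added example (not the program's code): a profile-update handler with the two
defects shown in this write-up, beside a hardened version. The session and
request shapes are assumed for illustration."""
import hmac
import secrets
from urllib.parse import parse_qs


def parse_form(body: str) -> dict:
    """Flatten an application/x-www-form-urlencoded body to single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def new_session(customer_id: str) -> dict:
    """Assumed session shape: the logged-in customer plus a per-session anti-forgery token."""
    return {"customer_id": customer_id, "csrf_token": secrets.token_urlsafe(32)}


def update_profile_vulnerable(session: dict, body: str, profiles: dict) -> str:
    """Reproduces the observed behaviour: the record to update is taken from the
    form's CustomerAccount.CustomerId, and __RequestVerificationToken is only
    compared when the client bothers to send one."""
    form = parse_form(body)
    token = form.get("__RequestVerificationToken")
    if token is not None and token != session["csrf_token"]:
        return "Invalid anti-forgery token."
    target = form["CustomerAccount.CustomerId"]  # client-controlled: any customer's record
    profiles[target]["Email"] = form["CustomerAccount.Email"]
    return "Your profile has been updated."


def update_profile_hardened(session: dict, body: str, profiles: dict) -> str:
    """The token must be present and equal to the session-bound one (constant-time
    compare), and the record written is always the logged-in customer's, whatever
    CustomerId the form carries."""
    form = parse_form(body)
    token = form.get("__RequestVerificationToken", "")
    if not hmac.compare_digest(token.encode(), session["csrf_token"].encode()):
        return "Invalid anti-forgery token."
    if "CustomerAccount.Email" not in form:
        return "Missing email."
    target = session["customer_id"]  # never trust an id supplied by the client
    profiles[target]["Email"] = form["CustomerAccount.Email"]
    return "Your profile has been updated."
```

The hardened handler still lets a customer change their own email; since the write-up chains that into a password reset, a real deployment would additionally confirm an email change through the old address before it takes effect.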
That moment I was:
After a few moments of happiness I realized: how can an attacker exploit it if he doesn't know the victim's CustomerID? Then I started looking for the CustomerID by testing APIs and JSON files, but failed. Then I was like:
Now I have a full scenario of account takeover by knowing the victim's email.
Using the following steps:
- Get the CustomerID from the unsubscribe button
- Change the email using the IDOR
- Request a new password on the new email
- BOOOM!
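From the defender's side, the chain above leaves a recognisable trace: a profile update whose posted CustomerId is not the customer bound to the session, often with no anti-forgery token at all. The following is an added example, not code from the write-up or the program, that scans constructed sample log lines for that pattern; the log format, field names and path are assumptions made for the example.

```python
"""Added example (not from the write-up): flag profile-update requests whose
form CustomerId is not the session's customer, or that carry no anti-forgery
token. The log format below is constructed for this example."""
import re
from dataclasses import dataclass

# Constructed sample lines: an application log that records, per request, the
# customer id bound to the session and the CustomerId submitted in the form.
SAMPLE_LOG = """\
2019-07-19T10:00:02Z POST /account/details session_cid=aaaa-1111 form_cid=aaaa-1111 token=present status=200
2019-07-19T10:00:40Z POST /account/details session_cid=aaaa-1111 form_cid=aaaa-1111 token=missing status=200
2019-07-19T10:01:31Z POST /account/details session_cid=bbbb-2222 form_cid=aaaa-1111 token=missing status=200
2019-07-19T10:02:05Z POST /account/details session_cid=cccc-3333 form_cid=aaaa-1111 token=present status=403
2019-07-19T10:02:50Z POST /newsletter/unsubscribe session_cid=bbbb-2222 form_cid=aaaa-1111 token=present status=200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) POST (?P<path>\S+) session_cid=(?P<scid>\S+) "
    r"form_cid=(?P<fcid>\S+) token=(?P<token>present|missing) status=(?P<status>\d+)$"
)


@dataclass
class Finding:
    ts: str
    session_cid: str
    form_cid: str
    succeeded: bool      # status 200: the write went through
    reasons: tuple


def review_profile_updates(log_text: str, path: str = "/account/details") -> list:
    """Return one Finding per suspicious update on the profile endpoint."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m or m["path"] != path:
            continue
        reasons = []
        if m["fcid"] != m["scid"]:
            reasons.append("form CustomerId is not the session's customer")
        if m["token"] == "missing":
            reasons.append("no __RequestVerificationToken in request")
        if reasons:
            findings.append(Finding(m["ts"], m["scid"], m["fcid"],
                                    m["status"] == "200", tuple(reasons)))
    return findings


def victims_of_successful_cross_account_writes(findings) -> set:
    """Customer ids whose record was changed from another session; these accounts
    need review for a changed email followed by a password reset."""
    return {f.form_cid for f in findings if f.succeeded and f.form_cid != f.session_cid}
```

Rejected attempts (non-200) are kept as findings too, since a burst of them from one session is the IDOR probing described in this post.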

Timeline:
- Reported: 19 July 2019
- Accepted by ZeroCopter team: 19 July 2019
- Work in progress: 22 July 2019
- Asked for retest: 26 July 2019
- Marked as resolved: 26 July 2019
- Received bounty in my BTC wallet: 27 July 2019
Regards,
Abdulwahab Khan
Independent Cyber Security Researcher.