| And ever has the favor of Allah upon you been great.

Summary:

" Missing server-side password validation that leads to a 2FA reconfiguration bypass through Burp Suite. "

The story:

" I am new to bug bounty hunting; I started almost 8 months ago. As any new bug hunter, I faced many drops, failures and burnout, many tries on different platforms, different techniques.

I was so close to leaving the field 😂, but Alhamdulillah I got my first bounty. I was working on a web app, which was a self-hosted program, let's call it `app.example.com`. While going through it discovering functionalities, it seemed secure: all tries to break the logic or discover misconfigurations ended with 403 or 401.

But while exploring, I came across a legacy interface of the app that showed a 2FA setup dialog, with the options to proceed or log out, no skip,

so I tried to hide the dialog via inline CSS styling `display: none`. The box was hidden and I could use the functions normally, but I felt skipping such a setup was no/low impact.

So I thought: what if I can skip a similar function like this, as it seems there is no server-side validation? I went to user profile settings > 2FA setup, which was previously set.

When clicked, it asks for the account password before proceeding, so I tried sending the valid password and checked the response, and here it is: 204 No Content.

It seemed there was no secure token or post-step dependent token, so I tried a wrong password, intercepted the response and changed it to 204 No Content, then proceeded. It proceeded normally, showing two options to choose from:

  • Google Authenticator
  • email link

I selected Google Authenticator; it showed me a QR code to scan with the GAuth mobile app and asked for the password from the app … and here is the surprise ..

A toast message confirmed that 2FA was successfully set, without needing the account password. "
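As an added illustration (not the affected program's code; user names, passwords and function names are constructed for the demo), here is the pattern the writeup describes, where the password check and the 2FA setup call are unrelated requests, beside a hardened version in which a successful password check mints a short-lived, single-use re-authentication token that the 2FA setup endpoint requires server-side:

```python
import hmac
import secrets
import time
from hashlib import sha256

# Constructed demo user. Plain sha256 keeps the example short; a real system
# stores passwords with a slow hash such as argon2 or bcrypt.
USERS = {"alice": {"pw_hash": sha256(b"correct horse").hexdigest(), "totp_secret": "OLD"}}


def _password_ok(user, password):
    return hmac.compare_digest(USERS[user]["pw_hash"], sha256(password.encode()).hexdigest())


# Vulnerable pattern: the password check is its own request and the client
# decides, from the status code alone, whether to show the setup dialog.
def vulnerable_verify_password(user, password):
    return 204 if _password_ok(user, password) else 401


def vulnerable_set_totp(user, new_secret):
    # Nothing ties this call to a successful password check, so a tampered
    # 401 -> 204 response in the client is enough to reach it.
    USERS[user]["totp_secret"] = new_secret
    return 200


# Hardened pattern: the server remembers that re-authentication happened.
REAUTH_TTL = 300            # seconds a re-auth token stays valid
_reauth_tokens = {}         # user -> (token, expiry)


def hardened_verify_password(user, password):
    if not _password_ok(user, password):
        return 401, None
    token = secrets.token_urlsafe(32)
    _reauth_tokens[user] = (token, time.time() + REAUTH_TTL)
    return 204, token


def hardened_set_totp(user, new_secret, reauth_token):
    entry = _reauth_tokens.get(user)
    if entry is None:
        return 403
    token, expiry = entry
    if time.time() > expiry or not hmac.compare_digest(token, reauth_token or ""):
        _reauth_tokens.pop(user, None)   # expired or mismatched: drop it
        return 403
    _reauth_tokens.pop(user)             # single use
    USERS[user]["totp_secret"] = new_secret
    return 200
```

In the hardened flow the client's view of the password response no longer matters: without the server-issued token the setup endpoint refuses the change.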

Impact:

  • 2FA reconfiguration bypass via response manipulation
  • A potential denial of use, especially given the missing reset-2FA mechanism
  • Missing server-side validation

Timeline:

  • 3 Apr → Reported
  • 7 Apr → Confirmed
  • 8 Apr → Reward issued

Takeaway:

  • Even if the app looks secure, one missing minor detail can introduce a vulnerability, so you are on the right way, keep going; Inshaa Allah you will do it.

#BugBounty #CyberSecurity #EthicalHacking #Pentesting #SecurityResearch #BugHunter #InfoSec #AppSec #ResponsibleDisclosure