
From Static domain to Account Takeover

Welcome back to another write-up. In this write-up I am going to share how I found an account takeover starting from a static domain. I will try to keep things simple, easy and to the point. During my recon I came across a static domain that had nothing interesting on it: just a picture with the logo of the web app and a disabled HTML form on the left side. Seeing the HTML form, the first thing I did was dir/file busting, but I couldn't find any hidden file or directory, and there was also nothing in the Wayback Machine or on Google. Next I opened the source code to see if there was anything interesting there, but nothing was there either.


The last thing left on that page was the disabled HTML form. The form had only three input fields: Name, Country and Email. I tried passing these in the URL as parameters, like https://sub.domain.com/index.html?name=test&country=test&email=test, to see if that would populate the disabled HTML form, and it worked. We can see the names of these input fields in the source code; I always do this when looking for XSS, so at this point it was muscle memory. When I sent a GET request with these parameters I got the same HTML form back in the response, but this time there was a submit button right below the form. I clicked on it and got an error: Invalid Country Code. I had used the word test in the country input field, which is indeed an invalid country. Next I tried a few valid country names, but I kept getting the same error. If we look at the error message, it says Invalid Country Code, which means it might be looking for country codes rather than country names. The next thing I tried was the country code of the United States, which is US, and it went through successfully. But I got a different error this time.


The new error was Invalid Email Address. I tried a few different email domains, but it kept giving me the same error. At this point I hadn't looked into what kind of requests were being sent to the server and what responses were coming back. I turned on Burp and looked at the requests. The first request was being sent to the /countryValidate endpoint. The second request was being sent to the /emailValidate endpoint. We had passed the country error stage and it was time to look into the email error. The response coming back from the server was something like this:

    HTTP/2 200 OK
    Content-Type: text/plain;
    Vary: Accept-Encoding

    {
      "is_valid": false,
      "reason": "domain"
    }

Seeing that response you can guess my next step: I simply changed "is_valid": false to "is_valid": true and removed the reason from the response. When I forwarded the response I saw a new request in Burp being sent to the /register endpoint, bypassing the email error. Yeah, it was that simple. I spent about an hour just building this request. After forwarding the last request from Burp I came back to my browser to see the response. I got a response saying I would get an activation link at my email address, but I didn't. I went back to Burp to see the response to this last request and guess what: the activation link was being leaked in the response. I opened that link in the browser and was able to log in to my account without having access to that email address. At this point it was just an email verification bypass.


Next I thought of using an already registered email to see if I could leak its token. I was expecting an error, but when I used an already registered email (the email I had used earlier for creating an account) I got an activation link in the response. And when I opened it I got logged in to that same account. An attacker just has to know the victim's email address and can easily log in to their account by leaking its activation link. It took me around an hour to find this bug, but later I found out there was a valid registration form: you get redirected to the domain where I found this bug if you get an error in your registration request, such as an invalid email address. I was getting the invalid email error on the main registration website too, which needs to be bypassed for leaking activation tokens.
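The two defects above (the /register step trusting the browser's view of the /emailValidate result and then echoing the activation link, and re-issuing a link for an already registered address) can be modelled with a small in-memory registration flow. This is an added example, not code from the affected application; the country list, the blocked-domain policy behind reason "domain", the storage dicts and the activation URL are all assumptions.

```python
import re
import secrets
import hashlib

# Constructed example: an in-memory model of the registration flow from the write-up.
# Endpoint names (/countryValidate, /emailValidate, /register) come from the post;
# the country list, blocked domains and storage are assumptions.
COUNTRY_CODES = {"US", "GB", "DE", "IN"}
BLOCKED_DOMAINS = {"example.invalid"}            # assumed policy behind reason "domain"
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")

def validate_country(code: str) -> bool:
    return code.upper() in COUNTRY_CODES

def validate_email(email: str) -> dict:
    """Body shape mirrors the /emailValidate response quoted in the write-up."""
    m = EMAIL_RE.match(email)
    if not m:
        return {"is_valid": False, "reason": "format"}
    if m.group(1).lower() in BLOCKED_DOMAINS:
        return {"is_valid": False, "reason": "domain"}
    return {"is_valid": True}

def register(name, country, email, users, tokens, outbox):
    """Hardened /register: re-runs both checks itself instead of relying on the
    earlier /emailValidate round trip (which the browser controls), never echoes
    the activation token, and never issues a fresh one for a known address."""
    if not validate_country(country):
        return {"ok": False, "error": "Invalid Country Code"}
    if not validate_email(email)["is_valid"]:
        return {"ok": False, "error": "Invalid Email Address"}
    generic = {"ok": True, "message": "If this address is new, an activation link was sent."}
    key = email.lower()
    if key in users:                     # existing account: same reply, nothing mailed
        return generic
    token = secrets.token_urlsafe(32)    # token goes only to the mailbox; store its hash
    users[key] = {"name": name, "country": country.upper(), "active": False}
    tokens[hashlib.sha256(token.encode()).hexdigest()] = key
    outbox.append((key, f"https://app.example/activate?token={token}"))  # constructed URL
    return generic

def activate(token, users, tokens) -> bool:
    """Single-use activation: look the token up by hash, then burn it."""
    key = tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if key is None:
        return False
    users[key]["active"] = True
    return True
```

Note that the response for a new and an already registered address is byte-identical, so the endpoint can no longer be used as a token oracle or to enumerate accounts.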


It looks like a simple, easy bug, but I wouldn't have found it if I had moved on after looking at that static domain. The thing I learnt from this is to dig more, no matter if the domain is static, has no content or whatever. Dig deep, try all the things you know, poke around. That's all for today. If you have any feedback or any questions, feel free to DM me on Twitter at R29k. Thank you for reading this, I will see you in the next write-up.