Easy Bugs: Part Two

Easy Bugs in Bug Bounty – Part 2



Bug bounty hunting is an exciting field, and sometimes, the simplest vulnerabilities can lead to valuable findings. In this second part of our Easy Bugs in Bug Bounty series, we’ll explore a new set of common yet impactful bugs that many applications suffer from. These issues are often overlooked but can lead to severe security consequences if exploited.

This guide will break down each bug, explain how to test for it, and highlight its potential impact.


1. Session Management Issues

1.1 Old Session Does Not Expire After Password Change

Failing to terminate old sessions after a password change leaves accounts vulnerable: a session an attacker already holds keeps working even after the legitimate owner changes the password.

Steps to Test:

  1. Create an account on the target website.
  2. Log in using two browsers (e.g., Chrome and Firefox, or Incognito mode).
  3. Change your password in Chrome.
  4. Refresh the Firefox/Incognito session.
  5. If you remain logged in, it’s a bug.

Impact:

Attackers with lingering session access can bypass password changes.

1.2 Session Hijacking via Cookie Theft

Stealing session cookies allows attackers to hijack user accounts, and if the server does not invalidate the session on logout, a copied cookie keeps working even after the user has logged out.

Steps to Test:

  1. Create an account on the target site and log in.
  2. Use a cookie editor browser extension.
  3. Copy all session cookies.
  4. Log out of your account.
  5. Paste the cookies into the cookie editor.
  6. Refresh the page—if you’re still logged in, it’s a session hijacking flaw.

Impact:

Cookie theft (via XSS or MITM) leads to unauthorized access and account takeover (ATO).
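As an added example (not code from this post), the following Python session store shows the two server-side properties that the tests in 1.1 and 1.2 check for: a password change strands every other session for the user, and logout destroys the server-side record so a copied cookie value no longer resolves to anything. The SessionStore class, the "password generation" counter and the user id are assumptions made for this illustration; password hashing is left out because only the effect on sessions matters here.

```python
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    user_id: int
    created_at: float
    password_generation: int   # password "generation" the session was issued under


class SessionStore:
    """Server-side session store (an assumed design, not code from the page).

    * Each session records the password generation it was issued under; a
      password change bumps the generation, so every other session for that
      user stops resolving (fixes 1.1).
    * Logout deletes the server-side record, so a cookie value copied before
      logout maps to nothing when pasted back (fixes 1.2).
    """

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}   # cookie value -> session
        self._generation: dict[int, int] = {}     # user_id -> password generation

    def login(self, user_id: int) -> str:
        """Create a session and return the opaque value to place in the cookie."""
        cookie = secrets.token_urlsafe(32)
        gen = self._generation.setdefault(user_id, 0)
        self._sessions[cookie] = Session(user_id, time.time(), gen)
        return cookie

    def resolve(self, cookie: str) -> Optional[int]:
        """Map a cookie value to a user_id, or None if the session is not valid."""
        sess = self._sessions.get(cookie)
        if sess is None:
            return None
        if sess.password_generation != self._generation.get(sess.user_id, 0):
            del self._sessions[cookie]   # issued before the last password change
            return None
        return sess.user_id

    def logout(self, cookie: str) -> None:
        """Destroy the server-side session; the cookie value becomes meaningless."""
        self._sessions.pop(cookie, None)

    def change_password(self, cookie: str) -> None:
        """Bump the user's password generation, keeping only the calling session.

        Password hashing and storage are out of scope; only the session effect
        is shown.
        """
        user_id = self.resolve(cookie)
        if user_id is None:
            raise PermissionError("authentication required")
        self._generation[user_id] = self._generation.get(user_id, 0) + 1
        # Re-stamp the session that made the change so it alone stays valid.
        self._sessions[cookie].password_generation = self._generation[user_id]


def replay_page_tests() -> dict[str, bool]:
    """Re-run the two manual tests above; True means the store passes."""
    store = SessionStore()
    user = 7   # constructed user id

    # 1.1: log in from two browsers, change the password in one, refresh the other.
    chrome = store.login(user)
    firefox = store.login(user)
    store.change_password(chrome)
    old_session_expired = store.resolve(firefox) is None and store.resolve(chrome) == user

    # 1.2: copy the cookie, log out, paste the copy back and refresh.
    cookie = store.login(user)
    copied = cookie
    store.logout(cookie)
    copied_cookie_rejected = store.resolve(copied) is None

    return {
        "old_session_expires_after_password_change": old_session_expired,
        "copied_cookie_rejected_after_logout": copied_cookie_rejected,
    }


if __name__ == "__main__":
    print(replay_page_tests())
```

Checking the generation lazily in resolve() means no scan over all sessions is needed at password-change time; a store that can enumerate sessions per user could instead delete the others eagerly, which also gives the user a visible "signed out everywhere else" confirmation.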


2. Password Reset Issues

2.1 Password Reset Token Does Not Expire

Persistent password reset tokens create exploitable loopholes.

Steps to Test:

  1. Create an account on the target site.
  2. Request a "Forgot Password" token but don’t use it.
  3. Log in with your old password and change your email.
  4. Use the original token—if it resets the password, it’s a bug.

Impact:

Old tokens remain valid, allowing attackers to reset passwords after the email address has been changed.

2.2 Old Password Reset Token Persists After New Request

Old reset tokens should expire when new ones are issued.

Steps to Test:

  1. Create an account with a valid email.
  2. Log out and request a password reset link.
  3. Request a second link without using the first.
  4. Use the first link—if it works, the token didn’t expire.

Impact:

Outdated tokens remain usable, risking account compromise.

2.3 Password Reset Token Survives Password Change

Tokens should invalidate after a password change.

Steps to Test:

  1. Create an account and request a reset link.
  2. Use the link to change your password and log in.
  3. Reuse the link—if it changes the password again, it’s a bug.

Impact:

Persistent tokens enable repeated password resets by attackers.
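As an added example (not code from this post), the Python service below implements the three rules that 2.1, 2.2 and 2.3 test for in one place: a reset token is bound to the email address and password generation current when it was issued, a new request discards the previous token, and a successful reset consumes the token and bumps the generation so the same link cannot work twice. The class, the 15-minute lifetime and the constructed users are assumptions for this illustration; password hashing is omitted.

```python
from __future__ import annotations

import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

RESET_TTL_SECONDS = 15 * 60   # assumed token lifetime


@dataclass
class ResetRecord:
    user_id: int
    email: str                 # address the link was mailed to
    password_generation: int   # user's password generation when issued
    expires_at: float


class PasswordResetService:
    """Reset-token handling that closes 2.1, 2.2 and 2.3 (assumed design).
    Only SHA-256 digests of tokens are stored, so reading the table does not
    yield working links."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._users: dict[int, dict] = {}             # user_id -> account fields
        self._records: dict[str, ResetRecord] = {}    # token digest -> record
        self._active: dict[int, str] = {}             # user_id -> current digest

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def add_user(self, user_id: int, email: str) -> None:
        self._users[user_id] = {"email": email, "password_generation": 0}

    def change_email(self, user_id: int, new_email: str) -> None:
        self._users[user_id]["email"] = new_email

    def change_password(self, user_id: int) -> None:
        # Hash storage is out of scope; bumping the generation is what matters here.
        self._users[user_id]["password_generation"] += 1

    def issue(self, user_id: int) -> str:
        """Mint a token for the user, discarding any earlier one (2.2)."""
        old = self._active.pop(user_id, None)
        if old is not None:
            self._records.pop(old, None)
        token = secrets.token_urlsafe(32)
        user = self._users[user_id]
        self._records[self._digest(token)] = ResetRecord(
            user_id, user["email"], user["password_generation"],
            self._clock() + RESET_TTL_SECONDS)
        self._active[user_id] = self._digest(token)
        return token

    def redeem(self, token: str) -> Optional[int]:
        """Consume the token; return the user_id whose password may now be set,
        or None if the token is unknown, expired, superseded or stale."""
        # Lookup by digest of a 256-bit random token: no secret is compared here.
        rec = self._records.pop(self._digest(token), None)
        if rec is None:
            return None
        self._active.pop(rec.user_id, None)
        user = self._users[rec.user_id]
        if self._clock() > rec.expires_at:
            return None
        if rec.email != user["email"]:                                # 2.1
            return None
        if rec.password_generation != user["password_generation"]:   # 2.3
            return None
        self.change_password(rec.user_id)   # new password set; this link is now dead
        return rec.user_id


def replay_page_tests() -> dict[str, bool]:
    """Re-run 2.1, 2.2 and 2.3; True means the service passes (bug absent)."""
    svc = PasswordResetService(clock=lambda: 1_000.0)   # fixed clock, constructed
    svc.add_user(1, "me@example.com")

    token = svc.issue(1)                      # 2.1: request, then change email
    svc.change_email(1, "new@example.com")
    stale_after_email_change = svc.redeem(token) is None

    first, second = svc.issue(1), svc.issue(1)   # 2.2: two requests, use the first
    first_superseded = svc.redeem(first) is None and svc.redeem(second) == 1

    token = svc.issue(1)                      # 2.3: use the link, then reuse it
    consumed_on_use = svc.redeem(token) == 1 and svc.redeem(token) is None

    return {
        "token_rejected_after_email_change": stale_after_email_change,
        "old_token_rejected_after_new_request": first_superseded,
        "token_rejected_after_password_change": consumed_on_use,
    }
```

Binding the token to a password generation rather than to the password hash itself also makes a direct password change in account settings (not via the link) invalidate any outstanding reset token, which the lookup in redeem() enforces without the settings page having to know about reset tokens at all.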


3. Authentication and Authorization Issues

3.1 Broken Authentication: Email Verification Bypass

Weak email verification lets attackers gain elevated privileges.

Steps to Test:

  1. Create an account and receive a verification link.
  2. Note which privileges are withheld from an unverified account.
  3. Log in and change your email to "Email B."
  4. Verify "Email B."
  5. Switch back to the original email—if it’s marked verified, it’s a bug.

Impact:

Attackers bypass verification, accessing privileged features.

3.2 Email Verification Bypass via Email Switch

This flaw verifies a victim’s email without their consent.

Steps to Test:

  1. Create an account with your email and receive a verification link.
  2. Change your email to a victim’s address.
  3. Click your original verification link—if the victim’s email verifies, it’s a bug.

Impact:

Attackers can hijack accounts by verifying unowned emails.
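As an added example (not code from this post), here is a Python sketch of email verification that keeps verified status per address rather than per account, which is what blocks both 3.1 and 3.2: a token confirms exactly the address it was mailed to, and only while that address is still the account's current one, and switching addresses never carries the verified flag along. The class and the constructed users are assumptions for this illustration.

```python
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class VerificationRecord:
    user_id: int
    email: str   # the address this token was mailed to


class EmailVerification:
    """Verification state kept per address, not per account (assumed design).

    An account counts as verified only while its current address equals the
    address that was actually confirmed. A token confirms the address it was
    sent to, and only if that address is still current, which blocks 3.1
    (verify B, switch back to unverified A) and 3.2 (use A's link after
    switching to a victim's address B).
    """

    def __init__(self) -> None:
        self._users: dict[int, dict] = {}                  # user_id -> {email, verified_email}
        self._pending: dict[str, VerificationRecord] = {}  # token digest -> record

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def register(self, user_id: int, email: str) -> str:
        self._users[user_id] = {"email": email, "verified_email": None}
        return self.send_verification(user_id)

    def send_verification(self, user_id: int) -> str:
        """Issue a token bound to the user's current address and return the
        token that would be embedded in the mailed link."""
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = VerificationRecord(
            user_id, self._users[user_id]["email"])
        return token

    def change_email(self, user_id: int, new_email: str) -> str:
        """Switch the account's address. Verified status does not carry over
        and tokens issued for the previous address are dropped."""
        self._users[user_id]["email"] = new_email
        self._pending = {d: r for d, r in self._pending.items() if r.user_id != user_id}
        return self.send_verification(user_id)

    def verify(self, token: str) -> bool:
        rec = self._pending.pop(self._digest(token), None)
        if rec is None:
            return False
        user = self._users[rec.user_id]
        if rec.email != user["email"]:
            return False   # link was for an address the account no longer uses
        user["verified_email"] = rec.email
        return True

    def is_verified(self, user_id: int) -> bool:
        user = self._users[user_id]
        return user["verified_email"] is not None and user["verified_email"] == user["email"]


def replay_page_tests() -> dict[str, bool]:
    """Re-run 3.1 and 3.2; True means the flaw is absent."""
    ev = EmailVerification()

    # 3.1: never verify A, verify B, switch back to A, check A's status.
    ev.register(1, "a@example.com")
    tok_b = ev.change_email(1, "b@example.com")
    verified_b = ev.verify(tok_b)
    ev.change_email(1, "a@example.com")
    bug_3_1_absent = verified_b and not ev.is_verified(1)

    # 3.2: keep your own link, switch to a victim's address, click the link.
    tok_own = ev.register(2, "me@example.com")
    ev.change_email(2, "victim@example.com")
    bug_3_2_absent = not ev.verify(tok_own) and not ev.is_verified(2)

    return {"email_switch_back_bypass_blocked": bug_3_1_absent,
            "foreign_address_verification_blocked": bug_3_2_absent}
```

Dropping pending tokens in change_email() and checking rec.email in verify() are two independent guards; either alone blocks 3.2, and keeping both means a race between a mailed link and an address change still ends safely. An application that wants "switch back to a previously verified address" to work without re-verification would have to keep a history of confirmed addresses per account; the simplest safe default, shown here, is to require re-verification.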


4. Server Security Misconfigurations

4.1 Missing Cache-Control Headers

Improper caching exposes sensitive data after logout.

Steps to Test:

  1. Log in to the application and navigate secure pages.
  2. Log out.
  3. Press Alt + Left Arrow (back button).
  4. If sensitive pages are accessible, it’s a bug.

Impact:

Data leaks in shared environments (e.g., PC cafes) due to cached pages.
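As an added example (not code from this post), the Python below shows both sides of this finding: a helper that attaches no-store headers to authenticated responses, and an audit function that parses a response's Cache-Control directives and reports the weaknesses that let the back button replay a page after logout. The header baseline, the dashboard responses and the finding strings are assumptions constructed for this illustration.

```python
from __future__ import annotations

from typing import Optional

# Headers an authenticated response should carry so browsers, proxies and the
# back/forward cache do not keep a copy after logout (assumed baseline).
NO_STORE_HEADERS = {
    "Cache-Control": "no-store, max-age=0",
    "Pragma": "no-cache",   # honoured by HTTP/1.0 caches
    "Expires": "0",
}


def apply_no_store(headers: dict[str, str], authenticated: bool) -> dict[str, str]:
    """Return a copy of the response headers with caching disabled for
    authenticated responses; public static assets are left untouched."""
    out = dict(headers)
    if authenticated:
        out.update(NO_STORE_HEADERS)
    return out


def _directives(cache_control: str) -> dict[str, Optional[str]]:
    """Parse 'no-store, max-age=0, private' into
    {'no-store': None, 'max-age': '0', 'private': None}."""
    result: dict[str, Optional[str]] = {}
    for part in cache_control.split(","):
        part = part.strip().lower()
        if not part:
            continue
        name, _, value = part.partition("=")
        result[name.strip()] = value.strip().strip('"') if value else None
    return result


def audit_cache_headers(headers: dict[str, str]) -> list[str]:
    """Return findings for a response that carries session-specific content.
    Header names are matched case-insensitively, as HTTP requires."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []
    cc = lower.get("cache-control")
    if cc is None:
        findings.append("Cache-Control header missing")
        return findings
    d = _directives(cc)
    if "no-store" not in d:
        findings.append("Cache-Control lacks no-store; page may be served from cache after logout")
    if "public" in d:
        findings.append("Cache-Control allows shared caches (public)")
    max_age = d.get("max-age")
    if max_age is not None and max_age.isdigit() and int(max_age) > 0:
        findings.append(f"Cache-Control max-age={max_age} permits reuse for {max_age}s")
    return findings


# Constructed example: a dashboard response before and after hardening.
WEAK_RESPONSE = {"Content-Type": "text/html", "Cache-Control": "public, max-age=3600"}
HARDENED_RESPONSE = apply_no_store(WEAK_RESPONSE, authenticated=True)

if __name__ == "__main__":
    print("weak:", audit_cache_headers(WEAK_RESPONSE))
    print("hardened:", audit_cache_headers(HARDENED_RESPONSE))
```

no-store is the directive that matters for the back-button case; no-cache alone only forces revalidation and still lets the browser keep the bytes, which is why the audit treats "no-cache" without "no-store" as a finding.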


5. Account Takeover Vulnerabilities

5.1 Insufficient Account Process Validation

Weak validation in profile updates facilitates account takeover (ATO).

Steps to Test:

  1. Create an account and edit your name in the profile section.
  2. Use Burp Suite to capture the request and send it to Repeater.
  3. Log out.
  4. In Repeater, alter the email and name, then send the request.
  5. If the request returns a 200 OK and the email is changed, it's a bug.

Impact:

Attackers can overwrite account details, leading to full takeover.
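As an added example (not code from this post), this Python handler shows what the replayed Repeater request should run into: the acting user is taken from the server-side session only, a request without a live session gets 401 regardless of what the body says, identity fields in the body are ignored, and an email change is staged as pending rather than applied in the same request as a name edit. The session table, the user record and the field rules are assumptions constructed for this illustration.

```python
from __future__ import annotations

from typing import Optional

# Constructed state: cookie value -> user_id, and the user table.
SESSIONS: dict[str, int] = {"sess-constructed-1": 42}
USERS: dict[int, dict] = {
    42: {"name": "Alice", "email": "alice@example.com", "pending_email": None},
}

EDITABLE_FIELDS = {"name"}   # fields the profile endpoint may write directly


def logout(cookie: str) -> None:
    SESSIONS.pop(cookie, None)


def update_profile(cookie: Optional[str], body: dict) -> tuple[int, dict]:
    """Handle the profile update request. Identity comes from the server-side
    session only; a user_id or similar field in the body is ignored. An email
    change is staged as pending and takes effect only after verification."""
    user_id = SESSIONS.get(cookie) if cookie else None
    if user_id is None:
        # A captured request replayed after logout lands here (steps 3 and 4 above).
        return 401, {"error": "authentication required"}
    user = USERS[user_id]
    applied: dict = {}
    for field in sorted(set(body) & EDITABLE_FIELDS):
        value = body[field]
        if not isinstance(value, str) or not 1 <= len(value.strip()) <= 100:
            return 400, {"error": f"invalid {field}"}
        user[field] = value.strip()
        applied[field] = user[field]
    if "email" in body:
        new_email = body["email"]
        if not isinstance(new_email, str) or "@" not in new_email:
            return 400, {"error": "invalid email"}
        user["pending_email"] = new_email   # the verification flow confirms it later
        applied["pending_email"] = new_email
    ignored = sorted(set(body) - EDITABLE_FIELDS - {"email"})
    return 200, {"applied": applied, "ignored": ignored}


def replay_page_test() -> dict:
    """Replay steps 1 to 5 above against the handler."""
    cookie = "sess-constructed-1"
    update_profile(cookie, {"name": "Alice A"})          # step 1: edit the name
    logout(cookie)                                        # step 3
    status, _ = update_profile(cookie, {"name": "Mallory",   # step 4: replay
                                        "email": "attacker@example.com"})
    return {
        "status_after_logout": status,
        "email_unchanged": USERS[42]["email"] == "alice@example.com",
        "name_unchanged": USERS[42]["name"] == "Alice A",
    }


if __name__ == "__main__":
    print(replay_page_test())
```

The point of the split between EDITABLE_FIELDS and the pending-email branch is that even a request from a live session cannot swap the login email in one step; an attacker with a short-lived foothold still has to pass the verification sent to the new address.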


6. Weak Password Policy

6.1 Brute Force and Dictionary Attack Risk

A weak password policy increases the likelihood of successful brute force attacks.

Steps to Test:

First Way:

  1. Check if the password can match the email address.
  2. Check if the password can match the username (if applicable).
  3. Test these during:
    • Account creation.
    • Password reset.
    • Password change in account settings.

Second Way:

  1. Attempt weak passwords (e.g., "123456," "111111," "abcabc," "qwerty123").
  2. Test these during:
    • Account creation.
    • Password reset.
    • Password change in account settings.

Impact:

Attackers can easily guess passwords, leading to ATO and exposure of sensitive data.
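As an added example (not code from this post), the Python below is a single password-policy chokepoint that covers both ways of testing above: it rejects a password that equals or contains the email address, its local part or the username, and it rejects the weak values the post lists via a denylist, and the same function is called from all three flows (account creation, password reset, password change) so the policy cannot be enforced at signup and forgotten at reset. The 12-character minimum, the denylist excerpt and the flow names are assumptions for this illustration.

```python
from __future__ import annotations

from typing import Optional

MIN_LENGTH = 12   # assumed minimum; set according to your own threat model

# Constructed denylist excerpt: the post's examples plus a few staples. A real
# deployment would load a large breached-password list instead.
DENYLIST = {"123456", "111111", "abcabc", "qwerty123", "password", "letmein"}

FLOWS = ("account_creation", "password_reset", "password_change")


def _identity_terms(email: str, username: Optional[str]) -> set[str]:
    """Strings a password must not equal or contain: the email address, its
    local part and the username, all lower-cased (very short ones skipped)."""
    terms = {email.lower(), email.lower().split("@", 1)[0]}
    if username:
        terms.add(username.lower())
    return {t for t in terms if len(t) >= 3}


def check_password(password: str, email: str, username: Optional[str] = None) -> list[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems: list[str] = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in DENYLIST:
        problems.append("on the weak-password denylist")
    if len(set(password)) == 1:
        problems.append("single repeated character")
    for term in sorted(_identity_terms(email, username)):
        if term in lowered:
            problems.append(f"contains account identifier '{term}'")
            break
    return problems


def set_password(flow: str, password: str, email: str, username: Optional[str] = None) -> bool:
    """Single chokepoint used by all three flows the post lists."""
    if flow not in FLOWS:
        raise ValueError(f"unknown flow {flow!r}")
    if check_password(password, email, username):
        return False   # the caller reports the reasons from check_password()
    # Password hashing and storage are out of scope for this example.
    return True


if __name__ == "__main__":
    for candidate in ("123456", "alice@example.com", "Correct-Horse-Battery-9"):
        print(candidate, "->", check_password(candidate, "alice@example.com", "alice9"))
```

Returning every violation rather than stopping at the first lets the form tell the user all the reasons at once, and routing every flow through set_password() is what turns the post's "test these during creation, reset and change" checklist into a single place to audit.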


Conclusion

Easy bugs in bug bounty programs are often overlooked, but they can lead to serious security issues. By understanding session management flaws, authentication weaknesses, password reset vulnerabilities, and security misconfigurations, you can find valuable bugs with minimal effort.

If you're a bug bounty hunter, focus on these common issues—they might just land you your next bounty! Happy hunting!

