WebGoat (A2) Broken Authentication - Authentication Bypasses

Table of Contents

1. Strange breakthrough

2. Confused code

3. A simple mind map


1. Strange breakthrough

The goal of this lesson is to bypass the security-question verification and gain the ability to reset the password.

Fill in the two boxes with arbitrary values, as in the picture above. After submitting, Burp Suite captures the following request; send it to Repeater.

Since the example given earlier on this page was bypassed simply by deleting the two parameters secQuestion0 and secQuestion1, at first I thought doing the same here would work. In fact, that produces an error, as shown in the figure below.

Since the parameters cannot be deleted, there must be another oddity. secQuestion is followed by a number; if that number is changed to one that does not exist, will an arbitrary value or an empty value pass verification?

As shown in the figure below, construct the payload: secQuestion00=lily&secQuestion100=YN&jsEnabled=1&verifyMethod=SEC_QUESTIONS&userId=12309746

The level is passed successfully.

2. Confused code

The server code for this lesson is at the path shown in the figure below. First, the parseSecQuestions() function collects, from the parameters sent by the front end, every parameter whose name contains secQuestion, together with its value;

these key-value pairs are then passed to a method of the AccountVerificationHelper class for verification.

I located the definition of this class and found that the file already hints that the vulnerability is in the verifyAccount() function. A closer look shows that the if branches do not cover every case, and the parameter names submitted are not secQuestion0 and secQuestion1.
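To make the flaw in verifyAccount() concrete, the following is an added illustration (not WebGoat's own source) of the verification shape this section describes, with the vulnerable version beside a hardened one. The class name, the stored answers and the request map are constructed for the example.

```java
import java.util.HashMap;
import java.util.Map;

public class SecQuestionBypass {
    // Constructed stand-in for one user's stored answers (not WebGoat's real data).
    static final Map<String, String> STORED =
            Map.of("secQuestion0", "Dr. Watson", "secQuestion1", "Baker Street");

    // Parsing step as the post describes it: keep every submitted parameter whose
    // name contains "secQuestion", whatever digits follow it.
    static Map<String, String> parseSecQuestions(Map<String, String> request) {
        Map<String, String> out = new HashMap<>();
        for (Map.Entry<String, String> e : request.entrySet()) {
            if (e.getKey().contains("secQuestion")) out.put(e.getKey(), e.getValue());
        }
        return out;
    }

    // Vulnerable shape: the count check is why deleting the parameters errors out,
    // but each answer is compared only when its exact key is present, so renamed
    // keys such as secQuestion00 are never compared and the method returns true.
    static boolean verifyVulnerable(Map<String, String> submitted) {
        if (submitted.size() != STORED.size()) return false;
        if (submitted.containsKey("secQuestion0")
                && !submitted.get("secQuestion0").equals(STORED.get("secQuestion0"))) return false;
        if (submitted.containsKey("secQuestion1")
                && !submitted.get("secQuestion1").equals(STORED.get("secQuestion1"))) return false;
        return true;
    }

    // Hardened: drive the check from the server's expected keys and require each one
    // to be present and correct, so extra or renamed keys can no longer slip through.
    static boolean verifyFixed(Map<String, String> submitted) {
        if (submitted.size() != STORED.size()) return false;
        for (Map.Entry<String, String> expected : STORED.entrySet()) {
            String given = submitted.get(expected.getKey());
            if (given == null || !given.equals(expected.getValue())) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // The renamed-key request from section 1, rebuilt as a parameter map.
        Map<String, String> request = Map.of("secQuestion00", "lily", "secQuestion100", "YN",
                "jsEnabled", "1", "verifyMethod", "SEC_QUESTIONS", "userId", "12309746");
        Map<String, String> submitted = parseSecQuestions(request);
        System.out.println("vulnerable check passes: " + verifyVulnerable(submitted));
        System.out.println("hardened check passes:   " + verifyFixed(submitted));
    }
}
```

The vulnerable method accepts the renamed keys because neither containsKey branch fires; the hardened method rejects them because the expected keys are missing.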

3. A simple mind map


Source: blog.csdn.net/elephantxiang/article/details/114494879