Hello everyone, I'm @dhakal_ananda from Nepal, and I took part in Razer's bug bounty program on HackerOne. The program started out as a private one: I received an invitation but did not take part at the time. Later it became a public program, and that is when it started to interest me. When hunting for bugs I prefer bypassing security features (such as two-step verification) to hunting the usual XSS and SQL injection bugs, so I soon began trying to bypass the one-time password (OTP), since the application prompts for it every time you perform a sensitive operation. After several tests I found that the target application uses a long token to record whether the OTP has been entered, and that token is only issued after a valid OTP is entered. So how could we bypass the OTP, or its token? It quickly occurred to me to ask whether the token was shared between different users, so I simply tried it, and it actually worked.

Steps to reproduce

POST /api/emily/7/user-security/post HTTP/1.1

It should be noted that, when interacting with Razer's website, three fields are involved in authentication: user_id, user_token and OTP_token. OTP_token can only be obtained after entering the OTP. Razer's website did not check which account an OTP_token belonged to; it only verified that the token was valid, so all accounts could use the same account's OTP_token to bypass OTP verification. I wrote up the report in detail and submitted it to Razer, but Razer's reviewer actually thought this vulnerability required physical access to the victim's machine?
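To make the flaw concrete, here is an added example (not Razer's code or the author's) that models the OTP step with hypothetical names: an OTP_token store, the check as the post describes it, which only confirms that the token is one the server issued, and a hardened check that binds the token to the user_id, expires it and burns it after one use.

```python
import hmac
import secrets
import time

# Constructed in-memory model: after a valid OTP the server issues a long
# OTP_token; later requests carry user_id, user_token and OTP_token.
OTP_TOKEN_TTL = 300  # seconds; assumed lifetime, not taken from the post

# OTP_token -> {"user_id": ..., "issued": ..., "used": ...}
otp_tokens = {}

def issue_otp_token(user_id, now=None):
    """Called only once the user has entered a valid OTP for their own account."""
    token = secrets.token_urlsafe(48)
    otp_tokens[token] = {"user_id": user_id, "issued": now or time.time(), "used": False}
    return token

def verify_vulnerable(request):
    """As the post describes it: is the OTP_token one we issued? Never asks to whom."""
    return request["OTP_token"] in otp_tokens

def verify_fixed(request, now=None):
    """Bind the OTP_token to the account, expire it, and burn it after one use."""
    rec = otp_tokens.get(request["OTP_token"])
    if rec is None or rec["used"]:
        return False
    if not hmac.compare_digest(str(rec["user_id"]), str(request["user_id"])):
        return False  # token was issued to a different user_id
    if (now or time.time()) - rec["issued"] > OTP_TOKEN_TTL:
        return False  # stale token
    rec["used"] = True
    return True

def cross_account_check():
    """Token issued to account 1001, presented for account 2002: (vulnerable, fixed)."""
    otp_tokens.clear()
    token = issue_otp_token(user_id=1001, now=1000.0)
    request = {"user_id": 2002, "user_token": "session-of-2002", "OTP_token": token}
    return verify_vulnerable(request), verify_fixed(request, now=1010.0)

def own_account_check():
    """Legitimate flow under the fixed check: (first use, replay, expired token)."""
    otp_tokens.clear()
    token = issue_otp_token(user_id=1001, now=1000.0)
    request = {"user_id": 1001, "user_token": "session-of-1001", "OTP_token": token}
    first, replay = verify_fixed(request, now=1010.0), verify_fixed(request, now=1011.0)
    stale = {**request, "OTP_token": issue_otp_token(1001, now=1000.0)}
    return first, replay, verify_fixed(stale, now=1000.0 + OTP_TOKEN_TTL + 1)
```

The vulnerable check accepts the cross-account request while the fixed one rejects it; the fixed check also refuses a replayed or stale token for the token's own account.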
After a long back-and-forth, Razer said they would provide a test account, and if I could change the email address bound to that account they would accept the vulnerability. I soon had that account bound to my own email address. In the end Razer awarded me a $1000 bounty. After this experience I found another OTP bypass vulnerability, which will be disclosed after Razer fixes it.

This article was compiled and translated by 白帽汇 and does not represent any views or positions of 白帽汇.

Source: https://nosec.org/home/detail/3056.html
Original: https://medium.com/@anandadhakal13/how-i-was-able-to-bypass-otp-token-requirement-in-razer-the-story-of-a-critical-bug-fc63a94ad572
Bypassing the dynamic verification code on Razer's official website
Origin: www.cnblogs.com/wjw-zm/p/11823717.html