Wait Time Bypass for fun and Profit
Hello hackers, I am back with another bug bounty write-up. In today's blog, I am going to show you how I was able to bypass a ban time of 20 minutes.
This bug was on one of Automattic's domains; *.intensedebate.com is in scope. I started hunting for issues on the main application, which is a debate platform with a variety of features like creating posts, sharing opinions, and more.
I created an account and spent 2 hours looking for bugs such as IDOR, XSS, business logic bugs, access control bugs, SQLi, account takeover and information disclosure, but found nothing. While performing a password brute force on the http://intensedebate.com/ login page, I got banned for 20 minutes.
My all-time habit is to capture each and every request in Burp Suite. So I started looking through all HTTP requests to http://intensedebate.com/ in the Target tab of Burp Suite, and I came across one GET endpoint that seemed particularly interesting to me.
The URL is http://intensedebate.com/js/commentAction/?data={"request_type":"2", "params":{"blogpostid":1, "acctid":1, "email":"user_email_id", "pass":"user_password", "firstCall":true}}
As you can see, the path takes email and pass as parameters in the GET request. I opened the URL in the browser with the correct credentials and landed on a JS page.
I noticed that the JavaScript page had several clickable links, including a "Send password reset" link (as shown in the image). I clicked on it without entering anything and was redirected to a 404 page, but at the same time I got logged into my account.
What I did next: first I got myself a 20-minute ban through brute-forcing, then I opened the GET endpoint http://intensedebate.com/js/commentAction/?data={"request_type":"2", "params":{"blogpostid":1, "acctid":1, "email":"user_email_id", "pass":"user_password", "firstCall":true}} with my username and password, clicked on the "Send password reset" link, and got logged in to my account. This is how I bypassed the 20-minute wait time: the lockout was enforced on the login page, but the commentAction endpoint accepted the same credentials without checking it.
Tip: Always capture each and every request in Burp Suite and review all of them later.
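The root cause here is a lockout that lives in one login handler instead of in the credential check that every entry point shares. The following Python is an added illustration, not IntenseDebate's code and not part of the original write-up: it models a `/login` handler and a `/js/commentAction` handler against one in-memory lockout store, first with the lockout checked only by `/login` (the weak layout) and then with both handlers routed through a single `authenticate()` that owns the lockout. The failure threshold (`MAX_FAILURES`), the credential store, and the detail that the commentAction endpoint issues a session directly on the GET (the write-up reaches the session via the "Send password reset" link) are assumptions made for the demo.

```python
import time

LOCKOUT_SECONDS = 20 * 60   # the 20-minute ban described in the write-up
MAX_FAILURES = 5            # assumed threshold; the write-up does not state one

# Constructed credential store for the demo (not real IntenseDebate data).
USERS = {"user_email_id": "user_password"}


class LockoutStore:
    """Tracks failed attempts per account and when the lockout expires.

    `clock` is injectable so tests can advance time without sleeping.
    """

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = {}
        self.locked_until = {}

    def is_locked(self, email):
        return self.locked_until.get(email, 0) > self.clock()

    def record_failure(self, email):
        count = self.failures.get(email, 0) + 1
        self.failures[email] = count
        if count >= MAX_FAILURES:
            self.locked_until[email] = self.clock() + LOCKOUT_SECONDS

    def record_success(self, email):
        self.failures.pop(email, None)
        self.locked_until.pop(email, None)


def check_password(email, password):
    """Raw credential comparison with no lockout awareness."""
    return USERS.get(email) == password


def authenticate(store, email, password):
    """The one place a lockout is enforced; every entry point must call this."""
    if store.is_locked(email):
        return "locked"
    if check_password(email, password):
        store.record_success(email)
        return "ok"
    store.record_failure(email)
    return "bad"


def login_handler(store, email, password):
    """The main login form: goes through authenticate(), so lockouts apply."""
    return authenticate(store, email, password)


def vulnerable_comment_action(store, data):
    """Weak layout: the secondary endpoint verifies the password itself
    and never consults the lockout store, so a banned account still gets in."""
    params = data["params"]
    return "ok" if check_password(params["email"], params["pass"]) else "bad"


def fixed_comment_action(store, data):
    """Fixed layout: the same shared authenticate() as the login form."""
    params = data["params"]
    return authenticate(store, params["email"], params["pass"])


def demo(comment_action):
    """Drive the account into lockout through the login form, then try
    the same correct password on both endpoints and report what each says."""
    store = LockoutStore()
    for _ in range(MAX_FAILURES):
        login_handler(store, "user_email_id", "wrong-guess")
    # Constructed request body shaped like the endpoint's `data` parameter.
    data = {"request_type": "2", "params": {
        "blogpostid": 1, "acctid": 1, "email": "user_email_id",
        "pass": "user_password", "firstCall": True}}
    front_door = login_handler(store, "user_email_id", "user_password")
    side_door = comment_action(store, data)
    return front_door, side_door


if __name__ == "__main__":
    print("vulnerable:", demo(vulnerable_comment_action))  # ('locked', 'ok')
    print("fixed:     ", demo(fixed_comment_action))       # ('locked', 'locked')
```

The useful habit this encodes is structural: a lockout or rate limit keyed on the account is only as strong as the least-covered path that can verify a password, so the check belongs in the shared authentication function rather than in any one handler, and a review of every request Burp captured is exactly how you find the handler that skipped it.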
Timeline:
Jan 19, 2021 — Reported
Feb 4, 2021 — Fixed and $$$ Bounty awarded
Thanks for reading, I hope you learned something new. Do clap and share if you liked it. I will write more of my findings soon, so stay tuned for my next write-up. Happy Hacking!
Twitter: 7he_unlucky_guy
Linkedin: Vijeta