Hey there, security enthusiasts 🚀...!



I recently discovered a kind of IDOR gremlin 🪲 which led me to set the password for a newly registered account…! Let's call our target mnop.com for this article only…!

Here's the lowdown:

mnop.com has a signup process where you first enter your email address 📧. They send a verification email with a special token to confirm it's really you (think secret handshake 🤝). This token is then used in the next step, where you set your username and password…!

Now, this is where things get interesting 🕵️‍♀️...!

Using my favorite recon technique (can't reveal my secret weapon just yet...!), I managed to uncover a bunch of these token URLs. When you open one of these URLs, boom! You see a message saying the email is verified, along with fields to enter your username and password…!


Here I got 5 more like this...! 😉


Hold on, where's the recon tip...?! Patience, my friend 🧑 It's coming...! ⏳

The key takeaway here is to keep an eye out for strange-looking URLs 👀. Not just unsubscribe links (those are important too!), but any URL that seems a little fishy 🐟. These unexpected links could potentially expose personal information or, in this case, let you access someone else's account creation process (major yikes...!).
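On the defensive side, here is an added example (not code from this post or from mnop.com) contrasting a token check that accepts the URL alone, as in the flow described above, with one that also requires an unexpired, single-use token redeemed from the browser session that started the signup. The class name, method names, session IDs and the 15-minute lifetime are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60  # assumed lifetime in seconds


def _digest(token):
    # Store only a hash, so a leaked table does not yield working links.
    return hashlib.sha256(token.encode()).hexdigest()


class SignupTokens:
    """In-memory stand-in for the pending-signup table (constructed)."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # sha256(token) -> pending signup record

    def issue(self, email, session_id):
        """Create the token that goes into the verification e-mail."""
        token = secrets.token_urlsafe(32)
        self._pending[_digest(token)] = {
            "email": email,
            "session": session_id,  # browser session that started signup
            "expires": self._now() + TOKEN_TTL,
        }
        return token

    def redeem_weak(self, token):
        """Behaviour the post describes: the URL token alone is accepted."""
        rec = self._pending.get(_digest(token))
        return rec["email"] if rec else None

    def redeem(self, token, session_id):
        """Hardened check: unexpired, same session, and single use."""
        key = _digest(token)
        rec = self._pending.get(key)
        if rec is None:
            return None
        if self._now() > rec["expires"]:
            del self._pending[key]  # expired links are purged
            return None
        if not hmac.compare_digest(rec["session"].encode(), session_id.encode()):
            return None  # link opened outside the session that requested it
        del self._pending[key]  # consume so the link cannot be replayed
        return rec["email"]
```

A user who opens the email on a different device will fail the session check; in this sketch they would restart signup from that device.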

Feeling confused 😕🫀...? Don't worry, I got you...! Feel free to drop a comment below or shoot me a DM on LinkedIn if you need further clarification. Let's keep the web safe together…!

Ohhh I forgot to give you my recon method…!

Here is the link for that recon process article ✨: Link 🔗