Hello my fellow hunters, back with one more write-up, in which I chained two bugs.
The bug is simple. As usual this is a private site, so it is redacted.com.
Let's get started.
Bug 1: the confirmation link can be reused as many times as you like, and every use lets you set the account password, so an attacker holding the link can reset the password.
Reproduction steps:
1. Visit https://redacted.com/signup
2. When you give your mail ID and your name, a confirmation link is sent to your inbox to activate the account, and the same link lets you set a password for the account.
3. That link can be used as many times as you need; every time you open it, it prompts you to set the password again.
Everything is cool till here, but it will be considered low impact. Like, they responded to me with ($150). So what can I do to increase this, as you cannot steal from the user, right...
Bug 2: So I looked into the confirmation token, where I saw that the confirmation token leaks in the Referer header of a GET request.
Reproduction steps:
1. Go to the inbox.
2. Click the link. I caught the request in Burp's intercept, where the Referer header caught my eye: it contained the link.
3. Because the token sits in the URL, that Referer value, token included, is passed along to third parties the page talks to.
Takeaways: this means a third party can use the link (because it leaks in the Referer header) to set the password (because the link can be used multiple times).
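To make the two bugs and their fixes concrete, here is an added example (my own code, not from the write-up or the redacted site). It models Bug 1 as a token service that never invalidates the confirmation token, next to a single-use, expiring version, and models Bug 2 as what a browser puts in the Referer header for a cross-origin request under different Referrer-Policy values. The class and function names, the /confirm path and the one-hour lifetime are assumptions; the page gives none of them.

```python
"""Added example: reusable confirmation token (the bug) vs single-use token (the fix),
plus a model of the Referer header leak. In-memory toy, no web framework needed."""
import hashlib
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse, urlunparse

TOKEN_TTL_SECONDS = 3600  # assumed lifetime; the write-up states none
CONFIRM_URL = "https://redacted.com/confirm"  # assumed path on the redacted site


def _digest(token: str) -> str:
    # Store only a hash so a leaked table does not hand out live links.
    return hashlib.sha256(token.encode()).hexdigest()


class ReusableTokenService:
    """Vulnerable pattern (Bug 1): the link keeps working every time it is opened."""

    def __init__(self):
        self._tokens = {}  # token digest -> email

    def issue(self, email: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[_digest(token)] = email
        return f"{CONFIRM_URL}?token={token}"

    def confirm(self, token: str) -> Optional[str]:
        # Bug: lookup only. The token is never invalidated, so whoever gets
        # hold of the link can come back and set the password again.
        return self._tokens.get(_digest(token))


class SingleUseTokenService:
    """Hardened pattern: one use, bounded lifetime, consumed before the password is set."""

    def __init__(self, clock=time.time):
        self._tokens = {}  # token digest -> (email, expires_at)
        self._clock = clock

    def issue(self, email: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[_digest(token)] = (email, self._clock() + TOKEN_TTL_SECONDS)
        return f"{CONFIRM_URL}?token={token}"

    def confirm(self, token: str) -> Optional[str]:
        entry = self._tokens.pop(_digest(token), None)  # pop: consumed on first use
        if entry is None:
            return None
        email, expires_at = entry
        if self._clock() > expires_at:
            return None  # expired tokens are dropped, not honoured
        return email


def token_from_link(link: str) -> str:
    """Pull the token query parameter out of the link, as the mail client would open it."""
    return parse_qs(urlparse(link).query)["token"][0]


def confirm_page_headers() -> dict:
    """Headers the confirmation page should send so the URL is not handed on."""
    return {"Referrer-Policy": "no-referrer", "Cache-Control": "no-store"}


def referer_sent_cross_origin(page_url: str, policy: str) -> Optional[str]:
    """What a browser sends as Referer to a third party (cross-origin, https) loaded
    from page_url. Simplified from the Referrer Policy spec; covers only the policies
    relevant here."""
    p = urlparse(page_url)
    if policy == "no-referrer":
        return None
    if policy in ("no-referrer-when-downgrade", "unsafe-url"):
        # Full URL minus fragment: the token in the query string goes along (Bug 2).
        # no-referrer-when-downgrade was the browser default when sites set nothing.
        return urlunparse(p._replace(fragment=""))
    # strict-origin-when-cross-origin (current default) and stricter: origin only.
    return f"{p.scheme}://{p.netloc}/"


if __name__ == "__main__":
    bad = ReusableTokenService()
    link = bad.issue("victim@example.com")  # constructed sample address
    tok = token_from_link(link)
    print("reusable, second use:", bad.confirm(tok) and bad.confirm(tok))
    print("leaked Referer:", referer_sent_cross_origin(link, "no-referrer-when-downgrade"))
    print("with no-referrer:", referer_sent_cross_origin(link, "no-referrer"))
```

The two fixes are independent and both are needed: consuming the token on first use limits a leaked link to one race, and the Referrer-Policy header (or moving the token out of the URL into a POST body) stops the link from leaking in the first place.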
Bounty: $250
Hope it helped you learn something!
Happy hunting.
It's me, shesha sai_c