Hello hackers, I'm Mostafa Elguerdawi, and I will talk about one of my recent findings.
I will refer to the vulnerable application as target.com.
As usual, I created an account and logged in normally, then looked around the application to learn more about it before starting to hunt for logic and access-control vulnerabilities.
I went to the /profile page and decided to test there. I tried a lot of attacks such as CSRF, SQL injection, and XSS, but had no luck.
After a while I decided to test for session misconfigurations.
Steps I took
I went to the /profile page with Intercept turned on in Burp Suite.
I changed the email address from the browser, caught the request in Burp, and sent it to Repeater.
I went back to the browser and logged out of my account.
Normally the session should be expired at this point, so the request in Repeater should be rejected and redirect me to the /login page.
But when I went back to Repeater and changed the email again, the response was successful.
To double-check, I logged in again from the browser and found that the email had been changed.
What is the impact?
If an attacker manages to steal the session token or cookie of an active session, they can impersonate the user and gain unauthorized access to their account. Because the server does not invalidate the session on logout, the user cannot cut off that access by logging out.
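The following is an added example, not code from target.com or from this write-up: a minimal server-side session store that reproduces the test above (log in, capture the token, log out, replay the email change) against a weak logout that only clears the browser cookie and a fixed logout that also revokes the session on the server. The `SessionStore`, `change_email` and `replay_after_logout` names, and the sample user, are constructed for the example.

```python
import secrets
import time


class SessionStore:
    """Constructed in-memory session store: token -> {user, expires}."""

    def __init__(self, ttl_seconds=3600):
        self._sessions = {}
        self.ttl = ttl_seconds

    def login(self, user):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "expires": time.time() + self.ttl}
        return token

    def lookup(self, token):
        # Returns the user for a live session, or None if unknown or expired.
        rec = self._sessions.get(token)
        if rec is None or rec["expires"] < time.time():
            self._sessions.pop(token, None)
            return None
        return rec["user"]

    def logout(self, token, revoke_server_side):
        # Weak pattern: only tell the browser to drop the cookie; the server-side
        # record stays alive, so a captured request can still be replayed.
        # Fixed pattern: delete the server-side record first, then clear the cookie.
        if revoke_server_side:
            self._sessions.pop(token, None)
        return {"Set-Cookie": "session=; Max-Age=0; HttpOnly; Secure"}


def change_email(store, token, new_email, profiles):
    """/profile email-change handler: refuses unless the token maps to a live session."""
    user = store.lookup(token)
    if user is None:
        return 302, "/login"
    profiles[user]["email"] = new_email
    return 200, profiles[user]["email"]


def replay_after_logout(revoke_server_side):
    """Replays a captured email-change request after logout, as in the write-up."""
    store = SessionStore()
    profiles = {"alice": {"email": "alice@example.com"}}  # constructed sample user
    token = store.login("alice")  # the cookie Burp would capture
    store.logout(token, revoke_server_side)  # user logs out in the browser
    return change_email(store, token, "new@example.com", profiles)  # Repeater resend
```

With `revoke_server_side=False` the replay returns 200 and the email changes; with `True` it returns the 302 to /login that the write-up expected.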