Bug Bounty Tip: Utilizing JSON and Lists for ATO Testing
The bug bounty tip of this week comes from Mohamed Reda.
When testing a login function during a bug bounty program, submitting JSON lists where single values are expected can help uncover potential Account Takeover (ATO) vulnerabilities. The technique involves manipulating the request payload to observe how the application handles list-typed values in fields that should contain a single string.
Procedure
1. Modify Request Body
Change the request body to JSON format and structure it so that the email and password fields carry lists instead of single strings.
From:
{
    "email": "email",
    "password": "password"
}
To:
{
    "email": [
        "email1",
        "email2"
    ],
    "password": [
        "password1",
        "password2"
    ]
}
2. Test for ATO Vulnerabilities
a. Single Password Test
- Use a list of emails and try a single password across all of them. Verify whether any email-password combination results in a successful login.
b. Brute Force Test
- Use a list of emails and a list of passwords.
- Employ an Intruder tool to systematically perform a brute force attack.
- Check for successful logins using different email and password combinations.
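The server-side counterpart of this test, as an added example that is not part of the original tip: a strict validator that rejects list-typed (or any non-string) credential fields before they reach authentication code, plus a small scanner that counts such submissions per client address so a detection rule can alert on them. The function names, the "<ip> <json-body>" log format and every request body and log line below are constructed for this illustration.

```python
"""Guarding a JSON login endpoint against list-typed credential fields.

Added example, not code from the original tip. All request bodies and log
lines are constructed; the log format '<ip> <raw-json-body>' is an assumption.
"""
import json
from collections import Counter

CREDENTIAL_FIELDS = ("email", "password")
MAX_FIELD_LEN = 256


def validate_login_body(raw):
    """Parse a raw JSON login body and enforce scalar-string credentials.

    Returns (ok, detail). On success, detail is the cleaned
    {"email", "password"} dict; on failure it is a short reason string.
    Arrays and objects in a credential field are rejected outright rather
    than coerced, so a single request can never carry more than one
    email/password pair into the authentication code.
    """
    try:
        body = json.loads(raw)
    except (TypeError, ValueError):
        return False, "malformed-json"
    if not isinstance(body, dict):
        return False, "body-not-object"
    cleaned = {}
    for field in CREDENTIAL_FIELDS:
        if field not in body:
            return False, f"missing-{field}"
        value = body[field]
        if isinstance(value, (list, dict)):
            # The probe from the tip: a list (or object) where a string belongs.
            return False, f"{field}-is-container"
        if not isinstance(value, str):
            return False, f"{field}-not-string"
        if not value or len(value) > MAX_FIELD_LEN:
            return False, f"{field}-bad-length"
        cleaned[field] = value
    return True, cleaned


def scan_login_log(lines):
    """Count container-typed credential submissions per client IP.

    Each constructed log line is '<ip> <raw-json-body>'. Returns a Counter
    so a detection rule can alert once one source crosses a threshold.
    """
    hits = Counter()
    for line in lines:
        ip, _, raw = line.partition(" ")
        ok, detail = validate_login_body(raw)
        if not ok and detail.endswith("-is-container"):
            hits[ip] += 1
    return hits


# Constructed sample log lines (documentation-range addresses).
SAMPLE_LOG = [
    '203.0.113.5 {"email": ["email1", "email2"], "password": "password1"}',
    '203.0.113.5 {"email": ["email1", "email2"], "password": ["password1", "password2"]}',
    '198.51.100.7 {"email": "user@example.com", "password": "correct horse"}',
    '198.51.100.7 {"email": "user@example.com"}',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(validate_login_body(line.partition(" ")[2]))
    print(scan_login_log(SAMPLE_LOG))
```

Rejecting containers before authentication, rather than taking the first element or stringifying the value, is the point: coercion is exactly what turns one request into several credential checks, and a hard reject also gives the log scanner an unambiguous signal to count.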
Please Note
Always conduct security testing within the scope of the bug bounty program and with explicit authorization. Respect ethical guidelines and adhere to responsible disclosure practices when identifying and reporting vulnerabilities.
This approach helps uncover potential vulnerabilities in the login process, ensuring a thorough security assessment and contributing to a more secure system.
Get Popular with BugBounter!
Get featured on BugBounter with your bug bounty tip. Sign up on BugBounter as a cybersecurity researcher today, and contact our Community Manager Salih with your username on BugBounter via their email, [email protected].