
How I found the “Insufficient Authorization in Password Change Endpoint” vulnerability

Bug hunter balu
2 min readJan 10, 2025


Hi everyone, I am back with another writeup. Sorry for the delay.

Recently I started my web3 learning journey, so I have been a little busy.

This time I am coming with “no proper validation on password change”.

I reported this vulnerability. It is a valid bug.

But I got a duplicate...

Still, I will explain here how I found that bug.

Actually I don't hunt on HackerOne, because I mostly get duplicates there.

Mostly I hunt on self-hosted bug bounty programs. For beginners, self-hosted programs are the best choice to hunt on.

OK, coming to our topic.

Let's name the target “ahrcv.com”. It has a login function.

I registered with an email ID as a normal user.

When I visited the profile section, it had a password change option. Check the image below.

So I entered the wrong old password and entered a new password.

Then I captured the request using Burp Suite.
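The test above (submit a wrong old password and watch what the server does with it) probes whether the endpoint re-verifies the current password at all, or only trusts the logged-in session. As an added example that is not from the original post or from the target site, the following Python shows a password-change handler with that check missing next to one with it in place. The in-memory user store, the function names and the PBKDF2 iteration count are assumptions for illustration only.

```python
"""Password-change handler: the insecure pattern next to the fixed one.

Added illustration; the user store, function names and iteration count are
assumptions for this example, not the code of any real site.
"""
import hashlib
import hmac
import os

# Constructed in-memory user store standing in for a database table.
_USERS: dict[str, dict[str, bytes]] = {}

# Kept low so the example runs quickly; production should use a much
# higher work factor (or a memory-hard KDF such as Argon2id).
PBKDF2_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(username: str, password: str) -> None:
    """Create (or reset) a user with a fresh salt and password hash."""
    salt = os.urandom(16)
    _USERS[username] = {"salt": salt, "hash": _hash_password(password, salt)}


def verify_password(username: str, password: str) -> bool:
    """Return True only if the candidate password matches the stored hash."""
    record = _USERS.get(username)
    if record is None:
        return False
    candidate = _hash_password(password, record["salt"])
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, record["hash"])


def _store_new_password(username: str, new_password: str) -> None:
    salt = os.urandom(16)
    _USERS[username] = {"salt": salt, "hash": _hash_password(new_password, salt)}


def change_password_vulnerable(session_user: str, old_password: str, new_password: str) -> bool:
    """Insecure: the old_password field is received but never verified.

    Anyone holding the user's session (stolen cookie, XSS, shared machine)
    can lock the victim out without knowing the current password.
    """
    if session_user not in _USERS:
        return False
    _store_new_password(session_user, new_password)
    return True


def change_password_fixed(session_user: str, old_password: str, new_password: str) -> bool:
    """Secure: require proof of the current password before rotating it."""
    if not verify_password(session_user, old_password):
        return False
    _store_new_password(session_user, new_password)
    return True


def probe(handler, username: str, wrong_old: str, new_password: str) -> bool:
    """The tester's move from the writeup: submit a wrong old password and
    report whether the new one became the account's working password."""
    accepted = handler(username, wrong_old, new_password)
    return accepted and verify_password(username, new_password)


if __name__ == "__main__":
    register("alice", "correct-horse")
    print("vulnerable handler accepts wrong old password:",
          probe(change_password_vulnerable, "alice", "not-it", "attacker-chosen"))
    register("alice", "correct-horse")
    print("fixed handler accepts wrong old password:",
          probe(change_password_fixed, "alice", "not-it", "attacker-chosen"))
```

The current-password check is a re-authentication step, not a usability nicety: it is what separates an attacker who only holds a live session from one who can permanently take over the account. Whether the server enforces it, rather than only the browser form, is exactly what replaying the captured request with a wrong old password tests.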

the request was:
