Web3 security will be the future of bug bounty.
For a small bug on web3, you could got 2x comparing a medium or high severity bug on web.
The vulnerability is fixed so now, I can disclose the target. First response from the target[Kraken]-
Today I will tell you, how I secured $500 from a rate limit bypass.
How it started-
I was working as web pentester intern at a company. My boss gave me a target to hunt, unfortunately it was a public 😂 crypto program.
Initial Phase-
As you all know crypto targets are very secure and the chance of getting a bug is 0.000001% but something is better than nothing 🤫
I tried every possible way to find at least a single bug but nothing worked. I reported a bug called- password reset token not expiring after issuance of new one
But it got N/A 🤖
The Bug 🤑-
After trying several things I reached to the forgot password functionality to check for password reset poisoning but the functionality was safe from it.
I also checked for email triggering i.e., no rate limit on requesting password reset links.
But after every 5 attempts the account got locked for 3 minutes 🥴
I tried a simple bypass i.e., adding null characters after the email- e.g. \n \0 \x00 %0 etc., but nothing worked.
You should try all these.
The Bypass 😈-
After trying above bypasses, another bypass hit my mind- add a space after the email.
And ya that worked for me…😇
Steps to reproduce-
1. Intercept the forgot password request.
2. Send it to repeater, forward it, you will get the response that link to reset is sent ,forward it 4 times more, everything will be fine till here i.e., till now you received 5 password reset links in email. Now send one more time and you will be blocked for 3 minutes.
3. Now add a space after the email i.e.,
email=’email@gmail.com ‘ [see the space before the last quote in the email].
4. Send the above request 5 times, you will get 5 more links in the email and after that again you will be blocked.
5. Repeat step 3 i.e., add another space and in this way, adding a single space after every 5 attempts we have successfully bypassed the no rate limit.
Report ☠️-
I prepared a report and I haven’t used intruder for the POC. I just did what I showed you in steps to reproduce above. And after 3 days I got the email which I showed you above that I was awarded $500 and they assigned it low severity because a user can block these emails.
NOTE 💸-
If you’re interested in crypto and want to mine, Pi Network is a mobile app that lets you mine a new cryptocurrency called Pi directly from your phone.
Features-
Low Battery Usage
Minimal Data Usage
Passive Mining
User-Friendly Interface
No Overheating Issues
Boost your mining 4x with my invite code ➡ ️mineWi3Me
Link- https://minepi.com/mineWi3Me
Thanks for reading 🌹
#bugbounty #vulnerability #crypto #hacking