Sunday, 26 October 2025

Friday Fun Pentest Series - 43 - Current Password not Required When Changing Password - totaljsv5013

Description

- It was noted that the application's password change functionality did not require the user's current password in order to change the password


Current Password not Required When Changing Password

Steps to Reproduce:
  1. Log in as a user and click on the profile icon
  2. Select "Change Credentials"
  3. The user is not required to enter the current password to update their password

// HTTP POST Request - Changing Password

POST /admin/ HTTP/1.1
Host: 192.168.58.153
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0
[...]

{"schema":"admin_save","data":{"name":"John Connor","login":"gz82g8WYq3","password":"Passw0rd!"}}


// HTTP Response - Changing Password

HTTP/1.1 200 OK
set-cookie: NPgdS=13030-39383d41540751460a15064b0f7449766a261756481745550d1f5f05414b061f5e6456343a630323750702160307415f584656405e390e3e38360e591d471c0619711511121d111f4f3a023530306156510b014f0d5045; Expires=Wed, 26 Nov 2025 16:25:39 GMT; Path=/; SameSite=Lax
content-type: application/json; charset=utf-8
cache-control: private, no-cache, no-store, max-age=0
vary: Accept-Encoding, Last-Modified, User-Agent
expires: -1
x-powered-by: Total.js
Date: Sun, 26 Oct 2025 16:25:44 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 16

{"success":true}
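
// Remediation sketch - added example, not Total.js code and not part of the original finding

The following contrasts the reported behaviour with a handler that re-verifies the current password before a credential change. The `current_password` field, the in-memory account object and all function names are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Store passwords as scrypt hashes with a per-account random salt.
function hashPassword(password, salt = crypto.randomBytes(16)) {
  const hash = crypto.scryptSync(password, salt, 32);
  return { salt: salt.toString('hex'), hash: hash.toString('hex') };
}

function verifyPassword(password, stored) {
  const candidate = crypto.scryptSync(password, Buffer.from(stored.salt, 'hex'), 32);
  return crypto.timingSafeEqual(candidate, Buffer.from(stored.hash, 'hex'));
}

// Behaviour reported above: a valid session alone is enough to set a new password.
function saveUnchecked(account, data) {
  if (data.name) account.name = data.name;
  if (data.login) account.login = data.login;
  if (data.password) account.credential = hashPassword(data.password);
  return { success: true };
}

// Hardened: a login or password change must re-prove the current password.
function saveChecked(account, data) {
  const changesCredentials =
    Boolean(data.password) || (Boolean(data.login) && data.login !== account.login);
  if (changesCredentials) {
    const current = data.current_password; // assumed field name
    if (typeof current !== 'string' || !verifyPassword(current, account.credential)) {
      return { success: false, error: 'current password required' };
    }
  }
  return saveUnchecked(account, data);
}

// Constructed sample data; the request body mirrors the one captured above.
function newAccount() {
  return { name: 'John Connor', login: 'gz82g8WYq3', credential: hashPassword('Old-Passw0rd!') };
}
const body = { name: 'John Connor', login: 'gz82g8WYq3', password: 'Passw0rd!' };

console.log(saveUnchecked(newAccount(), body));   // accepted without the old password
console.log(saveChecked(newAccount(), body));     // rejected
console.log(saveChecked(newAccount(), { ...body, current_password: 'Old-Passw0rd!' }));
```

Name-only updates still pass without the current password; only changes to the login or password trigger the check.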
