Change the Business Logic through XPI
I am going to share one of my good and logical findings: changing the business logic through an XPI (Extra Parameter Injection) vulnerability.
During testing, I observed that on the profile settings page I could only change my First Name, Last Name and Password. I could also change my email address by clicking the link “Change my email address”, but that is a completely separate module where I have to enter a new email address and then verify it.
So, is it possible to bypass the email verification process?
Here I am going to show how I was able to bypass this email verification process.
Below we can see the profile settings page. Fill in the required details and click “Update my account”.
Intercept the request using the Burp proxy and observe the POST request.
Inject a new parameter, user[email], with a new email address as its value, let’s say firstname.lastname@example.org, into this POST request and forward the request.
Note: if we go through the “Change my email address” module, we have to verify the new email address, which is email@example.com. Using this vulnerability, however, we are able to bypass that verification process.
As we can see, the profile was updated with the new email address.
Navigate to the login page and try to log into the application with the new email address.
As we can see, the login is successful. No need to verify the new email address. Here we can use any organisation’s email address.
This vulnerability was quickly fixed by the company, and a good bounty was rewarded as well.
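As an added example (not code from the original post or from the application that was tested), here is a small stand-in Ruby profile handler that shows the root cause of this finding, a mass-assignment style update that applies every `user[...]` key the client sends, next to an allowlisted version that accepts only the three fields the form actually exposes and returns any unexpected keys so they can be logged. The `User` class, the `parse_nested_form` helper and the `PROFILE_FIELDS` list are constructed for this example; a real Rails application would express the same allowlist with strong parameters.

```ruby
# Added example (not the original post's code): extra-parameter injection /
# mass assignment on a profile update, and the allowlist that closes it.
require 'cgi'

# Minimal stand-in for a persisted user record (constructed for this example).
class User
  attr_accessor :first_name, :last_name, :password, :email, :email_verified

  def initialize(first_name:, last_name:, email:)
    @first_name = first_name
    @last_name = last_name
    @email = email
    @email_verified = true
  end

  # Assigns every key it is given. This is the dangerous primitive: any
  # attribute with a setter, including email, can be set from request data.
  def assign_attributes(attrs)
    attrs.each { |name, value| public_send("#{name}=", value) }
  end
end

# Parse a form body such as "user[first_name]=A&user[email]=x@y" into
# { "user" => { "first_name" => "A", "email" => "x@y" } }. Hypothetical helper
# standing in for the framework's nested-parameter parsing.
def parse_nested_form(body)
  params = {}
  CGI.parse(body).each do |key, values|
    if key =~ /\A(\w+)\[(\w+)\]\z/
      (params[$1] ||= {})[$2] = values.first
    else
      params[key] = values.first
    end
  end
  params
end

# Vulnerable profile update: trusts whatever keys the client sent, so an
# injected user[email] overwrites the verified address without any check.
def update_profile_vulnerable(user, body)
  user.assign_attributes(parse_nested_form(body)["user"] || {})
  user
end

# The only fields the profile settings form is meant to edit.
PROFILE_FIELDS = %w[first_name last_name password].freeze

# Hardened profile update: only allowlisted fields are applied; email changes
# must go through the separate verification module. Unexpected keys are
# returned so the caller can log them as a tampering signal.
def update_profile_hardened(user, body)
  submitted = parse_nested_form(body)["user"] || {}
  rejected = submitted.keys - PROFILE_FIELDS
  user.assign_attributes(submitted.slice(*PROFILE_FIELDS))
  rejected
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request body: the form's fields plus the injected user[email].
  body = "user[first_name]=Alice&user[last_name]=Smith" \
         "&user[email]=firstname.lastname%40example.org"

  victim = User.new(first_name: "Alice", last_name: "A", email: "alice@example.com")
  update_profile_vulnerable(victim, body)
  puts "vulnerable handler -> email is now #{victim.email}"

  victim = User.new(first_name: "Alice", last_name: "A", email: "alice@example.com")
  rejected = update_profile_hardened(victim, body)
  puts "hardened handler  -> email still #{victim.email}, rejected keys: #{rejected.inspect}"
end
```

The point of returning the rejected keys rather than silently dropping them is that an unexpected `email` key on a profile update is exactly the kind of event a detection rule should flag: legitimate clients never send it, so its presence indicates request tampering worth alerting on.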