BugCrowd Bug Bounty Disclosure: Login Captcha Bypass – By mewtw0

The below information is fully automated and the information is captured from the BugCrowd Disclosure website. The information was correct at the time of posting.

Program


Program Information

tesla


Details


Additional Information

  • Priority:

Step 1: Create a user. Then the captcha screen will appear. Be prepared to proxy the request with the Burp Suite tool here. Enter the correct captcha and catch the request; the username etc. information comes with the token. Then forward the request and you will see the captcha request. See the post with the do intercept feature. A successful request displays the text true with the token in JSON format. Save it somewhere.

Step 2: Try to create a user again; your name and surname will be different, so the token will also change. Enter the wrong captcha and catch the request. Forward the first request, view the next site, and the captcha will appear. Display the response with the do intercept feature; the server will say that the captcha is wrong. Edit this request, using the previous JSON, to write true as before, check the token, and send the request; the captcha will be bypassed. Continue the registration flow and the account will be successfully created despite the wrong captcha being provided. The vulnerability here is actually that the call to finalize the registration didn’t have the proper session check.

Submitted By


Submitter Information

  • Hacker Points: 3
  • Hacker Accuracy: 66.7%
  • Hacker Rank: N/A

mewtw0
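The missing session check named in the report, shown as an added example that is not code from the report or from the affected program: a finalize step that trusts the client flow beside one that requires the server's own record of a solved captcha. The class, method names, tokens and captcha answers are all constructed assumptions.

```python
import hmac
import secrets

class RegistrationService:
    """Constructed model of a two-step signup: captcha check, then finalize."""

    def __init__(self, captcha_answers):
        self._answers = dict(captcha_answers)  # token -> expected captcha text
        self._solved = set()                   # tokens the server itself verified
        self.accounts = []

    def verify_captcha(self, token, answer):
        expected = self._answers.get(token, "")
        ok = bool(expected) and hmac.compare_digest(expected.encode(), answer.encode())
        if ok:
            self._solved.add(token)
        # This JSON body is advisory: the client can rewrite it in transit.
        return {"success": ok, "token": token}

    def finalize_vulnerable(self, token, username):
        # Flaw from the report: nothing checks that this token passed the captcha.
        self.accounts.append(username)
        return True

    def finalize_hardened(self, token, username):
        # Require the server-side record, then consume it so it cannot be replayed.
        if token not in self._solved:
            return False
        self._solved.discard(token)
        self.accounts.append(username)
        return True

def demo():
    t1, t2 = secrets.token_hex(8), secrets.token_hex(8)  # constructed tokens
    svc = RegistrationService({t1: "x7kq2", t2: "m4tz9"})  # constructed answers
    wrong = svc.verify_captcha(t2, "nope")
    right = svc.verify_captcha(t1, "x7kq2")
    return {
        "server_verdict_wrong": wrong["success"],
        "vulnerable_finalize": svc.finalize_vulnerable(t2, "user-b"),
        "hardened_finalize_wrong": svc.finalize_hardened(t2, "user-b"),
        "hardened_finalize_right": right["success"] and svc.finalize_hardened(t1, "user-a"),
        "hardened_replay": svc.finalize_hardened(t1, "user-a2"),
    }

if __name__ == "__main__":
    print(demo())
```

The hardened path never reads the verdict from anything the client sends back; it relies only on state the server wrote when it checked the answer.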

 

