This write-up describes how we could take over any account on a site by abusing a misconfiguration in its change-password functionality.
We were testing a private program, so let's call the target site.com. Let's start our journey.
While going through the sandbox environment that is provided for testing purposes (sandbox.site.com), we noticed a change-password function.
So we opened Burp Suite and intercepted the request, looking for any issue. We caught the following request and started analyzing it.
As you can see, we found this header…