Weak session validation bug let you login even after changing the session IDs and logging out from the accounts

Hi friends,

While searching for bounties, I found an interesting bug which gave me $200 and it was a cool one. It was a logical bug and I learnt that we must see the session IDs while hunting for bugs.

So, I was hunting on a Hackerone and chose a random program. It was viator.com. So I started checking into logical bugs and suddenly I thought about creating two different accounts and play with them. What I did is, I exchanged the session ID of each other and still able to login. The worst part was it was working even after 4 hours once we logout and quit the browser.

So, here are the steps:-

  1. Create two accounts on Viator.com
  2. Login with both of them in different tabs.

3. Capture the request in burp after logging in for both of the accounts. Send the request to repeater

4. Now, you can logout from both of the accounts. Clear the cookie and quit the browser.

5. In burp, exchange the session ID of the first account with another one. Once you check the response, you would be able to login successfully with the first account.

:-)

So, it was a 10 min bug and you just need to observer the things closely. Bugs are everywhere.

Peace:)

Follow me on twitter: @manas_hunter

LinkedIn:- https://www.linkedin.com/in/manas-harsh-05636a154

Information security consultant | Synack Red Teamer | Writer | Learner, achiever & Contributor