Assalam-O-Alaikum fellas, hope you all are fine. It has been a while since I last contributed to the community, so today I will share a chain of bugs that led to account takeover. The program doesn't allow public disclosure, so I will call it chintu.com. First I will explain how I found the IDOR, and then how the account takeover happened via XSS. Let's get started.
The bug I reported was an IDOR with which I was able to change profile data, but not the primary email that is used to log in to an account. I saw another field, the secondary email, and thought that maybe this email could be used to log in to the account. I didn't try it and reported it to chintu.com with the title [ Critical ] IDOR leads to Account TakeOver. After a few days the report was triaged and I was so happy; within a few days I got a reply with a $1250 bounty, but on the same day the ASE changed the reward to $200, set the priority to P4 and created a blocker to answer their question. The argument was:
I was so mad about the reward that I started digging into the application. While doing further recon and testing I came across an endpoint that showed the latest profile points, where the username was reflected and was not sanitized properly. I thought, let's try XSS, and I succeeded: what I did was change the username field via the IDOR to the XSS payload, and the XSS sent the auth token to my server. After reporting this to chintu.com, their reply was:
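The two defects in the chain, modelled side by side with their fixes, as an added example (not code from the original post or from chintu.com; the function names, the in-memory user table and the field allow-list are assumptions):

```python
import html

WRITABLE = {"username", "secondary_email"}  # fields a user may edit on their own profile


def make_users():
    """Constructed in-memory profile table: user id -> record."""
    return {1: {"username": "alice"}, 2: {"username": "bob"}}


def update_profile_vulnerable(session_uid, target_uid, fields, users):
    """IDOR: target_uid comes from the request and is never compared with the session."""
    for key, value in fields.items():
        if key in WRITABLE:
            users[target_uid][key] = value
    return users[target_uid]


def update_profile_hardened(session_uid, target_uid, fields, users):
    """Fix 1: the referenced profile must belong to the session user; allow-list fields."""
    if target_uid != session_uid:
        raise PermissionError("profile does not belong to the session user")
    if not set(fields) <= WRITABLE:
        raise ValueError(f"fields not writable: {sorted(set(fields) - WRITABLE)}")
    users[target_uid].update(fields)
    return users[target_uid]


def render_points_vulnerable(username, points):
    """Stored XSS sink: the username is interpolated into HTML unescaped."""
    return f"<li>{username}: {points} pts</li>"


def render_points_hardened(username, points):
    """Fix 2: encode for the HTML body context before the value is emitted."""
    return f"<li>{html.escape(username, quote=True)}: {int(points)} pts</li>"


def demo(marker="<script>x</script>"):
    """Replay the chain against both versions and return what each produced."""
    # Session user 2 rewrites user 1's username through the IDOR; the marker is a
    # harmless constructed string standing in for the reported payload.
    stored = update_profile_vulnerable(2, 1, {"username": marker}, make_users())["username"]
    try:
        update_profile_hardened(2, 1, {"username": marker}, make_users())
        denied = False
    except PermissionError:
        denied = True
    return {
        "stored_username": stored,
        "hardened_denied": denied,
        "self_update_ok": update_profile_hardened(1, 1, {"username": "al"}, make_users())["username"] == "al",
        "rendered_vulnerable": render_points_vulnerable(stored, 10),
        "rendered_hardened": render_points_hardened(stored, 10),
    }
```

Marking the session token cookie HttpOnly would additionally keep script on the page from reading it, which is the third control this chain depended on being absent.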
Always try harder. Thanks for reading.