Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Account Takeover Methodologies

Aditya Shende
May 29, 2021
Technology
5
1.8k

Account Takeover Methodologies

Type of vulnerability that allows an attacker to gain an unauthorized and full control of the victim’s account without any need of credentials by exploiting the authentication flaw existing in the application.

Will look more into it

Aditya Shende

May 29, 2021
Tweet

More Decks by Aditya Shende

See All by Aditya Shende
Dependency Confusion
aditya45
2
1.9k
What_to_hunt_as_beginner....pdf
aditya45
5
3.7k
Hunting Headers for SSRF
aditya45
5
5.9k
Abusing functions for bug bounty
aditya45
6
5.1k
Github Recon and way to process
aditya45
5
3.6k
2FA bypassing for bug bounties
aditya45
6
2.7k
Approach to learn and time management for bug bounties
aditya45
3
2.6k
Bug Bounty Tips by Aditya Shende aka Kong
aditya45
5
5k

Other Decks in Technology

See All in Technology
透過型SMTPプロキシによる送信メールの可観測性向上: Update Edition / Improved observability of outgoing emails with transparent smtp proxy: Update edition
linyows
2
210
適材適所の技術選定 〜GraphQL・REST API・tRPC〜 / Optimal Technology Selection
kakehashi
1
170
CysharpのOSS群から見るModern C#の現在地
neuecc
2
3.2k
DMARC 対応の話 - MIXI CTO オフィスアワー #04
bbqallstars
1
160
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
3.8k
AIチャットボット開発への生成AI活用
ryomrt
0
170
Amazon CloudWatch Network Monitor のススメ
yuki_ink
1
200
Lambda10周年!Lambdaは何をもたらしたか
smt7174
2
110
Taming you application's environments
salaboy
0
180
New Relicを活用したSREの最初のステップ / NRUG OKINAWA VOL.3
isaoshimizu
2
590
TypeScript、上達の瞬間
sadnessojisan
46
13k
SREによる隣接領域への越境とその先の信頼性
shonansurvivors
2
520

Featured

See All Featured
Designing for Performance
lara
604
68k
Done Done
chrislema
181
16k
Six Lessons from altMBA
skipperchong
27
3.5k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
29k
BBQ
matthewcrist
85
9.3k
Visualization
eitanlees
145
15k
VelocityConf: Rendering Performance Case Studies
addyosmani
325
24k
Happy Clients
brianwarren
98
6.7k
Optimizing for Happiness
mojombo
376
70k
Side Projects
sachag
452
42k
How To Stay Up To Date on Web Technology
chriscoyier
788
250k
Learning to Love Humans: Emotional Interface Design
aarron
273
40k

Transcript

  1. ACCOUNT HIJACKING METHODOLOGIES ADITYA SHENDE

  2. Indian Bounty Hunter: Bugcrowd Biker Agri10x Red Team Ops WHOAMI

  3. Account Takeover ? This is a sort of vulnerability that

    allows an attacker to take full control of a victim's account without requiring any passwords by exploiting an authentication fault in the application.

  4. Methods or Test Cases Recent Finding: Host Manipulation Parameter Pollution

    Password Reset Poisoning IDOR to reset password of any user 1. 2. 3. 4.

  5. 1G 2G 3G 4G 5G Understand mechanism of reset function

    Analyse reset link In request try to add hosts with headers Analyse Response Tamper response if needed 1 2 3 4 5 Host Manipulation
  6. None
  7. None

  8. Parameter Pollution HTTP Parameter Pollution, as implied by the name,

    pollutes the HTTP parameters of a web application in order to perform or achieve a specific malicious task Example: Reset password or Send OTP While sending OTP or reset link there are params like ph_no , email_id ph_no=1234567890&ph_no=0000124563 [email protected]&[email protected] 1. 2. 3.
  9. None

  10. Password Reset Poisoning Application usually generate a secret token by

    using host header functionality. To create the password reset link they use domains mentioned in the host header and append it with the password reset token.

  11. POST /passwords/forgot HTTP/1.1 Host: dashboard.target.com X-Forwarded-Host: burplink.net User-Agent: Mozilla/5.0 (Windows

    NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0 Accept:text/html,application/xhtml+xml,application/xml;q=0.9 ,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate C
  12. None

  13. Request Reset Link Open Link Capture password change request Tamper

    it Smart attack = $$$$ IDOR to reset password of any user

  14. {“email”:”[email protected]”,”password”:”new_passwd”,”confirmPassword ”:”new_passwd”} there is a changable parameter which is email,

    therefore the attacker proceeds to edit the parameters in the following way: {“email”:”[email protected]”,”password”:”new_passwd”,”confirmPassword”: ”new_passwd”} The attacker has changed the parameter email by just changing the attacker’s email by the victim’s email.
  15. None
  16. None