
Account Takeover Methodologies

A type of vulnerability that allows an attacker to gain unauthorized and full control of a victim's account, without needing the victim's credentials, by exploiting an authentication flaw in the application.

Will look more into it

Aditya Shende

May 29, 2021

Transcript

  1. ACCOUNT HIJACKING METHODOLOGIES ADITYA SHENDE

  2. WHOAMI: Indian Bounty Hunter, Bugcrowd; Biker; Agri10x Red Team Ops

  3. Account Takeover?
     This is a sort of vulnerability that allows an attacker to take full control of a victim's account without requiring any passwords, by exploiting an authentication fault in the application.
  4. Methods or Test Cases (Recent Findings)
     1. Host Manipulation
     2. Parameter Pollution
     3. Password Reset Poisoning
     4. IDOR to reset password of any user
  5. Host Manipulation
     1. Understand the mechanism of the reset function
     2. Analyse the reset link
     3. In the request, try to add hosts with headers
     4. Analyse the response
     5. Tamper with the response if needed
  8. Parameter Pollution
     HTTP Parameter Pollution, as implied by the name, pollutes the HTTP parameters of a web application in order to perform or achieve a specific malicious task.
     Example: Reset password or Send OTP
     1. While sending an OTP or reset link there are params like ph_no, email_id
     2. ph_no=1234567890&ph_no=0000124563
     3. email_id=victim@gmail.com&email_id=attacker@gmail.com
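The slide above shows the duplicated-parameter request but not what the server does with it. The following is an added example, not from the deck, that shows how Python's standard query parser surfaces duplicates, a permissive accessor that silently picks one occurrence (the behaviour that makes HPP exploitable; which occurrence wins varies by framework), a strict accessor that rejects a duplicated email_id or ph_no, and a small detection helper for logging or WAF rules. The request body and parameter names are constructed for the example.

```python
"""Added example (not part of the deck): handling duplicated parameters such as
email_id / ph_no in an OTP or reset-link request."""
from typing import Dict, Optional
from urllib.parse import parse_qs


class DuplicateParameter(ValueError):
    """Raised when a parameter that must be unique is supplied more than once."""


def naive_value(body: str, name: str) -> Optional[str]:
    """Permissive behaviour: silently take the last occurrence. Other stacks take
    the first, or concatenate; the inconsistency is what an attacker relies on."""
    values = parse_qs(body, keep_blank_values=True).get(name)
    return values[-1] if values else None


def strict_value(body: str, name: str) -> Optional[str]:
    """Hardened accessor: a parameter that selects the recipient of an OTP or
    reset email may appear at most once, otherwise the request is rejected."""
    values = parse_qs(body, keep_blank_values=True).get(name)
    if not values:
        return None
    if len(values) > 1:
        raise DuplicateParameter(f"{name} supplied {len(values)} times")
    return values[0]


def polluted_params(body: str, watched=("email_id", "ph_no")) -> Dict[str, int]:
    """Detection helper: returns the watched parameters that occur more than once
    in the body, with their counts, so the request can be logged or blocked."""
    counts = {k: len(v) for k, v in parse_qs(body, keep_blank_values=True).items()}
    return {k: counts[k] for k in watched if counts.get(k, 0) > 1}


if __name__ == "__main__":
    # Constructed request body in the shape shown on the slide.
    body = "email_id=victim%40example.com&email_id=attacker%40example.net"
    print("naive value:", naive_value(body, "email_id"))
    print("polluted:", polluted_params(body))
    try:
        strict_value(body, "email_id")
    except DuplicateParameter as exc:
        print("rejected:", exc)
```

The strict accessor is the fix; the detection helper is useful because a duplicated recipient parameter in an OTP or reset request has no legitimate use and is a reliable signal of probing.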
  10. Password Reset Poisoning
      Applications usually generate a secret token using host header functionality. To create the password reset link they use the domain mentioned in the host header and append the password reset token to it.
  11. POST /passwords/forgot HTTP/1.1
      Host: dashboard.target.com
      X-Forwarded-Host: burplink.net
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      C
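Slides 5, 10 and 11 describe the mechanism (the reset link is built from Host or X-Forwarded-Host) and the request that triggers it, but not the server-side fix. The following is an added example, not from the deck, showing the vulnerable link builder beside a hardened one that only uses a configured canonical origin, plus two server-side checks: one that refuses requests whose Host is not allowlisted or whose forwarding header disagrees with it, and one that refuses to email any link that does not point at our own origin. The origin, host names and header values are constructed for the example.

```python
"""Added example (not part of the deck): building a password-reset link without
trusting the Host / X-Forwarded-Host headers of the incoming request."""
import secrets
from urllib.parse import urlsplit

# Constructed deployment configuration; in a real service this comes from config,
# never from the request.
CANONICAL_ORIGIN = "https://dashboard.example.com"
ALLOWED_HOSTS = {"dashboard.example.com"}


def build_reset_link_vulnerable(headers: dict, token: str) -> str:
    """The pattern on slide 10: the host in the link comes from the request, and
    a forwarding header overrides Host, so the token is sent wherever the
    attacker-supplied header says."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    return f"https://{host}/passwords/reset?token={token}"


def build_reset_link_hardened(token: str) -> str:
    """Never derives the link from request headers; the origin is fixed config."""
    return f"{CANONICAL_ORIGIN}/passwords/reset?token={token}"


def request_host_is_trusted(headers: dict) -> bool:
    """Server-side check: Host must be allowlisted and, if a forwarding header is
    present, it must name the same host. Anything else is a poisoning attempt
    that should be rejected and logged."""
    host = (headers.get("Host") or "").split(":")[0].lower()
    if host not in ALLOWED_HOSTS:
        return False
    fwd = headers.get("X-Forwarded-Host")
    if fwd is not None and fwd.split(":")[0].lower() != host:
        return False
    return True


def link_points_at_canonical_origin(link: str) -> bool:
    """Last-line assertion before emailing: refuse a link whose host is not ours."""
    parts = urlsplit(link)
    return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS


if __name__ == "__main__":
    # Constructed headers modelled on slide 11 (attacker-controlled forwarding host).
    poisoned = {"Host": "dashboard.example.com", "X-Forwarded-Host": "attacker.example.net"}
    token = secrets.token_urlsafe(32)
    bad = build_reset_link_vulnerable(poisoned, token)
    good = build_reset_link_hardened(token)
    print("vulnerable link ok:", link_points_at_canonical_origin(bad))
    print("hardened link ok:  ", link_points_at_canonical_origin(good))
    print("request trusted:   ", request_host_is_trusted(poisoned))
```

If a reverse proxy legitimately sets X-Forwarded-Host, strip or overwrite the header at the proxy so the application only ever sees values the proxy produced; the application-side check above then catches anything that reaches it directly.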
  13. IDOR to reset password of any user
      1. Request reset link
      2. Open link
      3. Capture password change request
      4. Tamper with it
      Smart attack = $$$$
  14. {"email":"attacker_account@test.com","password":"new_passwd","confirmPassword":"new_passwd"}
      There is a changeable parameter, email, so the attacker edits the parameters in the following way:
      {"email":"victim_account@test.com","password":"new_passwd","confirmPassword":"new_passwd"}
      The attacker has changed the email parameter by simply replacing the attacker's email with the victim's email.
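The slide shows the tampered request; the defect behind it is a password-change handler that identifies the account by the email in the request body rather than by the server-side session (or, in a reset-link flow, by the account the reset token was issued for). The following is an added example, not from the deck, with the vulnerable handler beside a hardened one. The in-memory user store, the hashing and the session model are constructed for the example; the two email addresses are the ones on the slide.

```python
"""Added example (not part of the deck): a password-change handler that trusts
the body's email field, and the same handler bound to the authenticated session."""
import hashlib
import json
import secrets
from typing import Dict


def _hash(pw: str, salt: str) -> str:
    # Demo-only hashing so the example stays dependency-free; use a slow KDF in production.
    return hashlib.sha256((salt + pw).encode()).hexdigest()


def make_users() -> Dict[str, dict]:
    """Constructed in-memory user store for the example (email -> salt and hash)."""
    return {
        "victim_account@test.com": {"salt": "s1", "hash": _hash("victim-old", "s1")},
        "attacker_account@test.com": {"salt": "s2", "hash": _hash("attacker-old", "s2")},
    }


def verify(users: Dict[str, dict], email: str, pw: str) -> bool:
    """Constant-time comparison of a candidate password against the stored hash."""
    u = users[email]
    return secrets.compare_digest(u["hash"], _hash(pw, u["salt"]))


def change_password_vulnerable(session_email: str, body: str, users: Dict[str, dict]) -> str:
    """Identifies the account by the client-supplied email, so any logged-in user
    can change any other user's password just by editing the JSON (slide 14)."""
    data = json.loads(body)
    if data["password"] != data["confirmPassword"]:
        return "mismatch"
    user = users[data["email"]]
    user["hash"] = _hash(data["password"], user["salt"])
    return f"changed:{data['email']}"


def change_password_hardened(session_email: str, body: str, users: Dict[str, dict]) -> str:
    """Identifies the account only from the server-side session. A body email
    that disagrees with the session is rejected (and worth alerting on) rather
    than silently accepted or silently ignored."""
    data = json.loads(body)
    if data.get("email", session_email) != session_email:
        return "forbidden"
    if data["password"] != data["confirmPassword"]:
        return "mismatch"
    user = users[session_email]
    user["hash"] = _hash(data["password"], user["salt"])
    return f"changed:{session_email}"


if __name__ == "__main__":
    # Constructed tampered body in the shape shown on slide 14.
    tampered = json.dumps({"email": "victim_account@test.com",
                           "password": "new_passwd", "confirmPassword": "new_passwd"})
    print(change_password_vulnerable("attacker_account@test.com", tampered, make_users()))
    print(change_password_hardened("attacker_account@test.com", tampered, make_users()))
```

The same rule applies to the reset-link flow on slide 13: the account to update must come from the server-side record the reset token was issued for, never from an email field the client can edit.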