Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Account Takeover Methodologies

Aditya Shende
May 29, 2021
Technology
5
1.8k

Account Takeover Methodologies

Type of vulnerability that allows an attacker to gain an unauthorized and full control of the victim’s account without any need of credentials by exploiting the authentication flaw existing in the application.

Will look more into it

Aditya Shende

May 29, 2021
Tweet

More Decks by Aditya Shende

See All by Aditya Shende
Dependency Confusion
aditya45
2
1.8k
What_to_hunt_as_beginner....pdf
aditya45
5
3.6k
Hunting Headers for SSRF
aditya45
5
5.5k
Abusing functions for bug bounty
aditya45
6
4.9k
Github Recon and way to process
aditya45
5
3.6k
2FA bypassing for bug bounties
aditya45
6
2.7k
Approach to learn and time management for bug bounties
aditya45
3
2.6k
Bug Bounty Tips by Aditya Shende aka Kong
aditya45
5
4.9k

Other Decks in Technology

See All in Technology
自己改善からチームを動かす! 「セルフエンジニアリングマネージャー」のすゝめ
shoota
6
800
Building a RAG-powered AI chat app with Python and VS Code
pamelafox
0
100
Azure Container Apps + Bicep 〜 こんな感じで運用しています
kaz29
2
480
[新卒向け研修資料] テスト文字列に「うんこ」と入れるな(2024年版)
infiniteloop_inc
4
16k
web-application-security
matsuihidetoshi
0
170
IaCジェネレーターとBedrockで詳細設計書を生成してみた
tsukasa_ishimaru
2
280
Postman v10リリース後を振り返る / Looking back at Postman v10 after release
yokawasa
1
160
生成AIの変革の時代に、 直近1年で直面した課題とその解決策
ktc_wada
0
330
反実仮想機械学習とは何か
usaito
PRO
11
4.7k
LangSmith入門―トレース/評価/プロンプト管理などを担うLLMアプリ開発プラットフォーム
os1ma
3
360
よく聞くけど使ったことないソフトウェアNo.1 KafkaとSnowflake
foursue
4
360
Gitlab本から学んだこと - そーだいなるプレイバック / gitlab-book
soudai
4
440

Featured

See All Featured
WebSockets: Embracing the real-time Web
robhawkes
59
7k
5 minutes of I Can Smell Your CMS
philhawksworth
199
19k
Scaling GitHub
holman
457
140k
4 Signs Your Business is Dying
shpigford
175
21k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
6
1.5k
The Illustrated Children's Guide to Kubernetes
chrisshort
31
46k
Pencils Down: Stop Designing & Start Developing
hursman
117
11k
The World Runs on Bad Software
bkeepers
PRO
61
6.7k
Docker and Python
trallard
34
2.7k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
322
20k
Six Lessons from altMBA
skipperchong
21
3k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
501
140k

Transcript

  1. ACCOUNT HIJACKING METHODOLOGIES ADITYA SHENDE

  2. Indian Bounty Hunter: Bugcrowd Biker Agri10x Red Team Ops WHOAMI

  3. Account Takeover ? This is a sort of vulnerability that

    allows an attacker to take full control of a victim's account without requiring any passwords by exploiting an authentication fault in the application.

  4. Methods or Test Cases Recent Finding: Host Manipulation Parameter Pollution

    Password Reset Poisoning IDOR to reset password of any user 1. 2. 3. 4.

  5. 1G 2G 3G 4G 5G Understand mechanism of reset function

    Analyse reset link In request try to add hosts with headers Analyse Response Tamper response if needed 1 2 3 4 5 Host Manipulation
  6. None
  7. None

  8. Parameter Pollution HTTP Parameter Pollution, as implied by the name,

    pollutes the HTTP parameters of a web application in order to perform or achieve a specific malicious task Example: Reset password or Send OTP While sending OTP or reset link there are params like ph_no , email_id ph_no=1234567890&ph_no=0000124563 [email protected]&[email protected] 1. 2. 3.
  9. None

  10. Password Reset Poisoning Application usually generate a secret token by

    using host header functionality. To create the password reset link they use domains mentioned in the host header and append it with the password reset token.

  11. POST /passwords/forgot HTTP/1.1 Host: dashboard.target.com X-Forwarded-Host: burplink.net User-Agent: Mozilla/5.0 (Windows

    NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0 Accept:text/html,application/xhtml+xml,application/xml;q=0.9 ,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate C
  12. None

  13. Request Reset Link Open Link Capture password change request Tamper

    it Smart attack = $$$$ IDOR to reset password of any user

  14. {“email”:”[email protected]”,”password”:”new_passwd”,”confirmPassword ”:”new_passwd”} there is a changable parameter which is email,

    therefore the attacker proceeds to edit the parameters in the following way: {“email”:”[email protected]”,”password”:”new_passwd”,”confirmPassword”: ”new_passwd”} The attacker has changed the parameter email by just changing the attacker’s email by the victim’s email.
  15. None
  16. None