
Account Takeovers Webinar

Ninad Mathpati
December 19, 2020


These slides are from the live webinar organised by the ResetHacker community, in which I discussed the ways to find account takeover vulnerabilities.


Transcript

  1. Account Takeovers
    By – Ninad Mathpati
    RESETHACKER community is India's crowdsourcing community of action for professionals, researchers,
    ethical hackers, developers, students and hobbyists interested in learning, sharing & collaborating.
    www.resethacker.com

  2. Whoami?
    ⬡ Application security engineer @ArisGlobal.
    ⬡ Security Researcher @Synack, @Bugcrowd.
    ⬡ Featured by Bugcrowd in their Researcher Spotlight.
    ⬡ Hacker with an ethical bent of mind.
    ⬡ Developer with skills.
    ⬡ Known as Hacker2202.
    ⬡ Find more details about me & my work @ ninadmathpati.com

  3. Disclaimer
    ⬡ Nothing presented in today's session gives you permission to hack.
    ⬡ Always hack with proper approvals.
    ⬡ Use this knowledge for educational purposes only.

  4. “Create your own path and live it.”
    By – Ninad Mathpati

  5. ⬡ Here we will discuss account takeover vulnerabilities.
    ⬡ Ways to achieve that.
    ⬡ Report writing.
    ⬡ Q&A

  6. What is Account Takeover?
    ⬡ Also known as ATO.
    ⬡ It is a vulnerability where an attacker is able to gain unauthorized access to the
    victim's account.
    ⬡ There are many ways to achieve that, mostly by chaining bugs.

  7. Methods by which ATOs can be achieved
    ⬡ CSRF
    ⬡ Cryptographic errors
    ⬡ XSS
    ⬡ IDOR
    ⬡ OAuth misconfiguration
    ⬡ Hard-coded info (GitHub, JS files, comments)
    ⬡ Business logic errors
    ⬡ Request smuggling
    ⬡ Host header injection
    ⬡ Parameter pollution
    ⬡ CRLF injection

  8. Account takeover via CSRF attacks

  9. What is a CSRF attack?
    ⬡ In this vulnerability the attacker is able to trick the victim into making a request
    that the victim does not intend to make.
    ⬡ It is an attack against authenticated web applications that rely on cookies for
    session handling, since the browser attaches the cookies to the forged request.
    ⬡ The impact of the attack depends on the level of privileges the victim possesses.

  10. Scenario
    ⬡ There was a scenario where password reset of an account was possible in two
    ways:
    ∙ Requesting a password reset link to the registered email.
    ∙ Resetting the password by answering the user's security questions.
    ⬡ Security measures such as CSRF tokens and asking to confirm the old password
    before making changes were in place.
    ⬡ Still, account takeover was possible here.

  11. In addition to CSRF protection, the application was confirming the current
    password before making any change.

  12. How was it possible?
    ⬡ CSRF protection was everywhere, and on top of that the application was
    confirming changes using the current password.

  13. ⬡ After trying every bypass technique against the confirm-password check, I
    thought to recheck the registration workflow.
    ⬡ There, after logging in with a new account, the application was asking to set
    security Q&A.
    ⬡ I just gave some random answers to random questions and captured the request
    in Burp Suite.
    ⬡ Now, to bypass the confirm current password check, I used some parameters from
    that request.
    ⬡ I altered the myprofile page CSRF POC by replacing some parameters with those
    from the above request, which I got while setting up the new security Q&A.

  14. ⬡ The new POC that was created was something like the one shown below.
    ⬡ The altered POC worked and helped in changing the email and security Q&A.
    ⬡ Using the changed security Q&A, I was able to change the password of any
    account.
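
The bypass above comes down to a second endpoint (the onboarding security Q&A setup) that writes the same sensitive fields without the checks the profile page had. The following is an added example, not code from the talk or the application it describes, that models that gap and the fix: one choke point that enforces the CSRF token, a per-endpoint field allow-list and the current-password check for every write. That the onboarding endpoint had no checks is an assumption, as are all names and sample data.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory account; not the application's real data model.
@dataclass
class Account:
    email: str
    password: str                       # plaintext only for this illustration
    security_qa: dict = field(default_factory=dict)
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))

SENSITIVE = {"email", "password", "security_qa"}   # changes that must be re-authenticated

def _apply(acct, form):
    for k in ("email", "password"):
        if k in form:
            setattr(acct, k, form[k])
    if "security_qa" in form:
        acct.security_qa = dict(form["security_qa"])

def update_profile_vulnerable(acct, form):
    """Profile page as described: CSRF token plus current-password check."""
    if not hmac.compare_digest(form.get("csrf", ""), acct.csrf_token):
        return "csrf-failed"
    if form.get("current_password") != acct.password:
        return "reauth-failed"
    _apply(acct, form)
    return "ok"

def setup_security_qa_vulnerable(acct, form):
    """Assumed onboarding endpoint: treated as 'first-time setup', so it has neither
    check, yet it writes every field it receives, including a smuggled 'email'."""
    _apply(acct, form)
    return "ok"

def change_profile_hardened(acct, form, allowed_fields):
    """One choke point for every endpoint: CSRF token, a per-endpoint field
    allow-list, and the current password whenever a sensitive field changes."""
    if not hmac.compare_digest(form.get("csrf", ""), acct.csrf_token):
        return "csrf-failed"
    requested = {k for k in form if k in SENSITIVE}
    if requested - set(allowed_fields):
        return "field-not-allowed"
    if requested and form.get("current_password") != acct.password:
        return "reauth-failed"
    _apply(acct, {k: form[k] for k in requested})
    return "ok"
```

The point is that the re-authentication rule lives in one function that every endpoint must call, so a forgotten check on a rarely reviewed flow cannot reopen the hole.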

  15. Other ways to bypass CSRF and achieve ATO
    ⬡ There are many other ways to bypass CSRF; you can refer to my security
    workbook @ info.ninadmathpati.com

  16. Account takeover via business logic vulnerability

  17. What are business logic vulnerabilities?
    ⬡ These are flaws in the design and implementation of an application that allow an
    attacker to elicit unintended behaviour.
    ⬡ The functionality involved is part of a legitimate workflow, but it can be abused
    for malicious intent.

  18. Scenario
    ⬡ There was a scenario where password reset of an account was possible via
    requesting a password reset link to the registered email.
    ⬡ There was an application, say xyz; I created my account on the application.
    ⬡ I tried to reset my account password using the forgot password functionality.
    ⬡ The application was using a token implementation while resetting passwords.
    ⬡ I tried to get a password reset link for my account; the link was as shown in
    the screenshot.

  19. ⬡ Now, once the URL was loaded in the browser, it worked in the intended way: I
    was able to reset my password.
    ⬡ In the given link there was an email parameter; I tried changing it to the
    victim's email.
    ⬡ After the change, once the URL was loaded in the browser, the application was
    asking for the 2FA code associated with the victim's account.
    ⬡ In parallel, it was sending a new password reset link to both mails (the
    victim's mail id and the attacker's mail id).
    ⬡ That password reset link was for the victim's account.
    ⬡ As I had the new reset link, I was able to reset the password of any account on
    the application.

  20. Default link vs. altered link (screenshots of the two reset URLs)
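
The reset flow above fails because the account is taken from the email parameter in the link instead of from the token, and a mismatch mints a fresh link that is mailed to the token holder too. The following is an added example, not the application's code, that models that logic as described on the slides beside a hardened version in which the token alone selects the account, is single-use and expiring, and never causes another link to be issued. The in-memory stores, addresses and the exact vulnerable branching are assumptions.

```python
import hashlib
import secrets
import time

# Constructed in-memory stores; the real application's storage is not on the page.
ACCOUNTS = {"victim@example.test": {"password": "old"},
            "attacker@example.test": {"password": "old"}}
RESET_TOKENS = {}   # sha256(token) -> {"email": ..., "expires": ...}
OUTBOX = []         # (recipient, token) pairs the application "mailed"

def _key(token):
    return hashlib.sha256(token.encode()).hexdigest()

def issue_reset(email, ttl=900):
    """Mint a short-lived token bound to exactly one account and mail it there."""
    if email not in ACCOUNTS:
        return None
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_key(token)] = {"email": email, "expires": time.time() + ttl}
    OUTBOX.append((email, token))
    return token

def token_owner(token):
    """Account a still-registered token is bound to, or None."""
    entry = RESET_TOKENS.get(_key(token))
    return entry["email"] if entry else None

def open_reset_link_vulnerable(params):
    """Assumed logic behind the slides: the account comes from the 'email' query
    parameter; on a mismatch the app mints a fresh link for *that* account and
    mails it to both the new address and the token holder's address."""
    entry = RESET_TOKENS.get(_key(params["token"]))
    if entry is None:
        return "invalid"
    if params["email"] != entry["email"]:
        new_token = issue_reset(params["email"])        # goes to the victim...
        OUTBOX.append((entry["email"], new_token))       # ...and to the token holder
        return "2fa-required"
    return "ok"

def open_reset_link_hardened(params):
    """The token alone selects the account: extra parameters are ignored, the token
    is single-use and expiring, and this step never mints another link."""
    entry = RESET_TOKENS.pop(_key(params.get("token", "")), None)
    if entry is None or entry["expires"] < time.time():
        return "invalid"
    return entry["email"]   # the only account whose password may now be set
```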

  21. Account takeover via OAuth vulnerabilities

  22. What is OAuth?
    ⬡ While browsing the web, you've almost certainly come across sites that let you
    log in using your social media account.
    ⬡ OAuth is an authorization framework.
    ⬡ It enables websites and web applications to request limited access to a user's
    account on another application.
    ⬡ It allows the user to grant access to their details without exposing their login
    credentials to the requesting application.

  23. OAuth workflow (diagram)
    Actors: Client Application (XYZ), Resource Owner (User), OAuth Service Provider
    (Authorization Server and Resource Server).
    Labelled steps 1–4: the client asks the user / authorization server "Please provide
    me the access token"; the auth server generates the access token; "Access token
    provided".
    Labelled steps 5–6: the resource server verifies the access token and provides the
    data.

  24. ATOs using OAuth
    ⬡ There are many misconfigurations in OAuth; we will look at redirect_uri
    misconfiguration and abuse of the state parameter, both of which can lead to
    ATOs.
    ∙ Weak redirect_uri validation :- Here the redirect_uri is vulnerable to an open
    redirect, which lets the attacker steal the victim's access token for the website.
    ∙ Improper handling of the state parameter :- The state parameter is implemented
    to protect against CSRF attacks; if it is missing, an attacker can escalate the
    issue to take over the victim's account.

  25. OAuth redirect_uri misconfiguration
    ⬡ Here we change the “redirect_uri” value to an attacker-controlled server.
    ⬡ The result of this request is that the access token, when generated, is passed
    to the attacker-controlled server.
    ⬡ The access token can also be passed in the Referer header, as it contains the
    address of the previous web page.
    (screenshot: vulnerable redirect_uri parameter)

  26. OAuth state parameter misconfiguration leading to a CSRF attack
    ⬡ In the OAuth configuration there is a state parameter which protects requests
    from CSRF attacks.
    ⬡ In this vulnerability the attacker takes a site where OAuth login is implemented
    and starts logging in with his own Facebook account.
    ⬡ After approving access to his account, he intercepts the next request, the one
    containing the auth code, and checks whether the state parameter is missing.
    ⬡ If it is missing, the attacker can generate a CSRF POC for that request and send
    it to victims.
    ⬡ When a victim opens the link, the attacker's Facebook account gets linked to the
    victim's account.

  27. (annotated screenshots of the OAuth flow)
    State parameter not available.
    If the user approves the request from fb to allow the client to access the user's
    personal information, the attacker can generate a CSRF POC for this request and
    pass it to the victim.
    Once the victim clicks on the malicious link sent by the attacker, the attacker's
    FB account will be added to the victim's account.
    (annotation: "Attacker clicks here", marking the approval button)
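
Both OAuth weaknesses above (slides 25 to 27) come down to two checks: the authorization server must accept only an exactly registered redirect_uri, and the client must bind each login attempt to the browser session with an unguessable state that it verifies on the callback. The following is an added example, not code from the talk or from any real provider, showing both checks; the client id, URLs and the plain-dict session are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit, parse_qs

# Constructed client registration; not any real provider's configuration.
REGISTERED_REDIRECTS = {"client-xyz": {"https://xyz.example/oauth/callback"}}

def redirect_uri_allowed(client_id, redirect_uri):
    """Authorization-server side: accept only an exact, pre-registered redirect_uri.
    Prefix, substring or 'same host' matching is what lets a redirect_uri be bent
    towards an attacker-controlled address, taking the code or token with it."""
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, set())

def begin_login(session):
    """Client side: mint an unguessable state, remember it in the user's own
    session, and send it along in the authorization request."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    return ("https://idp.example/authorize?client_id=client-xyz"
            "&redirect_uri=https://xyz.example/oauth/callback"
            f"&response_type=code&state={session['oauth_state']}")

def handle_callback(session, callback_url):
    """Client side: only accept a code whose state matches the one stored in
    *this* session. A link forged by someone else carries their state (or none),
    so their code is never bound to the victim's account."""
    params = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)     # single use
    got = params.get("state", [""])[0]
    if not expected or not hmac.compare_digest(got.encode(), expected.encode()):
        return None
    return params.get("code", [None])[0]            # safe to exchange for a token
```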

  28. Account takeover via IDOR

  29. What are IDOR vulnerabilities?
    ⬡ It is a type of access control vulnerability.
    ⬡ This kind of vulnerability arises when user-supplied input is used to access data
    directly, without checking that the requester is allowed to see that object.
    ⬡ In the case shown above, if the value “1234” is changed to something else, there
    is a possibility of getting that user's data.

  30. Scenario
    ⬡ I was working on an Android application; while looking for vulnerabilities using
    Burp Suite, I got to know I needed to bypass the SSL pinning that was implemented.
    ⬡ Using Frida, the SSL pinning was bypassed.
    ⬡ On the myprofile page, there was a request such as the one shown.
    ⬡ Anyone can clearly say that there might be an IDOR at the highlighted endpoint.
    ⬡ The application was vulnerable to IDOR; I was able to get access to the data of
    any user just by changing the numeric value.

  31. How can ATO be achieved in this scenario?
    ⬡ If you take a closer look, you might see that the request is sent over the GET
    method.
    ⬡ If we change that to the OPTIONS method, we will know which methods the
    application supports for this request.
    ⬡ To my surprise, I found that the PUT and DELETE methods were allowed.
    (screenshot: request and response)

  32. ⬡ To do a full ATO, I can use the PUT method to add content.
    ⬡ The content can be anything; I can alter the email id or, even better, I can
    simply change the account password.
    ⬡ This was a full ATO of one user's account.
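
What makes the PUT above a takeover is that the endpoint picks the record by the id in the URL and never compares it with the authenticated caller, for any method. The following is an added example, not the application's code, contrasting that pattern with object-level authorization applied before the method is even considered, a method allow-list, and a field allow-list so that a profile update cannot set the password. The routes, ids and stored fields are assumptions.

```python
# Constructed in-memory data; the real API's storage and routes are not on the page.
USERS = {
    1234: {"email": "alice@example.test", "password": "pw-alice"},
    1235: {"email": "bob@example.test", "password": "pw-bob"},
}
ALLOWED_METHODS = {"GET", "PUT"}   # DELETE (and OPTIONS) are not needed by the profile page
WRITABLE_FIELDS = {"email"}        # password changes belong in a separate re-auth flow

def profile_endpoint_vulnerable(session_user, method, user_id, body=None):
    """As on the slides: the record is picked by the id in the URL and the caller's
    identity is never compared with it, for any method the server happens to allow."""
    if method == "GET":
        return 200, USERS.get(user_id)
    if method == "PUT":
        USERS[user_id].update(body or {})
        return 200, USERS[user_id]
    if method == "DELETE":
        USERS.pop(user_id, None)
        return 204, None
    return 405, None

def profile_endpoint_hardened(session_user, method, user_id, body=None):
    """Object-level authorization first: the authenticated session must own the
    record, whatever the method. Unneeded methods are refused outright and PUT may
    only touch an explicit allow-list of fields."""
    if method not in ALLOWED_METHODS:
        return 405, None
    if user_id != session_user or user_id not in USERS:
        return 404, None   # indistinguishable from a missing id, so ids can't be probed
    if method == "GET":
        return 200, USERS[user_id]
    unexpected = set(body or {}) - WRITABLE_FIELDS
    if unexpected:
        return 400, {"error": "field not writable", "fields": sorted(unexpected)}
    USERS[user_id].update(body or {})
    return 200, USERS[user_id]
```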

  33. Can we escalate it further? Can we take over 100 accounts at a time?
    ⬡ Yes, we can escalate it further: what if we brute-force the ID parameter?
    ⬡ Here, instead of an email change, I can directly change the password of all the
    accounts.
    ⬡ That's what I did, and within 10 minutes I was able to take over nearly 100
    accounts.
    ⬡ If needed, I could have taken over all the users in the application in a few
    hours.
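
Mass takeover through id brute-forcing, as described above, is loud in the access logs: one session writes to many different user ids within seconds. The following is an added example, not from the talk, of detection logic that parses constructed access-log lines and flags any session with successful writes to more than a handful of distinct ids inside a short window. The log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (not from the application in the talk): session A
# edits its own profile once; session B writes to a run of ids within a few seconds.
LOG_LINES = """\
2020-12-19T10:00:01 10.0.0.5 sess=A PUT /api/users/1234 200
2020-12-19T10:00:09 10.0.0.9 sess=B PUT /api/users/1234 200
2020-12-19T10:00:10 10.0.0.9 sess=B PUT /api/users/1235 200
2020-12-19T10:00:11 10.0.0.9 sess=B PUT /api/users/1236 200
2020-12-19T10:00:12 10.0.0.9 sess=B PUT /api/users/1237 403
2020-12-19T10:00:13 10.0.0.9 sess=B PUT /api/users/1238 200
2020-12-19T10:00:14 10.0.0.9 sess=B DELETE /api/users/1239 204
2020-12-19T10:05:00 10.0.0.5 sess=A GET /api/users/1234 200
""".splitlines()

LINE_RE = re.compile(
    r"^(\S+) (\S+) sess=(\S+) (GET|PUT|DELETE|OPTIONS) /api/users/(\d+) (\d{3})$")

def parse(line):
    """One log line -> event dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, sess, method, uid, status = m.groups()
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "sess": sess,
            "method": method, "uid": int(uid), "status": int(status)}

def find_enumeration(lines, window_s=60, max_ids=3):
    """Flag any session that successfully writes (PUT/DELETE) to more than `max_ids`
    distinct user ids inside a `window_s`-second window. Counting distinct targets
    rather than checking for consecutive ids also catches shuffled id lists."""
    per_sess = defaultdict(list)
    for ev in filter(None, map(parse, lines)):
        if ev["method"] in ("PUT", "DELETE") and ev["status"] < 400:
            per_sess[ev["sess"]].append(ev)
    alerts = {}
    for sess, evs in per_sess.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            ids = {e["uid"] for e in evs[i:]
                   if (e["ts"] - start["ts"]).total_seconds() <= window_s}
            if len(ids) > max_ids:
                alerts[sess] = sorted(ids)
                break
    return alerts
```

The same rule keyed on source IP instead of session catches an attacker who rotates sessions; the proper fix remains the authorization check, with this alert as the safety net.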


  35. Quick discussion on report writing

  36. How can one write a better report?
    ⬡ I believe report writing is as important as finding bugs in the application.
    ⬡ If we can't explain the issue properly, there is no use in finding that bug.
    ⬡ For me, all these fields should be present while drafting a report:
    ∙ Vulnerability Name
    ∙ Vulnerability Description
    ∙ Vulnerable URL/Endpoint
    ∙ Severity
    ∙ Payload
    ∙ Steps to Reproduce
    ∙ Impact
    ∙ Remediation
    ∙ References

  37. Report templates (screenshot)

  38. References
    info.ninadmathpati.com

  39. References
    http://juice-shop.herokuapp.com
    https://portswigger.net/web-security/all-labs


  41. ⬡ Twitter : @ninad_mathpati
    ⬡ Website : ninadmathpati.com
    ⬡ Blog : ninadmathpati.com/blog
    ⬡ LinkedIn : @ninad-mathpati

  42. Credits
    Special thanks to RESETHACKER for giving me the opportunity to conduct this
    webinar.
