Broken Cryptography & Account Takeovers

40301c0affdf359eaca771713e22b71a?s=47 Harsh Bothra
September 20, 2020

Broken Cryptography & Account Takeovers

Applications still utilize weak cryptography generation methodologies which may lead to severe risk. In the world of Application Security, looking for all possible points to enumerate and find out how secrets, token and encryption is happening always gives an edge. Broken & Weak Cryptography can lead severe impact and account takeover is one of them. Account takeovers involve gaining persistence access to the victim account impacting CIA completely. However, Both Broken Cryptography and Account Takeover are not just limited to a few attack vectors. In this talk, I will discuss:
1. Broken Cryptography 101
2. Endpoints to Test for Broken Cryptography
3. Quick Overview of How to test each Endpoint
4. Account Takeovers 101
5. Various Methods of Performing Account Takeovers
6. Case Studies of Real-Life Findings:
a. Broken Cryptography to Account Takeover
b. CSRF to Account Takeover
c. XSS to Account Takeover & Privilege Escalation
d. IDOR to Account Takeover
e. Account Takeovers in Password Reset Links

40301c0affdf359eaca771713e22b71a?s=128

Harsh Bothra

September 20, 2020
Tweet

Transcript

  1. Broken Cryptography & Account Takeovers By: Harsh Bothra

  2. About Me! • Cyber Security Analyst @Detox Technologies • Synack

    Red Teamer • Bugcrowd Top 150 & MVP 2020 Q1-Q2 • Author – Hacking: Be a Hacker with Ethics (GoI R’cmd.) • Author – Mastering Hacking: The art of Information Gathering & Scanning • Speaker @Multiple Security Confs & Chapters • Blogger @Medium | Youtube @Detox Technolgoies • Poet | Writer | Learner @harshbothra_
  3. Agenda Broken Cryptography 101 Endpoints to Test for Broken Cryptography

    Account Takeovers 101 Ways to Test for Account Takeovers Real Life Findings – Case Studies Hack’0’Hacktricks Q/A @harshbothra_
  4. Broken Cryptography 101 @harshbothra_

  5. 100 ft overview of Cryptography • A practice to encrypt

    data transmitted between two or more parties to ensure secure communication. • Various encoding & encryption algorithms are available to perform cryptography. • Cryptography is of two parts: Symmetric & Asymmetric • Cryptography is widely used and is one of the base of computer applications. • Cryptography can be seen in various parts of application like password reset token, encrypted path, hardcoded secrets, cookies, API Keys, Authentication Token and others. @harshbothra_
  6. Broken Cryptography @harshbothra_

  7. Less Travelled Road : Where to Look • Session Cookies

    • Encoded Paths & Parameters • Hardcoded Secrets in JS Files • Password Reset Links • CSRF Tokens • Authenticity Tokens • Encrypted Data • Username/Passwords • and many other endpoint depending upon the application use-case. @harshbothra_
  8. Account Takeovers @harshbothra_

  9. Ways to Perform Account Takeover CSRF XSS Broken Cryptography IDOR

    Session Hijacking Session Fixation Predictable Identifiers Security Misconfiguration Direct Request Missing Authorization Checks OAuth Misconfiguration @harshbothra_
  10. Case Studies @harshbothra_

  11. Broken Cryptography to Account Takeover @harshbothra_

  12. @harshbothra_

  13. @harshbothra_

  14. CSRF & Client Side Validation Bypass to Account Takeover @harshbothra_

  15. @harshbothra_

  16. @harshbothra_

  17. @harshbothra_

  18. Cross-Site Scripting to Admin Session Hijacking & Privilege Escalation @harshbothra_

  19. @harshbothra_

  20. @harshbothra_

  21. @harshbothra_

  22. IDOR in Cookies to Account Takeover @harshbothra_

  23. Scenario • Login as a victim user and capture the

    request with Burp. • In Cookies section there was a ROLE parameter which has a two-digit value 00. • Create an admin account and observe that now ROLE value in cookies is 11. • Upon further inspection and mapping User Role & Permission Matrix. I observed that the application uses binary bits for role definition. • 00 : User • 11 : Admin @harshbothra_
  24. IDOR in Password Reset to Account Takeover @harshbothra_

  25. Scenario • Password Reset page is Vulnerable to Host Header

    Attack. • Request a password reset link with malicious origin. • Victim will receive a password reset link with malicious origin like: Original Link: https://original_target.com/reset/token/<token_here> Spoofed Link: https://malicious_target.com/reset/token/<token_here> • Now set up a logger at attacker controlled malicious_target.com • Once the victim clicks on the password reset link, the token will be logged to malicious_target.com • Token has no expiry and thus attacker can utilize the token to reset the password. @harshbothra_
  26. Q/A’s are welcome… @harshbothra_

  27. Get in Touch • Twitter : @harshbothra_ • LinkedIn :

    @harshbothra • Instagram : @harshbothra_ • Medium : @hbothra22 • Website : https://harshbothra.tech • Slides : https://www.speakerdeck.com/harshbothra • Email : hbothra22@gmail.com @harshbothra_
  28. Thanks… ☺