Tale of Chaining Bugs for Account Takeover

Transcript

1. T A L E O F C H A I N I N G B U G S
   F O R
   A C C O U N T T A K E O V E R S
   B Y : H A R S H B O T H R A
   

   View Slide

2. W H O A M I ?
   Application Security Enthusiast and Learner
   Triage @H1 | Core Lead Pentester @Cobalt.io
   | Community & Product Growth @Akto.io
   Author – 2 Books | Learn365 |
   SecurityExplained
   Blogger | Content Creator| Speaker
   Bugcrowd All Time Top 200
   

   View Slide

3. A G E N D A
   Account
   Takeovers –
   Vulnerability
   Class or Impact?
   Ignored
   Vulnerabilities –
   Low Hanging
   Fruits
   Tale of Chaining
   Bugs for
   Account
   Takeovers
   

   View Slide

4. P O L L O N T W I T T E R
   @ H A R S H B O T H R A _
   A C C O U N T TA K E O V E R S
   V U L N E R A B I L I T Y C L A S S
   O R
   I M P A C T ?
   

   View Slide

5. I G N O R E D V U L N E R A B I L I T I E S – L O W
   H A N G I N G F R U I T S
   Open Redirection CRLF Injection GraphQL Introspection
   Missing Cookie Security
   & HTTP Security
   Headers
   Host Header Injection
   API Fuzzing (Lack of
   Rate Limit on Path)
   Lack of Server-Side
   Validation
   External SSRF
   Prototype Pollution
   Deeplink
   Misconfiguration
   OAuth Misconfiguration HTML Injection
   

   View Slide

6. T A L E O F
   C H A I N I N G
   B U G S F O R
   A C C O U N T
   T A K E O V E R S
   GraphQL Introspection to
   Account Takeover
   Host Header Injection to Account
   Takeover
   CRLF to XSS leading to Account
   Takeover
   Open Redirection to Account
   Takeover
   

   View Slide

7. G R A P H Q L I N T R O S P E C T I O N T O
   A C C O U N T TA K E O V E R
   Bug Description:
   - The application allowed an unauthenticated user to access and run Introspection Queries
   (Informative – In General).
   - After digging and visualising their GraphQL operations, I found a couple of interesting
   operations allowing to Get User ID by Email and Generate Auth Token using Email.
   - Authenticated with Attacker User and Performed the Operation using /graphql endpoint to
   query victim user's ID and later tried using it to get the Auth token but it didn't work.
   - Next, tried Logical Manipulation (or Parameter Pollution) and supplied IDs like attackerId,
   victimId and it returned Victim's Auth Token.
   

   View Slide

8. G R A P H Q L I N T R O S P E C T I O N T O
   A C C O U N T TA K E O V E R ( C O N T ' D. . . . )
   Bug Description (Cont'd...):
   - Using victim's auth token, changed their email address to Attacker Controlled Email and
   reset their password and had full control of their account.
   Severity Bump: Informative to Critical
   Program & Platform: Private Program (Out of Platform)
   Reward Issued: $$$$$ (5-Digit)
   

   View Slide

9. H O S T H E A D E R I N J E C T I O N O N E M A I L
   C H A N G E T O A C C O U N T TA K E O V E R
   Bug Description:
   - The application shared the same interface for external and internal users. The point of validation
   was the internal user's had their accounts with @company.com and some extra privileges.
   - I had access to one of their GSuite account as part of a Pentest engagement.
   - I tried Host Header Injection (mainly on password reset as we all do) but no luck on any
   endpoints.
   - Next, I fuzzed the application using Collaborator Everywhere and observed that this email
   change endpoint was reflecting the External Host via X-Forwarded-Host header.
   - Using the attacker account (external user), I requested an email change for
   [email protected] with attacker controlled Host.
   

   View Slide

10. H O S T H E A D E R I N J E C T I O N O N E M A I L C H A N G E T O
    A C C O U N T T A K E O V E R ( C O N T ' D . . . )
    Bug Description (Cont'd...):
    - I was able to steal the confirmation token and use it to change email to my attacker (external
    user) account.
    - Relogged in and got the privileges escalated to internal user dashboard that allowed to reset
    the password for any external user.
    Result: Mass Account Takeover
    Severity: Critical
    Program and Platform: Private (Through Pentest)
    Award: Bonus in $$$$
    

    View Slide

11. C R L F T O X S S L E A D I N G T O A C C O U N T
    TA K E O V E R
    Bug Description:
    - The application was vulnerable to Self Cross-Site Scriptingvia Non-Existing Cookie
    Parameter. (Informative).
    - Fuzzed the application and found it vulnerable to CRLF Injection through double encoding.
    - Used CRLF Injection to Inject the Non-Existing Cookie Parameter and Created a PoC like:
    something.com/=cookie:
    - XSS was executed successfully (Medium)
    - Now, further created a PoC to steal session token as the JWT was passed in the Cookies as well
    and there was no HTTPOnly flag.
    - Successfully Hijacked User's Session – Changed Email – Reset Password – Full Account Takeover.
    

    View Slide

12. C R L F T O X S S L E A D I N G T O A C C O U N T T A K E O V E R
    ( C O N T ' D . . . )
    Result: Full Account Takeover
    Severity: Informative to Critical
    Program and Platform: Private
    Award: $$$$ + $$$ (Bonus)
    

    View Slide

13. O P E N R E D I R E C T I O N T O A C C O U N T
    TA K E O V E R
    Bug Description:
    - The application had multiple sub-applications and it used Auth Code to authenticate the sub
    applications and it was possible to access the sub-applications allowing account takeover.
    - The redirection to sub-application was using OAuth flow and had redirection parameter that
    sent the auth token to the sub-application
    - Found an open redirection that allowed to steal the auth token of the application.
    - Attacker was able to successfully access the sub application. (High)
    - Later, I also found an privilege escalation that allowed access from Sub-App to Main-App but
    that's a different Privilege Escalation Story.
    

    View Slide

14. O P E N R E D I R E C T I O N T O A C C O U N T T A K E O V E R
    ( C O N T ' D . . . )
    Result: LimitedAccount Takeover
    Severity: High
    Program and Platform: Private
    Award: $$$
    

    View Slide

15. O T H E R I N T E R E S T I N G AT O
    V E C T O R S
    • HTML Injection to AWS Metadata Leak leading to AWS Takeover
    • Insecure Deeplink allowing Account Takeover
    • Password Reset Poisoning to Account Takeover
    • Mass Assignment Leading to Account Takeover
    • IDOR leading to Account Takeover
    • Lack of Server-Side Validation in Email during Registration leading to Account
    Takeover
    

    View Slide

16. N E X T P L A N S ?
    W I L L L A U N C H A N U P D A T E D
    M I N D M A P O N D I F F E R E N T
    T E C H N I Q U E S F O R A C C O U N T
    T A K E O V E R
    

    View Slide

17. S U M M A RY
    

    View Slide

18. T H A N K YO U
    F O L K S !
    

    View Slide