Account Takeovers By – Ninad Mathpati RESETHACKER community is India's crowdsourcing community of action for professionals, researchers, ethical hackers, developers, students and hobbyists interested in learning, sharing & collaborating. www.resethacker.com

Whoami? 2 www.resethacker.com ⬡ Application security engineer @ArisGlobal. ⬡ Security Researcher @Synack, @Bugcrowd. ⬡ Featured by Bugcrowd in their Researcher Spotlight. ⬡ Hacker with an ethical bent of mind. ⬡ Developer with skills. ⬡ Known as Hacker2202. ⬡ Find more details about me & my work @ ninadmathpati.com

Disclaimer ⬡ Nothing presented here in todays session gives you permission to hack. ⬡ Always hack with proper approvals. ⬡ Use this knowledge for educational purpose only. 3

“Create your own path and live it. By – Ninad Mathpati 4 www.resethacker.com

5 ⬡ Here we would be discussing about the Account takeover vulnerabilities. ⬡ Ways to achieve that. ⬡ Report Writing. ⬡ Q&A

What is Account Takeover? ⬡ Also know as ATO. ⬡ It’s a vulnerability where attacker tries to gain unauthorized access to the victims account. ⬡ Many ways to achieve that, mostly using chaining of bugs. www.resethacker.com

Methods? ATO’s can be achieved ⬡ CSRF ⬡ Cryptographical errors ⬡ XSS ⬡ IDOR ⬡ OAuth Misconfiguration ⬡ Hard coded info (GitHub, JS files, comments) ⬡ Business logic errors. 7 www.resethacker.com ⬡ Request smuggling ⬡ Host Header Injections ⬡ Parameter Pollution. ⬡ CRLF injections

Account takeover via CSRF Attacks 8 www.resethacker.com

What is CSRF Attack? ⬡ Here in this vulnerability attacker is able to trick the victim into making a request that the victim does not intend to make. ⬡ This vulnerability refers to an attack against authenticated web applications using cookies. ⬡ The level of the attack is based upon the level of privileges that the victim possessed. 9

Scenario ⬡ There was a scenario, where password reset of account was possible using two ways ∙ Requesting a password reset link to the registered email. ∙ Resetting the password by answering the security questions of the user. ⬡ Security measures such as CSRF token, requesting to confirm old password before making changes were in place. ⬡ Still account takeover was possible here. 10

Additional to CSRF the application was confirming current password before making any change

How it was possible? ⬡ Since CSRF Protection was every where and over to that the application was confirming the changes using current password. 12

⬡ After trying every bypassing techniques to bypass the confirm password, I thought to recheck the registration workflow. ⬡ There after logging in with new account, the application was asking to set security Q&A. ⬡ Just gave some random answers to random questions and captured the request in Burpsuite. ⬡ Now to bypass the confirm current password, I used some parameters from that request. ⬡ I altered the myprofile page CSRF POC by replacing some parameters, with the above request which I got while setting up the new security Q&A. 13

⬡ The new POC which was created something like below shown, ⬡ The altered POC worked & helped in changing the email and security Q & A. ⬡ Using the changed the Security Q&A, I was able to change the password of any account. 14

Other ways to bypass CSRF and achieve ATO 15 ⬡ There are many other ways to bypass CSRF, you can refer to my security workbook @ info.ninadmathpati.com

Account takeover via Business Logic Vulnerability 16 www.resethacker.com

What are Business Logic Vulnerabilities? ⬡ These flaws are in the design and implementation of an application that allow an attacker to elicit unintended behavior. ⬡ It is a functionality that is part of a legitimate workflow, but it can be used for malicious intent. 17

Scenario ⬡ There was a scenario, where password reset of account was possible via requesting a password reset link to the registered email. ⬡ There was an application say xyz, I created my account on the application. ⬡ I tried to reset my account password using forgot password functionality. ⬡ The application was using token implementation while resetting the passwords. ⬡ I tried to get a password reset link for my account, the link was such as 18

⬡ Now once the URL is loaded in the browser, it was working in the meant way. I was able to reset my password. ⬡ Here in the given link, there was an email parameter, I tried changing it with the victim's email. ⬡ After the change, once the URL is loaded in the browser, the application was asking for 2fa code associated with the victim's account. ⬡ And parallelly it was sending a new password reset link to the both the mails (Victims mail id and attackers mail id) ⬡ That password reset link was of victim’s account. ⬡ As I had the new reset link, I was able reset password of any account on the application 19

Default Link Altered Link

Account takeover via OAuth Vulnerabilities 21 www.resethacker.com

What is Oauth? ⬡ While browsing the web, you've almost certainly come across sites that let you log in using your social media account. ⬡ OAuth is an Authorization framework. ⬡ It’s framework that enables websites and web applications to request limited access to a user's account on another application. ⬡ It allows the user to grant the access to his details without exposing their login credentials to the requesting application. 22

23 Authorization Server Client (XYZ) User Please provide me the access token Access token Provided 1 2 3 4 Auth server generates the access token Resource Server 5 6 Resource server verifies the access token and provides data Oauth Workflow Client Application Resource Owner Oauth Service Provider

24 www.resethacker.com ATO’S using OAuth ⬡ There are many misconfiguration in Oauth, we would be looking for redirect_uri misconfiguration and exploiting state parameter which could lead to ATO’s. ∙ Weak redirect_uri misconfiguration :- Here the redirect_uri is vulnerable to open redirect vulnerability, this vulnerability leads the attacker stealing the victims access token to the website. ∙ Improper handling of state parameter : - Here the State parameter in implemented to protect from CSRF attacks, if that state parameter is not implemented, attacker could try to escalate the issues by taking over the victims account.

25 www.resethacker.com Oauth URL redirect Misconfiguration ⬡ Here if we changed the “redirect_uri” value to attacker-controlled server. ⬡ The result of this request would be the access token when generated it would be passed to the attacker-controlled server. ⬡ The access token would be passed in the Referer header, as it contains the address of the previous web page. Vulnerable redirect_uri parameter

26 www.resethacker.com Oauth state parameter Misconfiguration leading to CSRF attack ⬡ In Oauth configuration, there’s a state parameter which protects requests form CSRF attacks. ⬡ In this vulnerability attacker get a site where Oauth functionality is implemented and tries to login to his Facebook account. ⬡ After his approval to approve the access to his account, he can intercept the next request containing the Auth code and check if state parameter is missing. ⬡ If it is missing the attacker can generate a CSRF POC for that request and forward it to the victims. ⬡ As the victims clicks on the links, the attackers account gets his fb account linked to the victims account.

27 www.resethacker.com State parameter not available If the user approves the request from fb to allow the client to access the user's personal information Attacker can generate CSRF POC for this request and pass it to the victim. Once the victim click on the malicious link sent by the attacker, the attackers FB account will be added to the victim's account Attacker Clicks here

Account takeover via IDOR 28 www.resethacker.com

What are IDOR Vulnerabilities? ⬡ It is a type of access control vulnerability. ⬡ This kind of vulnerability arises when a user-supplied input is used to access data directly. ⬡ Here in the above case if the value “1234” is changed to something else, there’s a possibility to get the data of that user. 29

Scenario ⬡ I was working on android application, while looking for vulnerabilities using Burpsuite, got to know I needed to bypass the SSL pinning implemented. ⬡ Using Frida, the SSL pinning was bypassed. ⬡ In myprofile page, there was a request such as, ⬡ Anyone can clearly say that there might be IDOR at the highlighted end-point. ⬡ The application was vulnerable to IDOR, I was able to get access to the data of any user just by changing the numeric value. 30

How ATO can be achieved in this scenario? ⬡ If you give a closure look, you might see that request is sent over GET method. ⬡ If we change that to OPTIONS method, we will know what methods application is supporting in this request. ⬡ To my surprise I got to know PUT and DELETE methods were allowed. 31 Request Response

⬡ To do a full ATO, I can use the PUT method to add the content. ⬡ Content can be anything such as I can alter the email id or even better, I can simply change the account password only. ⬡ This was a full account ATO of one user. 32

Can we escalate it further? Can we takeover 100 accounts at a time 33 ⬡ Yes, we can escalate it further, what if we brute force the ID parameter. ⬡ Here Instead of email change I can directly change the password of all the accounts. ⬡ That’s what I did and within 10 mins I was able takeover near to 100 accounts. ⬡ If needed I would have taken over all the users in the application in few hours.

34

35 Quick Discussion on report writing

How can one write a better report? ⬡ I believe report writing is important as finding bugs in the application. ⬡ If we can’t explain the issues in the proper way there is no use in finding that bug. ⬡ As for me all these fields should be there while drafting a report ∙ Vulnerability Name ∙ Vulnerability Description ∙ Vulnerable URL/Endpoint ∙ Severity ∙ Payload ∙ Steps to Reproduce ∙ Impact ∙ Remediation ∙ References 36

Report Templates 37

38 References Info.ninadmathpati.com

39 References http://juice-shop.herokuapp.com https://portswigger.net/web-security/all-labs

40

41 ⬡ Twitter : @ninad_mathpati ⬡ Website : Ninadmathpati.com ⬡ Blog : Ninadmathpati.com/blog ⬡ LinkedIn : @ninad-mathpati

Credits Special thanks to RESETHACKER for giving the opportunity to conduct this webinar. 42 www.resethacker.com

43