Slide 1

Account Takeovers
By – Ninad Mathpati
RESETHACKER community is India's crowdsourcing community of action for professionals, researchers, ethical hackers, developers, students and hobbyists interested in learning, sharing & collaborating.

Slide 2

Whoami?
⬡ Application security engineer @ArisGlobal.
⬡ Security Researcher @Synack, @Bugcrowd.
⬡ Featured by Bugcrowd in their Researcher Spotlight.
⬡ Hacker with an ethical bent of mind.
⬡ Developer with skills.
⬡ Known as Hacker2202.
⬡ Find more details about me & my work @

Slide 3

Disclaimer
⬡ Nothing presented in today's session gives you permission to hack.
⬡ Always hack with proper approvals.
⬡ Use this knowledge for educational purposes only.

Slide 4

“Create your own path and live it.”
By – Ninad Mathpati

Slide 5

⬡ Here we will discuss account takeover vulnerabilities.
⬡ Ways to achieve that.
⬡ Report writing.
⬡ Q&A

Slide 6

What is Account Takeover?
⬡ Also known as ATO.
⬡ It's a vulnerability where an attacker gains unauthorized access to the victim's account.
⬡ There are many ways to achieve it, mostly by chaining bugs.

Slide 7

Methods? ATOs can be achieved via:
⬡ CSRF
⬡ Cryptographic errors
⬡ XSS
⬡ IDOR
⬡ OAuth misconfiguration
⬡ Hard-coded info (GitHub, JS files, comments)
⬡ Business logic errors
⬡ Request smuggling
⬡ Host header injection
⬡ Parameter pollution
⬡ CRLF injection

Slide 8

Account takeover via CSRF Attacks

Slide 9

What is a CSRF Attack?
⬡ In this vulnerability the attacker tricks the victim into making a request that the victim does not intend to make.
⬡ It is an attack against authenticated web applications that rely on cookies for session handling.
⬡ The impact of the attack depends on the level of privileges the victim possesses.

Slide 10

Scenario
⬡ There was a scenario where the password of an account could be reset in two ways:
∙ Requesting a password reset link to the registered email.
∙ Resetting the password by answering the user's security questions.
⬡ Security measures such as a CSRF token and confirming the old password before making changes were in place.
⬡ Still, account takeover was possible here.

Slide 11

In addition to CSRF protection, the application was confirming the current password before making any change.

Slide 12

How was it possible?
⬡ CSRF protection was everywhere, and on top of that the application was confirming changes using the current password.

Slide 13

⬡ After trying every technique to bypass the confirm-password check, I decided to recheck the registration workflow.
⬡ There, after logging in with a new account, the application asked to set up security Q&A.
⬡ I gave some random answers to random questions and captured the request in Burp Suite.
⬡ To bypass the confirm-current-password check, I used some parameters from that request.
⬡ I altered the myprofile page CSRF POC by replacing some parameters with those from the request captured while setting up the new security Q&A.

Slide 14

⬡ The new POC that was created looked something like the one shown below.
⬡ The altered POC worked and helped in changing the email and security Q&A.
⬡ Using the changed security Q&A, I was able to change the password of any account.
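The defender's lesson from slides 10 to 14 is that a re-authentication requirement must not be switchable by anything the client sends. The following is an added example, not the application's code: it assumes the bypass worked because a parameter copied from the first-login security Q&A request made the server treat the change as onboarding (an assumption about the mechanism), and shows that shape beside a version that decides on server-side state and on the fields being changed. The CSRF token check is kept in both versions; only the re-authentication logic differs.

```python
import hmac
import secrets

# Constructed account and session state (example values, not the application's).
ACCOUNTS = {"alice": {"password": "correct horse", "email": "alice@example.com", "security_qa": {}}}

def new_session(user):
    return {"user": user, "csrf": secrets.token_urlsafe(32), "onboarding_done": False}

def _verify_password(user, candidate):
    return hmac.compare_digest(ACCOUNTS[user]["password"], candidate)

def _csrf_ok(session, form):
    return hmac.compare_digest(session["csrf"], form.get("csrf", ""))

def _apply(user, form):
    for field in ("email", "security_qa"):
        if field in form:
            ACCOUNTS[user][field] = form[field]

def update_profile_vulnerable(session, form):
    """Assumed shape of the bypass: a client-supplied flag copied from the first-login
    Q&A setup request makes the server treat any change as onboarding and skip
    the current-password check."""
    if not _csrf_ok(session, form):
        return 403
    if form.get("flow") != "initial_setup" and not _verify_password(session["user"], form.get("current_password", "")):
        return 401
    _apply(session["user"], form)
    return 200

def update_profile(session, form):
    """Hardened: whether re-authentication is required depends on the fields being
    changed and on server-side session state, never on a form parameter."""
    if not _csrf_ok(session, form):
        return 403
    user = session["user"]
    # The only change allowed without the current password is the very first
    # security Q&A setup, and only while the server still records it as pending.
    first_setup = not session["onboarding_done"] and set(form) <= {"csrf", "security_qa"}
    if not first_setup and not _verify_password(user, form.get("current_password", "")):
        return 401
    _apply(user, form)
    if "security_qa" in form:
        session["onboarding_done"] = True
    return 200
```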

Slide 15

Other ways to bypass CSRF and achieve ATO
⬡ There are many other ways to bypass CSRF; you can refer to my security workbook @

Slide 16

Account takeover via Business Logic Vulnerability

Slide 17

What are Business Logic Vulnerabilities?
⬡ These are flaws in the design and implementation of an application that allow an attacker to elicit unintended behavior.
⬡ The functionality is part of a legitimate workflow, but it can be used with malicious intent.

Slide 18

Scenario
⬡ There was a scenario where the password of an account could be reset by requesting a password reset link to the registered email.
⬡ There was an application, say xyz; I created my account on the application.
⬡ I tried to reset my account password using the forgot-password functionality.
⬡ The application was using a token implementation for resetting passwords.
⬡ I requested a password reset link for my account; the link was such as

Slide 19

⬡ Once the URL was loaded in the browser, it worked in the intended way: I was able to reset my password.
⬡ The link contained an email parameter; I tried changing it to the victim's email.
⬡ After the change, once the URL was loaded in the browser, the application asked for the 2FA code associated with the victim's account.
⬡ In parallel, it sent a new password reset link to both mailboxes (the victim's mail id and the attacker's mail id).
⬡ That password reset link was for the victim's account.
⬡ As I had the new reset link, I was able to reset the password of any account on the application.
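The root cause in slides 18 and 19 is that the account to act on was taken from the email parameter in the link instead of from the token. The block below is an added example (not the xyz application's code) with a constructed in-memory user store: the vulnerable handler lets the URL's email pick the account and mails a fresh link to both addresses, while the hardened one derives the account from the token alone and refuses a mismatching email.

```python
import hashlib
import secrets
import time

# Constructed user store and token table (example values, not the application's).
USERS = {"alice@example.com": {"id": 1}, "bob@example.com": {"id": 2}}
RESET_TOKENS = {}  # sha256(token) -> (user_id, expiry)

def issue_reset_token(email):
    """Mint a reset token and bind it server-side to the account that requested it."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[digest] = (USERS[email]["id"], time.time() + 900)
    return token

def _owner_of(token):
    """Return the email the token was issued for, or None if unknown or expired."""
    entry = RESET_TOKENS.get(hashlib.sha256(token.encode()).hexdigest())
    if entry is None or time.time() > entry[1]:
        return None
    return next(e for e, u in USERS.items() if u["id"] == entry[0])

def open_reset_link_vulnerable(token, email):
    """Mirrors the flaw: the email parameter in the link picks the account, and a
    fresh link for that account is mailed to both the named address and the
    address the token was issued for."""
    requester = _owner_of(token)
    if requester is None or email not in USERS:
        return None
    issue_reset_token(email)  # new link for the account named in the URL
    return {"account": email, "mailed_to": sorted({email, requester})}

def open_reset_link_fixed(token, email):
    """Hardened: the token alone identifies the account; the email parameter is
    display-only and must match the token's owner, otherwise the request is refused."""
    owner = _owner_of(token)
    if owner is None or owner != email:
        return None
    return {"account": owner, "mailed_to": [owner]}
```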

Slide 20

Default link vs. altered link (screenshots)

Slide 21

Account takeover via OAuth Vulnerabilities

Slide 22

What is OAuth?
⬡ While browsing the web, you've almost certainly come across sites that let you log in using your social media account.
⬡ OAuth is an authorization framework.
⬡ It enables websites and web applications to request limited access to a user's account on another application.
⬡ It allows the user to grant access to their details without exposing their login credentials to the requesting application.

Slide 23

OAuth workflow (diagram)
Actors: User (Resource Owner), Client (XYZ) (Client Application), Authorization Server and Resource Server (OAuth Service Provider).
Captions, steps 1–6: "Please provide me the access token"; "Access token provided"; "Auth server generates the access token"; "Resource server verifies the access token and provides data".

Slide 24

ATOs using OAuth
⬡ There are many misconfigurations in OAuth; we will look at redirect_uri misconfiguration and exploitation of the state parameter, both of which can lead to ATO.
∙ Weak redirect_uri validation: the redirect_uri is vulnerable to an open redirect, which lets the attacker steal the victim's access token for the website.
∙ Improper handling of the state parameter: the state parameter is meant to protect against CSRF attacks; if it is not implemented, the attacker can escalate the issue to taking over the victim's account.

Slide 25

OAuth URL redirect misconfiguration
⬡ Here we change the "redirect_uri" value to an attacker-controlled server.
⬡ The result is that the access token, when generated, is passed to the attacker-controlled server.
⬡ The access token would be passed in the Referer header, as it contains the address of the previous web page.
Vulnerable redirect_uri parameter (screenshot)

Slide 26

OAuth state parameter misconfiguration leading to a CSRF attack
⬡ In an OAuth configuration, there is a state parameter which protects requests from CSRF attacks.
⬡ In this vulnerability the attacker takes a site where OAuth functionality is implemented and tries to log in with his Facebook account.
⬡ After approving access to his account, he intercepts the next request containing the auth code and checks whether the state parameter is missing.
⬡ If it is missing, the attacker can generate a CSRF POC for that request and forward it to victims.
⬡ When a victim clicks the link, the attacker's Facebook account gets linked to the victim's account.

Slide 27

Screenshot callouts:
⬡ State parameter not available.
⬡ If the user approves the request from FB to allow the client to access the user's personal information, the attacker can generate a CSRF POC for this request and pass it to the victim.
⬡ Once the victim clicks on the malicious link sent by the attacker, the attacker's FB account will be added to the victim's account.
⬡ "Attacker clicks here"
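Slides 24 to 27 describe two OAuth mistakes: loose redirect_uri matching and a missing state check. The block below is an added example, not any provider's or client's code; the client id, registered callback and hostnames are constructed. The authorization-server side shows a host-only redirect_uri check beside an exact-match check (the only one that shuts out an open redirect on the same host), and the client side shows state being minted per session and verified on the callback, with a missing state treated as a CSRF attempt.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed client registration (example values, not any real provider's).
REGISTERED_REDIRECT_URIS = {"client-xyz": {"https://xyz.example/oauth/callback"}}

def redirect_uri_allowed_weak(client_id, redirect_uri):
    """Weak check: only the host is compared, so any open redirect on that host
    becomes a path to leak the code or token elsewhere."""
    hosts = {urlsplit(u).netloc for u in REGISTERED_REDIRECT_URIS.get(client_id, ())}
    return urlsplit(redirect_uri).netloc in hosts

def redirect_uri_allowed(client_id, redirect_uri):
    """Hardened: exact string match against the pre-registered URIs, no prefixes or wildcards."""
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, set())

def begin_login(session):
    """Client side: mint an unguessable state value and bind it to this user's session."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    return session["oauth_state"]

def handle_callback(session, callback_url):
    """Client side: accept the authorization code only if the state is present and
    matches the one issued to this session; a missing state is treated as CSRF."""
    params = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)   # single use
    received = params.get("state", [None])[0]
    if not expected or not received or not hmac.compare_digest(expected, received):
        return None
    return params.get("code", [None])[0]
```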

Slide 28

Account takeover via IDOR

Slide 29

What are IDOR Vulnerabilities?
⬡ It is a type of access control vulnerability.
⬡ This kind of vulnerability arises when user-supplied input is used to access data directly.
⬡ In the above case, if the value "1234" is changed to something else, there is a possibility of getting that user's data.

Slide 30

Scenario
⬡ I was working on an Android application; while looking for vulnerabilities using Burp Suite, I found I needed to bypass the SSL pinning that was implemented.
⬡ Using Frida, the SSL pinning was bypassed.
⬡ On the myprofile page, there was a request such as
⬡ Anyone can clearly see that there might be an IDOR at the highlighted endpoint.
⬡ The application was vulnerable to IDOR: I was able to access the data of any user just by changing the numeric value.

Slide 31

How can ATO be achieved in this scenario?
⬡ If you take a closer look, you will see that the request is sent using the GET method.
⬡ If we change that to the OPTIONS method, we learn which methods the application supports for this request.
⬡ To my surprise, I found that the PUT and DELETE methods were allowed.
Request / Response (screenshots)

Slide 32

⬡ To do a full ATO, I can use the PUT method to add content.
⬡ The content can be anything: I can alter the email id or, even better, simply change the account password.
⬡ This was a full ATO of one user's account.
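Slides 29 to 32 combine three server-side omissions: no ownership check on the id in the URL, methods exposed that the client never needed, and a writable password field. The block below is an added example with a constructed profile store (not the Android app's backend); it puts the flawed endpoint beside a hardened one in which the session user, not the URL id, decides access, methods are allow-listed and credential fields cannot be written through the profile update at all.

```python
# Constructed profile store; "owner" is the authenticated username a record belongs to.
PROFILES = {
    1001: {"owner": "alice", "email": "alice@example.com", "password_hash": "h1", "bio": ""},
    1002: {"owner": "bob", "email": "bob@example.com", "password_hash": "h2", "bio": ""},
}
ALLOWED_METHODS = {"GET", "PUT"}           # what the client actually needs; DELETE is not exposed
UPDATABLE_FIELDS = {"display_name", "bio"}  # email/password changes go through their own re-authenticated flow

def profile_endpoint_vulnerable(method, profile_id, body=None):
    """Mirrors the flaw on the slides: any id, any method, any field, no owner check."""
    profile = PROFILES.get(profile_id)
    if profile is None:
        return 404, None
    if method == "GET":
        return 200, dict(profile)
    if method == "PUT":
        profile.update(body or {})   # lets the caller overwrite email or password_hash of any user
        return 200, dict(profile)
    if method == "DELETE":
        del PROFILES[profile_id]
        return 204, None
    return 405, None

def profile_endpoint(method, profile_id, session_user, body=None):
    """Hardened: the caller's session decides access, the URL id is only looked up,
    and both methods and writable fields are allow-listed."""
    if method not in ALLOWED_METHODS:
        return 405, None
    profile = PROFILES.get(profile_id)
    if profile is None or profile["owner"] != session_user:
        return 404, None   # identical response for "not found" and "not yours"
    public = lambda p: {k: v for k, v in p.items() if k != "password_hash"}
    if method == "GET":
        return 200, public(profile)
    rejected = set(body or {}) - UPDATABLE_FIELDS
    if rejected:
        return 400, {"rejected_fields": sorted(rejected)}
    profile.update(body or {})
    return 200, public(profile)
```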

Slide 33

Can we escalate it further? Can we take over 100 accounts at a time?
⬡ Yes, we can escalate it further: what if we brute force the ID parameter?
⬡ Here, instead of an email change, I can directly change the password of all the accounts.
⬡ That's what I did, and within 10 minutes I was able to take over close to 100 accounts.
⬡ If needed, I could have taken over all the users of the application in a few hours.
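Mass takeover by iterating the id, as described on slide 33, leaves a clear trace in access logs: one source issuing write methods against many distinct user ids in a short window. The block below is an added detection example (not part of the talk) that parses a constructed combined-format log sample with an assumed path shape /api/v1/users/<id>/profile and flags sources that modified at least a threshold of distinct ids within a sliding window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log sample (combined-log style); IPs, ids and paths are example values.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:10:00:01 +0000] "PUT /api/v1/users/1001/profile HTTP/1.1" 200 51
203.0.113.5 - - [10/Oct/2023:10:00:03 +0000] "PUT /api/v1/users/1002/profile HTTP/1.1" 200 51
198.51.100.7 - - [10/Oct/2023:10:00:04 +0000] "GET /api/v1/users/1050/profile HTTP/1.1" 200 312
203.0.113.5 - - [10/Oct/2023:10:00:05 +0000] "PUT /api/v1/users/1003/profile HTTP/1.1" 200 51
203.0.113.5 - - [10/Oct/2023:10:00:06 +0000] "PUT /api/v1/users/1004/profile HTTP/1.1" 200 51
198.51.100.7 - - [10/Oct/2023:10:00:09 +0000] "PUT /api/v1/users/1050/profile HTTP/1.1" 200 51
203.0.113.5 - - [10/Oct/2023:10:00:10 +0000] "PUT /api/v1/users/1005/profile HTTP/1.1" 200 51
203.0.113.5 - - [10/Oct/2023:10:00:12 +0000] "PUT /api/v1/users/1006/profile HTTP/1.1" 200 51
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')
ID_RE = re.compile(r"^/api/v1/users/(\d+)/")   # assumed endpoint shape

def find_id_enumeration(log_text, methods=("PUT", "DELETE"), threshold=5, window_s=60):
    """Return {ip: distinct_ids} for every source that sent write methods against
    at least `threshold` distinct user ids inside any `window_s`-second window."""
    events = defaultdict(list)  # ip -> [(timestamp, user_id)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] not in methods:
            continue
        idm = ID_RE.match(m["path"])
        if not idm:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events[m["ip"]].append((ts, idm.group(1)))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        best = 0
        for i, (start, _) in enumerate(evs):   # sliding window anchored at each event
            ids = {uid for ts, uid in evs[i:] if (ts - start).total_seconds() <= window_s}
            best = max(best, len(ids))
        if best >= threshold:
            flagged[ip] = best
    return flagged
```

A user updating their own record repeatedly (198.51.100.7 above) touches one id and is not flagged; the threshold and window should be tuned to the application's normal write rate.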

Slide 34

Slide 35

Quick Discussion on report writing

Slide 36

How can one write a better report?
⬡ I believe report writing is as important as finding bugs in the application.
⬡ If we can't explain the issue properly, there is no use in finding that bug.
⬡ For me, all these fields should be present when drafting a report:
∙ Vulnerability Name
∙ Vulnerability Description
∙ Vulnerable URL/Endpoint
∙ Severity
∙ Payload
∙ Steps to Reproduce
∙ Impact
∙ Remediation
∙ References

Slide 37

Report Templates

Slide 38

References

Slide 39

References

Slide 40

Slide 41

⬡ Twitter : @ninad_mathpati
⬡ Website :
⬡ Blog :
⬡ LinkedIn : @ninad-mathpati

Slide 42

Credits
Special thanks to RESETHACKER for giving the opportunity to conduct this webinar.

Slide 43