Slide 1

ACCOUNT HIJACKING METHODOLOGIES
ADITYA SHENDE

Slide 2

WHOAMI

Indian Bounty Hunter: Bugcrowd, Biker, Agri10x Red Team Ops

Slide 3

Account Takeover?

A class of vulnerability that lets an attacker take full control of a victim's account without knowing the password, by exploiting an authentication flaw in the application.

Slide 4

Methods or Test Cases (Recent Findings):

1. Host Manipulation
2. Parameter Pollution
3. Password Reset Poisoning
4. IDOR to reset the password of any user

Slide 5

Host Manipulation

1. Understand the mechanism of the reset function
2. Analyse the reset link
3. In the request, try adding hosts via headers
4. Analyse the response
5. Tamper with the response if needed

Slide 6

No content

Slide 7

No content

Slide 8

Parameter Pollution

HTTP Parameter Pollution, as the name implies, pollutes the HTTP parameters of a web application in order to perform or achieve a specific malicious task.

Example: Reset password or Send OTP

1. While sending an OTP or reset link there are parameters like ph_no, email_id
2. ph_no=1234567890&ph_no=0000124563
3. email_id=victim@gmail.com&email_id=attacker@gmail.com
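Whether a duplicated ph_no or email_id reaches the attacker depends entirely on which occurrence the server-side stack hands to the handler, which is why the same request behaves differently across frameworks. The following is an added example (not code from the slides or their author) that models the two handler styles side by side and adds a detection check for reset and OTP endpoints; the request bodies are constructed samples and the framework behaviours named in the comments are general facts, not findings from the talk.

```python
from typing import List, Optional
from urllib.parse import parse_qs

# Constructed sample request bodies (assumed, not taken from any real target).
# The second and third repeat a recipient parameter the way the slide shows.
SAMPLE_BODIES = {
    "normal": "email_id=victim%40example.com",
    "polluted_email": "email_id=victim%40example.com&email_id=attacker%40example.com",
    "polluted_phone": "ph_no=1234567890&ph_no=0000124563",
}


class PollutedParameter(ValueError):
    """Raised when a parameter that must be unique is supplied more than once."""


def naive_recipient(body: str, key: str) -> Optional[str]:
    """Models a handler that asks for 'the' value of a parameter and so inherits
    its framework's duplicate-handling rule (PHP keeps the last value, Flask's
    request.args.get() the first, ASP.NET joins them with commas). Here the last
    occurrence wins, so the attacker-controlled second value is the one used."""
    values = parse_qs(body, keep_blank_values=True).get(key)
    return values[-1] if values else None


def strict_recipient(body: str, key: str) -> Optional[str]:
    """Hardened variant: a recipient parameter must appear exactly once; any
    duplicate is rejected before an OTP or reset link is sent anywhere."""
    values = parse_qs(body, keep_blank_values=True).get(key)
    if values is None:
        return None
    if len(values) != 1:
        raise PollutedParameter(f"parameter {key!r} supplied {len(values)} times")
    return values[0]


def duplicated_parameters(body: str) -> List[str]:
    """Detection-side check for reset/OTP endpoints: names every parameter that
    occurs more than once, a cheap signal to log or alert on."""
    parsed = parse_qs(body, keep_blank_values=True)
    return sorted(name for name, values in parsed.items() if len(values) > 1)
```

The strict handler is the one to ship: a recipient field that arrives twice has no legitimate meaning, so rejecting the whole request is safer than picking either value. The duplicate check is cheap enough to run on every request to a reset or OTP route and gives a log line to alert on.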

Slide 9

No content

Slide 10

Password Reset Poisoning

Applications usually generate a secret token and rely on Host header functionality to build the reset link: the domain given in the Host header is used as the base of the password reset link, and the reset token is appended to it.

Slide 11

POST /passwords/forgot HTTP/1.1
Host: dashboard.target.com
X-Forwarded-Host: burplink.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
C
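The host-manipulation steps on slide 5 and the poisoned request above both come down to one implementation decision: where the link builder gets its hostname. The following is an added example (not code from the slides or their author) that places the request-derived builder the slides describe beside a builder that uses a configured origin, plus a check that flags a forwarding header disagreeing with that origin. The canonical hostname dashboard.example.com and the token value are assumed placeholders; burplink.net is the attacker-controlled value from the captured request.

```python
from typing import Dict, Optional
from urllib.parse import urlunsplit

# Origin the application is actually served from. In production this comes from
# deployment configuration, never from the request. Hostname is an assumed
# placeholder.
CANONICAL_ORIGIN = ("https", "dashboard.example.com")

# Constructed headers modelled on the slide's capture: Host is the legitimate
# value, X-Forwarded-Host is the attacker-supplied one.
CAPTURED_HEADERS: Dict[str, str] = {
    "Host": "dashboard.example.com",
    "X-Forwarded-Host": "burplink.net",
}

# Placeholder token; generating and storing reset tokens is out of scope here.
SAMPLE_TOKEN = "token-placeholder-0123456789"


def vulnerable_reset_link(headers: Dict[str, str], token: str) -> str:
    """The pattern the slides describe: the link's host is copied from the
    request, with X-Forwarded-Host (when present) overriding Host. Whoever
    controls that header decides where the victim's token is delivered."""
    host = headers.get("X-Forwarded-Host") or headers["Host"]
    return f"https://{host}/passwords/reset?token={token}"


def safe_reset_link(token: str) -> str:
    """Hardened builder: scheme and host come from configuration only. Request
    headers are never consulted, so there is nothing for an attacker to poison."""
    scheme, host = CANONICAL_ORIGIN
    return urlunsplit((scheme, host, "/passwords/reset", f"token={token}", ""))


def host_override_attempt(headers: Dict[str, str]) -> Optional[str]:
    """Detection helper for the reset endpoint's logs: returns the name of the
    header whose value does not match the canonical host, or None if all agree.
    A non-None result on a password-reset request is worth an alert."""
    forwarded = headers.get("X-Forwarded-Host")
    if forwarded and forwarded != CANONICAL_ORIGIN[1]:
        return "X-Forwarded-Host"
    if headers.get("Host") != CANONICAL_ORIGIN[1]:
        return "Host"
    return None
```

If the application genuinely sits behind a proxy that rewrites Host, the fix is still not to trust the forwarded header blindly: compare it against an allow-list of known origins and fall back to the configured one, which is what the detection helper's comparison already does.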

Slide 12

No content

Slide 13

IDOR to reset the password of any user

1. Request a reset link
2. Open the link
3. Capture the password change request
4. Tamper with it
5. Smart attack = $$$$

Slide 14

{"email":"attacker_account@test.com","password":"new_passwd","confirmPassword":"new_passwd"}

There is a changeable parameter, email, so the attacker edits the parameters in the following way:

{"email":"victim_account@test.com","password":"new_passwd","confirmPassword":"new_passwd"}

The attacker has changed the email parameter simply by replacing the attacker's email with the victim's email.
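The body on this slide is only exploitable because the handler trusts the client to say which account is being reset; the reset token proves the caller reached the form but is not tied to an account. The following is an added example (not code from the slides or their author) that models that handler next to one where the account is derived from the server-side token record, the token is single-use, and a client-supplied email is checked against that record. The user store, token store and the issue_reset_token helper are constructed for the example; the two email addresses are the placeholders from the slide.

```python
import json
import secrets
from typing import Dict

# Constructed in-memory user store; the two addresses are the placeholders used
# on the slide, the passwords are made up.
USERS: Dict[str, Dict[str, str]] = {
    "attacker_account@test.com": {"password": "old-attacker-pw"},
    "victim_account@test.com": {"password": "old-victim-pw"},
}

# Tokens issued by the "request reset link" step, mapped to the account they
# were issued for. A real deployment stores these server-side with an expiry.
ISSUED_TOKENS: Dict[str, str] = {}


def issue_reset_token(email: str) -> str:
    """Assumed helper for step 1 of the slide's flow: mint an unguessable token
    and record which account it belongs to."""
    token = secrets.token_urlsafe(32)
    ISSUED_TOKENS[token] = email
    return token


def vulnerable_change_password(token: str, body: str) -> str:
    """The pattern the slide exploits: the token only proves the caller reached
    the form; the account to modify is read from the JSON body's 'email' field,
    so editing that field resets a different user's password. Returns the
    account that was changed."""
    if token not in ISSUED_TOKENS:
        raise PermissionError("unknown token")
    data = json.loads(body)
    if data["password"] != data["confirmPassword"]:
        raise ValueError("passwords do not match")
    USERS[data["email"]]["password"] = data["password"]
    return data["email"]


def safe_change_password(token: str, body: str) -> str:
    """Hardened handler: the account comes from the server-side token record,
    the token is consumed on first use, and a client-supplied 'email' is only
    tolerated when it matches that record. Returns the account changed."""
    email = ISSUED_TOKENS.pop(token, None)  # pop makes the token single-use
    if email is None:
        raise PermissionError("unknown or already used token")
    data = json.loads(body)
    if data.get("email", email) != email:
        raise PermissionError("body email does not match token subject")
    if data["password"] != data["confirmPassword"]:
        raise ValueError("passwords do not match")
    USERS[email]["password"] = data["password"]
    return email
```

The important property is that the email field becomes redundant in the safe handler: the token already identifies the account, so the form need not send an email at all, and when it does, a mismatch is a strong signal of tampering worth logging. Consuming the token on the first attempt, including a rejected one, keeps a captured link from being replayed.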

Slide 15

No content

Slide 16

No content