crowdsourcing community of action for professionals, researchers, ethical hackers, developers, students and hobbyists interested in learning, sharing & collaborating. www.resethacker.com
⬡ Researcher @Synack, @Bugcrowd.
⬡ Featured by Bugcrowd in their Researcher Spotlight.
⬡ Hacker with an ethical bent of mind.
⬡ Developer with skills.
⬡ Known as Hacker2202.
⬡ Find more details about me & my work @ ninadmathpati.com
⬡ It is a vulnerability where an attacker tries to gain unauthorized access to the victim's account.
⬡ There are many ways to achieve that, mostly by chaining bugs.
⬡ CSRF (Cross-Site Request Forgery) is an attack in which an attacker is able to trick the victim into making a request that the victim does not intend to make.
⬡ This vulnerability refers to an attack against authenticated web applications that use cookies.
⬡ The impact of the attack depends on the level of privileges that the victim possesses.
⬡ Resetting the password of an account was possible in two ways:
∙ Requesting a password reset link to the registered email.
∙ Resetting the password by answering the user's security questions.
⬡ Security measures such as a CSRF token and a prompt to confirm the old password before making changes were in place.
⬡ Still, account takeover was possible here.
⬡ …password, I decided to recheck the registration workflow.
⬡ There, after logging in with a new account, the application asked me to set up security Q&A.
⬡ I gave random answers to random questions and captured the request in Burp Suite.
⬡ To bypass the confirm-current-password check, I then reused some parameters from that request.
⬡ I altered the myprofile page CSRF PoC by replacing some of its parameters with those from the request captured while setting up the new security Q&A.
⬡ As shown, the altered PoC worked and allowed changing the email and the security Q&A.
⬡ Using the changed security Q&A, I was able to change the password of any account.
⬡ Business logic vulnerabilities are flaws in the design and implementation of an application that allow an attacker to elicit unintended behavior.
⬡ The functionality is part of a legitimate workflow, but it can be used with malicious intent.
⬡ Resetting the password of an account was possible by requesting a password reset link to the registered email.
⬡ There was an application, say xyz; I created my account on it.
⬡ I tried to reset my account password using the forgot password functionality.
⬡ The application used tokens when resetting passwords.
⬡ I requested a password reset link for my account; the link was such as:
⬡ It was working as intended: I was able to reset my password.
⬡ The link contained an email parameter, and I tried changing it to the victim's email.
⬡ After the change, once the URL was loaded in the browser, the application asked for the 2FA code associated with the victim's account.
⬡ In parallel, it sent a new password reset link to both mailboxes (the victim's mail id and the attacker's mail id).
⬡ That password reset link was for the victim's account.
⬡ As I had the new reset link, I was able to reset the password of any account on the application.
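As an added illustration (not the xyz application's code), here is how a reset flow can bind the token to an account server-side, so that an email parameter in the link cannot redirect the reset to another user; the in-memory stores, TTL and sample addresses are assumptions.

```python
import hashlib
import secrets
import time

# Constructed in-memory stores standing in for the application's database
# (added example, not the xyz application's own code).
USERS = {"victim@example.com": {"password": "old-pass"},
         "attacker@example.com": {"password": "attacker-pass"}}
RESET_TOKENS = {}   # sha256(token) -> {"email": ..., "expires": ...}
TOKEN_TTL = 900     # seconds a reset link stays valid (assumed value)


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(email, now=None):
    """Create a single-use reset token bound server-side to one account.
    Only the hash is stored, so a database read does not leak usable tokens."""
    if email not in USERS:
        return None  # caller should respond identically to avoid enumeration
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_digest(token)] = {
        "email": email,
        "expires": (now or time.time()) + TOKEN_TTL,
    }
    return token  # sent only to the registered address


def reset_password(token, new_password, claimed_email=None, now=None):
    """Complete a reset. The account comes from the token record, never from
    an email parameter in the URL; a mismatching email is treated as tampering."""
    rec = RESET_TOKENS.pop(_digest(token), None)  # single use: consumed on first try
    if rec is None or (now or time.time()) > rec["expires"]:
        return False
    if claimed_email is not None and claimed_email != rec["email"]:
        return False
    USERS[rec["email"]]["password"] = new_password
    return True
```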
⬡ You have certainly come across sites that let you log in using your social media account.
⬡ OAuth is an authorization framework.
⬡ It enables websites and web applications to request limited access to a user's account on another application.
⬡ It allows the user to grant access to their details without exposing their login credentials to the requesting application.
[Figure: OAuth workflow between the Client Application, Resource Owner, OAuth Service Provider and Resource Server. The auth server generates the access token; the resource server verifies the access token and provides the data.]
⬡ In OAuth, we would be looking for redirect_uri misconfiguration and improper handling of the state parameter, both of which can lead to ATOs.
∙ Weak redirect_uri validation: the redirect_uri is vulnerable to an open redirect, which lets the attacker steal the victim's access token for the website.
∙ Improper handling of the state parameter: the state parameter is implemented to protect against CSRF attacks; if it is not implemented, an attacker can escalate the issue to taking over the victim's account.
⬡ I changed the “redirect_uri” value to an attacker-controlled server.
⬡ As a result of this request, the access token, once generated, is passed to the attacker-controlled server.
⬡ The access token is passed in the Referer header, as that header contains the address of the previous web page.
[Screenshot: vulnerable redirect_uri parameter]
⬡ In an OAuth configuration, there is a state parameter which protects requests from CSRF attacks.
⬡ In this vulnerability, the attacker takes a site where OAuth functionality is implemented and tries to log in with his Facebook account.
⬡ After approving access to his account, he intercepts the next request containing the auth code and checks whether the state parameter is missing.
⬡ If it is missing, the attacker can generate a CSRF PoC for that request and forward it to victims.
⬡ When a victim clicks the link, the attacker's FB account gets linked to the victim's account.
[Screenshot: the request from Facebook to allow the client to access the user's personal information. An attacker can generate a CSRF PoC for this request and pass it to the victim; once the victim clicks the malicious link, the attacker's FB account will be added to the victim's account.]
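The two OAuth weaknesses above, shown from the defender's side as an added example in Python (not any provider's or client's code): exact redirect_uri matching against a registered set, and a per-session state value that the client checks on the callback. The client table, URLs and the session dict are assumptions.

```python
import hmac
import secrets

# Constructed client registration table (added example, not a real provider's).
# Each client registers its exact redirect URIs; no prefix or wildcard matching.
REGISTERED_CLIENTS = {
    "client-abc": {"redirect_uris": {"https://app.example.com/oauth/callback"}},
}


def redirect_uri_allowed(client_id, redirect_uri):
    """Provider side: exact string comparison against the registered set.
    Prefix matching (e.g. startswith) is what lets an open redirect on the
    client's domain leak the code or token, so it is deliberately not used."""
    client = REGISTERED_CLIENTS.get(client_id)
    return client is not None and redirect_uri in client["redirect_uris"]


def begin_authorization(session):
    """Client side: mint an unguessable state value and bind it to the
    browser session before redirecting the user to the provider."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return state


def finish_authorization(session, callback_params):
    """Client side: accept the callback only if its state matches the one
    stored in this session. A missing or foreign state means this user never
    started the flow (the CSRF / account-linking case), so the code is dropped."""
    expected = session.pop("oauth_state", None)   # one use per flow
    received = callback_params.get("state")
    if not expected or not received:
        return None
    if not hmac.compare_digest(expected, received):
        return None
    return callback_params.get("code")
```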
⬡ IDOR (Insecure Direct Object Reference) is a type of access control vulnerability.
⬡ This kind of vulnerability arises when user-supplied input is used to access data directly.
⬡ In the above case, if the value “1234” is changed to something else, there is a possibility of getting that user's data.
⬡ While testing for vulnerabilities using Burp Suite, I found that I needed to bypass the SSL pinning that was implemented.
⬡ Using Frida, the SSL pinning was bypassed.
⬡ On the myprofile page, there was a request such as:
⬡ Anyone can clearly see that there might be an IDOR at the highlighted endpoint.
⬡ The application was vulnerable to IDOR: I was able to access the data of any user just by changing the numeric value.
⬡ If you take a closer look, you can see that the request is sent with the GET method.
⬡ If we change that to the OPTIONS method, we learn which methods the application supports for this request.
⬡ To my surprise, the PUT and DELETE methods were allowed.
[Screenshot: request and response]
⬡ I then used the PUT method to add content.
⬡ The content can be anything: I can alter the email id or, even better, simply change the account password directly.
⬡ This was a full ATO of one user's account.
⬡ …at a time
⬡ Yes, we can escalate it further: what if we brute force the ID parameter?
⬡ Here, instead of changing the email, I can directly change the password of all the accounts.
⬡ That's what I did, and within 10 mins I was able to take over close to 100 accounts.
⬡ If needed, I could have taken over all the users in the application in a few hours.
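An added detection example (not from the application discussed) that runs over constructed access-log lines to flag the two things described above: a session modifying a user record other than its own, and a session walking through many foreign IDs in a short window. The log format and the session-to-user mapping are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines (added example, not from the application under test).
# Assumed format: "<epoch> <session> <method> <path> <status>"; the authenticated
# user behind each session is looked up in SESSION_OWNER (also constructed).
SESSION_OWNER = {"sessA": 1234, "sessB": 5555}
LOG = """\
1700000000 sessA GET /api/users/1234/profile 200
1700000005 sessA OPTIONS /api/users/1234/profile 200
1700000010 sessA PUT /api/users/1235/profile 200
1700000011 sessA PUT /api/users/1236/profile 200
1700000012 sessA PUT /api/users/1237/profile 200
1700000020 sessB GET /api/users/5555/profile 200
"""
LINE_RE = re.compile(
    r"^(\d+) (\S+) (GET|PUT|DELETE|OPTIONS|POST) /api/users/(\d+)/\S* (\d{3})$")


def analyze(log_text, window=600, threshold=3):
    """Return (cross_account_events, enumerating_sessions).
    cross_account_events: (session, method, target_id, status) for requests whose
    path user id differs from the session owner (any method counts, since a GET
    is the IDOR read and PUT/DELETE are the takeover writes).
    enumerating_sessions: sessions that touched at least `threshold` distinct
    foreign ids within `window` seconds, the brute-force pattern."""
    events = []
    foreign = defaultdict(list)  # session -> [(ts, target_id)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated endpoints are ignored in this illustration
        ts, sess, method, target, status = int(m[1]), m[2], m[3], int(m[4]), m[5]
        owner = SESSION_OWNER.get(sess)
        if owner is not None and target != owner:
            events.append((sess, method, target, status))
            foreign[sess].append((ts, target))
    enumerating = set()
    for sess, hits in foreign.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):  # sliding window from each hit
            ids = {tid for t, tid in hits[i:] if t - t0 <= window}
            if len(ids) >= threshold:
                enumerating.add(sess)
                break
    return events, enumerating
```

In production the same check belongs in the application's authorization layer (reject the request), with this log-side logic as the detective control behind it.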
⬡ Report writing is as important as finding bugs in the application.
⬡ If we cannot explain the issues properly, there is no use in finding the bug.
⬡ For me, all of these fields should be present when drafting a report:
∙ Vulnerability Name
∙ Vulnerability Description
∙ Vulnerable URL/Endpoint
∙ Severity
∙ Payload
∙ Steps to Reproduce
∙ Impact
∙ Remediation
∙ References