
Account Takeovers Webinar

Ninad Mathpati
December 19, 2020


These slides are from the live webinar organised by the ResetHacker community, where I discussed ways to find account takeover vulnerabilities.



Transcript

  1. Account Takeovers. By – Ninad Mathpati
     RESETHACKER community is India's crowdsourcing community of action for professionals, researchers, ethical hackers, developers, students and hobbyists interested in learning, sharing & collaborating. www.resethacker.com
  2. Whoami?
     ⬡ Application security engineer @ArisGlobal.
     ⬡ Security Researcher @Synack, @Bugcrowd.
     ⬡ Featured by Bugcrowd in their Researcher Spotlight.
     ⬡ Hacker with an ethical bent of mind.
     ⬡ Developer with skills.
     ⬡ Known as Hacker2202.
     ⬡ Find more details about me & my work @ ninadmathpati.com
  3. Disclaimer
     ⬡ Nothing presented here in today's session gives you permission to hack.
     ⬡ Always hack with proper approvals.
     ⬡ Use this knowledge for educational purposes only.
  4. “Create your own path and live it.” By – Ninad Mathpati
  5. Agenda
     ⬡ Here we will be discussing account takeover vulnerabilities.
     ⬡ Ways to achieve that.
     ⬡ Report writing.
     ⬡ Q&A
  6. What is Account Takeover?
     ⬡ Also known as ATO.
     ⬡ It's a vulnerability where an attacker tries to gain unauthorized access to the victim's account.
     ⬡ There are many ways to achieve that, mostly by chaining bugs.
  7. Methods? ATOs can be achieved via
     ⬡ CSRF
     ⬡ Cryptographic errors
     ⬡ XSS
     ⬡ IDOR
     ⬡ OAuth misconfiguration
     ⬡ Hard-coded info (GitHub, JS files, comments)
     ⬡ Business logic errors
     ⬡ Request smuggling
     ⬡ Host header injection
     ⬡ Parameter pollution
     ⬡ CRLF injection
  8. What is a CSRF Attack?
     ⬡ In this vulnerability the attacker is able to trick the victim into making a request that the victim does not intend to make.
     ⬡ It refers to an attack against authenticated web applications that rely on cookies.
     ⬡ The impact of the attack depends on the level of privileges the victim holds.
  9. Scenario
     ⬡ There was a scenario where password reset of an account was possible in two ways:
       ∙ Requesting a password reset link to the registered email.
       ∙ Resetting the password by answering the user's security questions.
     ⬡ Security measures such as a CSRF token and a prompt to confirm the old password before making changes were in place.
     ⬡ Still, account takeover was possible here.
  10. How was it possible?
      ⬡ CSRF protection was everywhere, and on top of that the application was confirming changes using the current password.
  11. ⬡ After trying every technique to bypass the confirm-password check, I thought to recheck the registration workflow.
      ⬡ There, after logging in with a new account, the application was asking to set security Q&A.
      ⬡ I just gave some random answers to random questions and captured the request in Burp Suite.
      ⬡ Now, to bypass the confirm current password, I used some parameters from that request.
      ⬡ I altered the myprofile page CSRF POC by replacing some parameters with those from the request I got while setting up the new security Q&A.
  12. ⬡ The new POC which was created was something like the one shown below,
      ⬡ The altered POC worked & helped in changing the email and security Q&A.
      ⬡ Using the changed security Q&A, I was able to change the password of any account.
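The defensive counterpart to the bypass in slides 9 to 12, as an added example that is not part of the deck: a small in-memory profile service (constructed here; `ProfileService`, its field names and the sample user are assumptions) in which every state-changing endpoint checks a per-session CSRF token, any sensitive field is re-authenticated with the current password on the server side no matter which form submitted it, and the first-login security Q&A setup is refused once the account already has one, so that request cannot be reused as a password-free path to overwrite it.

```python
import hashlib
import hmac
import secrets

# Fields whose change must be confirmed with the current password, whichever
# form or endpoint submitted them (assumed set for this example).
SENSITIVE_FIELDS = ("email", "security_qa", "password")


class ProfileService:
    """Minimal in-memory profile backend, constructed for this example."""

    def __init__(self):
        self.users = {}     # username -> {"salt", "pw", "email", "security_qa"}
        self.sessions = {}  # session id -> {"user", "csrf"}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password, email):
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "pw": self._hash(password, salt),
                                "email": email, "security_qa": None}

    def login(self, username, password):
        u = self.users[username]
        if not hmac.compare_digest(self._hash(password, u["salt"]), u["pw"]):
            raise PermissionError("bad credentials")
        sid = secrets.token_urlsafe(16)
        # One CSRF token per session; every state-changing form must echo it back.
        self.sessions[sid] = {"user": username, "csrf": secrets.token_urlsafe(32)}
        return sid

    def csrf_token(self, sid):
        return self.sessions[sid]["csrf"]

    def _require_csrf(self, sid, form):
        if not hmac.compare_digest(form.get("csrf_token", ""), self.sessions[sid]["csrf"]):
            raise PermissionError("missing or invalid CSRF token")

    def _require_current_password(self, user, form):
        given = form.get("current_password", "")
        if not hmac.compare_digest(self._hash(given, user["salt"]), user["pw"]):
            raise PermissionError("current password required for sensitive changes")

    def setup_security_qa(self, sid, form):
        """First-login onboarding step. Guarded so it cannot serve as a
        password-free path to overwrite the Q&A of an account that already has one."""
        self._require_csrf(sid, form)
        u = self.users[self.sessions[sid]["user"]]
        if u["security_qa"] is not None:
            raise PermissionError("security Q&A already set; use the profile endpoint")
        u["security_qa"] = form["security_qa"]
        return u["security_qa"]

    def update_profile(self, sid, form):
        """Profile endpoint: CSRF check first, then re-authentication for any sensitive
        field present in the form, regardless of which other parameters came along."""
        self._require_csrf(sid, form)
        u = self.users[self.sessions[sid]["user"]]
        changes = {k: form[k] for k in SENSITIVE_FIELDS if k in form}
        if changes:
            self._require_current_password(u, form)
        for field, value in changes.items():
            if field == "password":
                u["salt"] = secrets.token_bytes(16)
                u["pw"] = self._hash(value, u["salt"])
            else:
                u[field] = value
        return sorted(changes)


def demo():
    """Walk through the flow on a constructed user; returns the outcomes for checking."""
    svc = ProfileService()
    svc.register("alice", "correct horse", "alice@example.test")
    sid = svc.login("alice", "correct horse")
    token = svc.csrf_token(sid)
    results = {}
    # 1. Onboarding sets the Q&A once; replaying that request later is refused.
    svc.setup_security_qa(sid, {"csrf_token": token, "security_qa": "pet:rex"})
    try:
        svc.setup_security_qa(sid, {"csrf_token": token, "security_qa": "pet:evil"})
        results["qa_overwrite"] = "allowed"
    except PermissionError:
        results["qa_overwrite"] = "refused"
    # 2. Email change without the current password is refused even with a valid CSRF token.
    try:
        svc.update_profile(sid, {"csrf_token": token, "email": "x@example.test"})
        results["no_reauth"] = "allowed"
    except PermissionError:
        results["no_reauth"] = "refused"
    # 3. With the CSRF token and the current password the change goes through.
    results["with_reauth"] = svc.update_profile(
        sid, {"csrf_token": token, "current_password": "correct horse", "email": "new@example.test"})
    return results, svc.users["alice"]
```

The point of the design is that the re-authentication decision is made from the fields being changed, not from which page or form the request claims to come from, so swapping parameters between requests buys nothing.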
  13. Other ways to bypass CSRF and achieve ATO
      ⬡ There are many other ways to bypass CSRF; you can refer to my security workbook @ info.ninadmathpati.com
  14. What are Business Logic Vulnerabilities?
      ⬡ These are flaws in the design and implementation of an application that allow an attacker to elicit unintended behavior.
      ⬡ It is functionality that is part of a legitimate workflow, but it can be used with malicious intent.
  15. Scenario
      ⬡ There was a scenario where password reset of an account was possible by requesting a password reset link to the registered email.
      ⬡ There was an application, say xyz; I created my account on the application.
      ⬡ I tried to reset my account password using the forgot password functionality.
      ⬡ The application was using a token implementation while resetting passwords.
      ⬡ I tried to get a password reset link for my account; the link was such as
  16. ⬡ Now, once the URL was loaded in the browser, it worked in the intended way: I was able to reset my password.
      ⬡ In the given link there was an email parameter; I tried changing it to the victim's email.
      ⬡ After the change, once the URL was loaded in the browser, the application asked for the 2FA code associated with the victim's account.
      ⬡ In parallel it was sending a new password reset link to both mails (victim's mail id and attacker's mail id).
      ⬡ That password reset link was for the victim's account.
      ⬡ As I had the new reset link, I was able to reset the password of any account on the application.
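How a reset flow avoids the email-parameter problem in slides 15 and 16, as an added example that is not the application's code: a constructed `PasswordReset` class (the class, its store layout and the `app.example` link are assumptions) issues a high-entropy token whose hash is bound to one account at issue time, expires, and is single-use; the hardened `consume` resolves the account from the token alone and ignores any email parameter on the URL, while `consume_vulnerable` shows the weak pattern in which the URL's email selects the account.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlsplit


class PasswordReset:
    """In-memory reset flow, constructed for this example. Tokens are stored hashed,
    expire, are single-use, and each is bound to exactly one account when issued."""

    TTL_SECONDS = 15 * 60

    def __init__(self, users):
        self.users = users   # email -> {"password": ...}
        self.tokens = {}     # sha256(token) -> {"email", "expires"}

    def request_reset(self, email, now=None):
        now = time.time() if now is None else now
        if email not in self.users:
            return None      # caller shows the same "check your inbox" message either way
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[digest] = {"email": email, "expires": now + self.TTL_SECONDS}
        # The link carries only the token; the account is resolved from it server-side.
        return f"https://app.example/reset?token={token}"

    def consume_vulnerable(self, reset_url, new_password):
        """Weak pattern from the deck: the token only proves that *some* reset was
        requested, while the email query parameter picks which account is reset."""
        q = parse_qs(urlsplit(reset_url).query)
        if hashlib.sha256(q["token"][0].encode()).hexdigest() not in self.tokens:
            raise PermissionError("unknown token")
        target = q["email"][0]             # trusted from the URL: any account can be named
        self.users[target]["password"] = new_password
        return target

    def consume(self, reset_url, new_password, now=None):
        """Hardened: account comes from the token record; extra parameters are ignored."""
        now = time.time() if now is None else now
        q = parse_qs(urlsplit(reset_url).query)
        digest = hashlib.sha256(q.get("token", [""])[0].encode()).hexdigest()
        record = self.tokens.pop(digest, None)   # single use: gone on first presentation
        if record is None:
            raise PermissionError("unknown or already used token")
        if now > record["expires"]:
            raise PermissionError("expired token")
        target = record["email"]                 # bound at issue time; q.get("email") is never read
        self.users[target]["password"] = new_password
        return target


def demo():
    """Run both variants on constructed users; returns outcomes for checking."""
    users = {"alice@example.test": {"password": "old-a"},
             "bob@example.test": {"password": "old-b"}}
    pr = PasswordReset(users)
    out = {}
    link = pr.request_reset("alice@example.test", now=1_000)
    tampered = link + "&email=bob@example.test"   # the email swap described in the deck
    out["vulnerable_target"] = pr.consume_vulnerable(tampered, "pwned")   # resets bob: wrong account
    out["hardened_target"] = pr.consume(tampered, "fresh", now=1_100)      # resets alice: bound token
    try:
        pr.consume(tampered, "again", now=1_200)                          # replay of a used token
        out["replay"] = "accepted"
    except PermissionError:
        out["replay"] = "refused"
    stale = pr.request_reset("bob@example.test", now=1_000)
    try:
        pr.consume(stale, "late", now=1_000 + PasswordReset.TTL_SECONDS + 1)
        out["expired"] = "accepted"
    except PermissionError:
        out["expired"] = "refused"
    out["unknown_email"] = pr.request_reset("nobody@example.test", now=1_000)
    return out, users
```

Storing only the hash of the token means a leaked database copy does not yield usable reset links, and binding the account at issue time means the second-factor prompt never has to decide which account a URL is "about".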
  17. What is OAuth?
      ⬡ While browsing the web, you've almost certainly come across sites that let you log in using your social media account.
      ⬡ OAuth is an authorization framework.
      ⬡ It enables websites and web applications to request limited access to a user's account on another application.
      ⬡ It allows the user to grant access to their details without exposing their login credentials to the requesting application.
  18. OAuth Workflow (diagram)
      Parties: Resource Owner (User), Client Application (Client XYZ), OAuth Service Provider (Authorization Server and Resource Server).
      Steps 1–4: the client asks the authorization server "Please provide me the access token"; the auth server generates the access token and it is provided to the client.
      Steps 5–6: the client presents the access token to the resource server, which verifies the access token and provides the data.
  19. ATOs using OAuth
      ⬡ There are many misconfigurations in OAuth; we will look at redirect_uri misconfiguration and abuse of the state parameter, both of which could lead to ATOs.
        ∙ Weak redirect_uri validation: here the redirect_uri is vulnerable to an open redirect, which lets the attacker steal the victim's access token for the website.
        ∙ Improper handling of the state parameter: the state parameter is there to protect against CSRF attacks; if it is not implemented, an attacker could escalate the issue to taking over the victim's account.
  20. OAuth URL redirect misconfiguration
      ⬡ Here we change the “redirect_uri” value to an attacker-controlled server.
      ⬡ The result of this request is that the access token, once generated, is passed to the attacker-controlled server.
      ⬡ The access token would be passed in the Referer header, as it contains the address of the previous web page.
      Vulnerable redirect_uri parameter
  21. OAuth state parameter misconfiguration leading to a CSRF attack
      ⬡ In an OAuth configuration there is a state parameter which protects requests from CSRF attacks.
      ⬡ In this vulnerability the attacker takes a site where OAuth login is implemented and logs in with his own Facebook account.
      ⬡ After approving access to his account, he intercepts the next request containing the auth code and checks whether the state parameter is missing.
      ⬡ If it is missing, the attacker can generate a CSRF POC for that request and forward it to victims.
      ⬡ When a victim clicks the link, the attacker's Facebook account gets linked to the victim's account.
  22. State parameter not available (screenshot annotations)
      ⬡ If the user approves the request from fb to allow the client to access the user's personal information, the attacker can generate a CSRF POC for this request and pass it to the victim.
      ⬡ Once the victim clicks on the malicious link sent by the attacker, the attacker's FB account will be added to the victim's account.
      Attacker clicks here
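Both OAuth defences from slides 19 to 22 in code, as an added example that is not the deck's material: on the authorization-server side, `redirect_uri_allowed` does an exact match against a registered allowlist (the `REGISTERED_CLIENTS` table, the `xyz.example` and `auth.example` hosts and the client id are constructed assumptions); on the client side, `OAuthClient` mints a `state` bound to the user's session and refuses any callback that does not return it, which is what stops a captured authorization request from being replayed to a victim as a CSRF link.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Authorization-server side: each client registers its exact callback URLs (constructed data).
REGISTERED_CLIENTS = {
    "xyz": {"redirect_uris": {"https://xyz.example/oauth/callback"}},
}


def redirect_uri_allowed(client_id, redirect_uri):
    """Exact string match against the registered list. Prefix, substring or
    'same domain' checks are what let an open redirect on the client carry the
    code or token to a third party."""
    client = REGISTERED_CLIENTS.get(client_id)
    return client is not None and redirect_uri in client["redirect_uris"]


class OAuthClient:
    """Client-application side: issues a state value bound to the user's session
    and refuses callbacks that do not return it."""

    AUTHORIZE = "https://auth.example/authorize"   # assumed provider endpoint

    def __init__(self, client_id, redirect_uri):
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.sessions = {}   # session id -> pending oauth state

    def start_login(self, session_id):
        state = secrets.token_urlsafe(32)
        self.sessions[session_id] = state
        params = {"response_type": "code", "client_id": self.client_id,
                  "redirect_uri": self.redirect_uri, "state": state}
        return f"{self.AUTHORIZE}?{urlencode(params)}"

    def handle_callback(self, session_id, callback_url):
        """Returns the authorization code only if the state matches this session.
        A callback with no state, or one minted for another session, is rejected
        before any account linking happens."""
        q = parse_qs(urlsplit(callback_url).query)
        expected = self.sessions.pop(session_id, None)   # one-shot: a state cannot be replayed
        received = q.get("state", [None])[0]
        if expected is None or received is None or not hmac.compare_digest(expected, received):
            raise PermissionError("state missing or mismatched; refusing to link account")
        if "code" not in q:
            raise ValueError("callback carried no authorization code")
        return q["code"][0]


def demo():
    """Exercise both checks with constructed URLs; returns outcomes for checking."""
    out = {
        "exact": redirect_uri_allowed("xyz", "https://xyz.example/oauth/callback"),
        "open_redirect": redirect_uri_allowed("xyz", "https://xyz.example/redirect?to=https://evil.example"),
        "lookalike_host": redirect_uri_allowed("xyz", "https://xyz.example.evil.example/oauth/callback"),
    }
    client = OAuthClient("xyz", "https://xyz.example/oauth/callback")
    client.start_login("sess-a")
    state = client.sessions["sess-a"]
    good = "https://xyz.example/oauth/callback?code=AUTHCODE&state=" + state
    out["good_callback"] = client.handle_callback("sess-a", good)
    try:                                   # the same state presented a second time
        client.handle_callback("sess-a", good)
        out["replay"] = "linked"
    except PermissionError:
        out["replay"] = "refused"
    client.start_login("sess-b")
    try:                                   # a callback that carries no state at all
        client.handle_callback("sess-b", "https://xyz.example/oauth/callback?code=AUTHCODE")
        out["no_state"] = "linked"
    except PermissionError:
        out["no_state"] = "refused"
    client.start_login("sess-c")
    try:                                   # a state minted for someone else's session
        client.handle_callback("sess-c", good)
        out["foreign_state"] = "linked"
    except PermissionError:
        out["foreign_state"] = "refused"
    return out
```

The state is popped on first use so a callback URL cannot be replayed, and the comparison is constant-time; the redirect_uri check deliberately has no normalisation step, because every relaxation of exact match is a place for a redirect to sneak through.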
  23. What are IDOR Vulnerabilities?
      ⬡ It is a type of access control vulnerability.
      ⬡ This kind of vulnerability arises when user-supplied input is used to access data directly.
      ⬡ In the case shown, if the value “1234” is changed to something else, there is a possibility of getting that user's data.
  24. Scenario
      ⬡ I was working on an Android application; while looking for vulnerabilities using Burp Suite, I got to know that I needed to bypass the SSL pinning that was implemented.
      ⬡ Using Frida, the SSL pinning was bypassed.
      ⬡ In the myprofile page, there was a request such as,
      ⬡ Anyone can clearly see that there might be an IDOR at the highlighted endpoint.
      ⬡ The application was vulnerable to IDOR; I was able to get access to the data of any user just by changing the numeric value.
  25. How can ATO be achieved in this scenario?
      ⬡ If you take a closer look, you might see that the request is sent over the GET method.
      ⬡ If we change that to the OPTIONS method, we will learn which methods the application supports for this request.
      ⬡ To my surprise, I found that the PUT and DELETE methods were allowed.
      Request / Response
  26. ⬡ To do a full ATO, I can use the PUT method to add content.
      ⬡ The content can be anything: I can alter the email id or, even better, simply change the account password.
      ⬡ This was a full ATO of one user.
  27. Can we escalate it further? Can we take over 100 accounts at a time?
      ⬡ Yes, we can escalate it further: what if we brute-force the ID parameter?
      ⬡ Here, instead of the email change, I can directly change the password of all the accounts.
      ⬡ That's what I did, and within 10 mins I was able to take over nearly 100 accounts.
      ⬡ If needed I could have taken over all the users in the application in a few hours.
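What closes the IDOR chain from slides 23 to 27, as an added example that is not the application's code: a constructed profile endpoint (the `/api/profile/<id>` path, the `USERS` table with ids like 1234, and the `Request` shape are assumptions) that takes the subject from the session rather than the URL, enforces object-level authorization, allowlists HTTP methods so no surprise PUT or DELETE is reachable, refuses credential fields on this endpoint, and feeds denied ids into an `EnumerationMonitor` so a burst of foreign ids is detected rather than silently served. `profile_vulnerable` is the pattern that made the takeover possible.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample user store with numeric ids like the "1234" in the deck's request.
USERS = {
    1234: {"email": "alice@example.test", "password": "a"},
    1235: {"email": "bob@example.test", "password": "b"},
}

# Per-resource method allowlist: nothing outside this is served, whatever the framework supports.
ALLOWED_METHODS = {"/api/profile": {"GET", "PUT"}}


@dataclass
class Request:
    method: str
    path: str                      # e.g. "/api/profile/1234"
    session_user: Optional[int]    # subject derived from the session, never from the URL
    body: dict = field(default_factory=dict)


def profile_vulnerable(req):
    """The pattern behind the deck's finding: the id in the URL selects the record
    and nothing checks that it belongs to the caller."""
    uid = int(req.path.rsplit("/", 1)[1])
    if uid not in USERS:
        return 404, {}
    if req.method == "PUT":
        USERS[uid].update(req.body)
    return 200, dict(USERS[uid])


class EnumerationMonitor:
    """Detection hook: counts distinct foreign ids refused per subject, so the
    hundred-accounts-in-ten-minutes pattern trips an alert or lock."""

    def __init__(self, threshold=5):
        self.threshold = threshold
        self.denied = defaultdict(set)   # subject -> ids refused

    def record(self, subject, uid):
        self.denied[subject].add(uid)
        return len(self.denied[subject]) >= self.threshold   # True -> alert / throttle


def profile_hardened(req, monitor):
    """Object-level authorization plus a method allowlist; returns (status, body)."""
    resource, _, uid_text = req.path.rpartition("/")
    if req.method not in ALLOWED_METHODS.get(resource, set()):
        return 405, {}
    if req.session_user is None:
        return 401, {}
    if not uid_text.isdigit():
        return 404, {}
    uid = int(uid_text)
    if uid != req.session_user:
        # Same response as a missing record, so the caller learns nothing about which ids exist.
        if monitor.record(req.session_user, uid):
            return 429, {}
        return 404, {}
    if uid not in USERS:
        return 404, {}
    if req.method == "PUT":
        # Credential material goes through a re-authenticated flow, not this endpoint.
        blocked = {"password", "email"} & req.body.keys()
        if blocked:
            return 400, {"error": "fields not updatable here: " + ", ".join(sorted(blocked))}
        USERS[uid].update(req.body)
    return 200, {k: v for k, v in USERS[uid].items() if k != "password"}


def demo():
    """Bob (1235) is logged in; exercise the checks and return the status codes."""
    mon = EnumerationMonitor(threshold=3)
    out = {}
    out["get_other"] = profile_hardened(Request("GET", "/api/profile/1234", 1235), mon)[0]
    out["delete_own"] = profile_hardened(Request("DELETE", "/api/profile/1235", 1235), mon)[0]
    out["put_password"] = profile_hardened(Request("PUT", "/api/profile/1235", 1235, {"password": "x"}), mon)[0]
    out["put_name"] = profile_hardened(Request("PUT", "/api/profile/1235", 1235, {"name": "Bob"}), mon)
    for uid in (1236, 1237):   # two more foreign ids: the third distinct denial trips the monitor
        out["enum"] = profile_hardened(Request("GET", f"/api/profile/{uid}", 1235), mon)[0]
    out["vulnerable_get_other"] = profile_vulnerable(Request("GET", "/api/profile/1234", 1235))[0]
    return out
```

The method allowlist is the cheap fix for the OPTIONS surprise in slide 25, and the ownership check is the real fix; the monitor is there because an authorization bug you have not found yet is still visible in the logs as one session touching many ids.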
  29. How can one write a better report?
      ⬡ I believe report writing is as important as finding bugs in the application.
      ⬡ If we can't explain the issue properly, there is no use in finding that bug.
      ⬡ For me, all these fields should be present while drafting a report:
        ∙ Vulnerability Name
        ∙ Vulnerability Description
        ∙ Vulnerable URL/Endpoint
        ∙ Severity
        ∙ Payload
        ∙ Steps to Reproduce
        ∙ Impact
        ∙ Remediation
        ∙ References
  31. Contact
      ⬡ Twitter: @ninad_mathpati
      ⬡ Website: Ninadmathpati.com
      ⬡ Blog: Ninadmathpati.com/blog
      ⬡ LinkedIn: @ninad-mathpati
  32. Credits
      Special thanks to RESETHACKER for giving me the opportunity to conduct this webinar. www.resethacker.com