Applications still use weak methods for generating cryptographic material such as secrets, tokens and keys, which can expose them to severe risk. In application security, enumerating every point where secrets, tokens and encryption are produced or consumed always gives an edge. Broken and weak cryptography can have severe impact, and account takeover is one example. An account takeover gives the attacker persistent access to the victim's account, fully compromising its confidentiality, integrity and availability (CIA). However, neither broken cryptography nor account takeover is limited to a few attack vectors. In this talk, I will discuss:
1. Broken Cryptography 101
2. Endpoints to Test for Broken Cryptography
3. Quick Overview of How to test each Endpoint
4. Account Takeovers 101
5. Various Methods of Performing Account Takeovers
6. Case Studies of Real-Life Findings:
a. Broken Cryptography to Account Takeover
b. CSRF to Account Takeover
c. XSS to Account Takeover & Privilege Escalation
d. IDOR to Account Takeover
e. Account Takeovers in Password Reset Links