Account Takeover
Summary
Password Reset Feature
Password Reset Token Leak Via Referrer
Account Takeover Through Password Reset Poisoning
Password Reset Via Email Parameter
IDOR on API Parameters
Weak Password Reset Token
Leaking Password Reset Token
Password Reset Via Username Collision
Account takeover due to unicode normalization issue
Account Takeover Via Cross Site Scripting
Account Takeover Via HTTP Request Smuggling
Account Takeover via CSRF
2FA Bypasses
Response Manipulation
Status Code Manipulation
2FA Code Leakage in Response
JS File Analysis
2FA Code Reusability
Lack of Brute-Force Protection
Missing 2FA Code Integrity Validation
CSRF on 2FA Disabling
Password Reset Disable 2FA
Backup Code Abuse
Clickjacking on 2FA Disabling Page
Enabling 2FA doesn't expire Previously active Sessions
Bypass 2FA by Force Browsing
Bypass 2FA with null or 000000
Bypass 2FA with array
References
Password Reset Feature
Password Reset Token Leak Via Referrer
Request password reset to your email address
Click on the password reset link
Don't change password
Click any 3rd party websites(eg: Facebook, twitter)
Intercept the request in Burp Suite proxy
Check if the referer header is leaking password reset token.
Account Takeover Through Password Reset Poisoning
Intercept the password reset request in Burp Suite
Add or edit the following headers in Burp Suite :
Host: attacker.com
,X-Forwarded-Host: attacker.com
Forward the request with the modified header
Look for a password reset URL based on the host header like :
https://attacker.com/reset-password.php?token=TOKEN
Password Reset Via Email Parameter
IDOR on API Parameters
Attacker have to login with their account and go to the Change password feature.
Start the Burp Suite and Intercept the request
Send it to the repeater tab and edit the parameters : User ID/email
Weak Password Reset Token
The password reset token should be randomly generated and unique every time. Try to determine if the token expire or if it's always the same, in some cases the generation algorithm is weak and can be guessed. The following variables might be used by the algorithm.
Timestamp
UserID
Email of User
Firstname and Lastname
Date of Birth
Cryptography
Number only
Small token sequence (<6 characters between [A-Z,a-z,0-9])
Token reuse
Token expiration date
Leaking Password Reset Token
Trigger a password reset request using the API/UI for a specific email e.g: test@mail.com
Inspect the server response and check for
resetToken
Then use the token in an URL like
https://example.com/v3/user/password/reset?resetToken=[THE_RESET_TOKEN]&email=[THE_MAIL]
Password Reset Via Username Collision
Register on the system with a username identical to the victim's username, but with white spaces inserted before and/or after the username. e.g:
"admin "
Request a password reset with your malicious username.
Use the token sent to your email and reset the victim password.
Connect to the victim account with the new password.
The platform CTFd was vulnerable to this attack. See: CVE-2020-7245
Account takeover due to unicode normalization issue
When processing user input involving unicode for case mapping or normalisation, unexcepted behavior can occur.
Victim account:
demo@gmail.com
Attacker account:
demⓞ@gmail.com
Unicode pentester cheatsheet can be used to find list of suitable unicode characters based on platform.
Account Takeover Via Cross Site Scripting
Find an XSS inside the application or a subdomain if the cookies are scoped to the parent domain :
*.domain.com
Leak the current sessions cookie
Authenticate as the user using the cookie
Account Takeover Via HTTP Request Smuggling
Refer to HTTP Request Smuggling vulnerability page.
Use smuggler to detect the type of HTTP Request Smuggling (CL, TE, CL.TE)
Craft a request which will overwrite the
POST / HTTP/1.1
with the following data:Final request could look like the following
Hackerone reports exploiting this bug
https://hackerone.com/reports/737140
https://hackerone.com/reports/771666
Account Takeover via CSRF
Create a payload for the CSRF, e.g: "HTML form with auto submit for a password change"
Send the payload
Account Takeover via JWT
JSON Web Token might be used to authenticate an user.
Edit the JWT with another User ID / Email
Check for weak JWT signature
2FA Bypasses
Response Manipulation
In response if "success":false
Change it to "success":true
Status Code Manipulation
If Status Code is 4xx Try to change it to 200 OK and see if it bypass restrictions
2FA Code Leakage in Response
Check the response of the 2FA Code Triggering Request to see if the code is leaked.
JS File Analysis
Rare but some JS Files may contain info about the 2FA Code, worth giving a shot
2FA Code Reusability
Same code can be reused
Lack of Brute-Force Protection
Possible to brute-force any length 2FA Code
Missing 2FA Code Integrity Validation
Code for any user acc can be used to bypass the 2FA
CSRF on 2FA Disabling
No CSRF Protection on disabling 2FA, also there is no auth confirmation
Password Reset Disable 2FA
2FA gets disabled on password change/email change
Backup Code Abuse
Bypassing 2FA by abusing the Backup code feature Use the above mentioned techniques to bypass Backup Code to remove/reset 2FA restrictions
Clickjacking on 2FA Disabling Page
Iframing the 2FA Disabling page and social engineering victim to disable the 2FA
Enabling 2FA doesn't expire Previously active Sessions
If the session is already hijacked and there is a session timeout vuln
Bypass 2FA by Force Browsing
If the application redirects to /my-account
url upon login while 2Fa is disabled, try replacing /2fa/verify
with /my-account
while 2FA is enabled to bypass verification.
Bypass 2FA with null or 000000
Enter the code 000000 or null to bypass 2FA protection.
Bypass 2FA with array
TODO
Broken cryptography
Session hijacking
OAuth misconfiguration
References
Last updated