Account Takeover (Insecure Design+ Response manipulation)

Vaibhav Kumar Srivastava
3 min read · Jan 30, 2023

Hey Everyone! Let’s learn something new as it is going to be fun learning today.

Let's assume that the testing domain is “www.example.com” and that it has Sign-In/Register functionality.

Step 1: Register two accounts (Attacker: vamp9006, Victim: vamp8896) on the application using the register functionality.

Step 2: Click on Forgot Password, enter the user id of the attacker and click on “Generate OTP”.

Step 3: Enter the correct OTP and submit the request.

Step 4: Enter the new password and intercept the request in Burp Suite.

Step 5: Observe that the intercepted request carries the new password along with a UserId parameter. Send the request to Repeater.

Step 6: Change the UserId from the attacker's to the victim's and send the request from Repeater. The server accepts it: the attacker has changed the victim's password using nothing but the UserId parameter, which means the password of any user can be reset simply by supplying that user's UserId.

Step 7: We have now confirmed that the attacker can change the password of any user. Let's try to log in with the victim's ID and the new password to confirm the account takeover.

The application sends a login OTP to the registered email address, so we cannot proceed further, as we don't have access to the victim's email.

Step 8: Let's check whether this OTP restriction can be bypassed. Enter the details again and intercept the response to the login request in the Burp Suite proxy.

Step 9: Change the response from “OTP Required” to “valid”.

Step 10: The OTP restriction is bypassed via response manipulation, and we are logged in with the victim's updated credentials.
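The server-side fixes for the two flaws exercised above, as an added example that is not part of the original post: the password-reset handler must take the target account from a server-issued token bound to the verified OTP rather than from a client-supplied UserId, and the login OTP gate must live in server-side session state rather than in the client's handling of an “OTP Required”/“valid” response. The store names, function names and token/session handling are assumptions standing in for the real application.

```python
import hmac
import secrets

# Constructed in-memory stores standing in for the app's database (plaintext passwords for brevity).
USERS = {"vamp9006": "attacker-pw", "vamp8896": "victim-pw"}  # user id -> password
RESET_TOKENS = {}   # reset token -> user id it was issued for
PENDING_OTP = {}    # session id -> user id, first factor passed
AUTHENTICATED = {}  # session id -> user id, OTP verified

def reset_password_insecure(request):
    """Steps 5-6 of the write-up: the server trusts the client-supplied UserId."""
    if request["UserId"] not in USERS:
        return False
    USERS[request["UserId"]] = request["NewPassword"]
    return True

def issue_reset_token(user_id, otp, expected_otp):
    """Bind a single-use reset token to the account whose OTP was just verified."""
    if not hmac.compare_digest(otp, expected_otp):
        return None
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = user_id
    return token

def reset_password_secure(request):
    """Hardened: the account comes from the server-bound token; any UserId is ignored."""
    user_id = RESET_TOKENS.pop(request.get("ResetToken", ""), None)
    if user_id is None:
        return False
    USERS[user_id] = request["NewPassword"]
    return True

def login(session_id, user_id, password):
    """First factor: the session is recorded as pending, never as authenticated."""
    if not hmac.compare_digest(USERS.get(user_id, ""), password):
        return "invalid"
    PENDING_OTP[session_id] = user_id
    return "OTP Required"

def verify_login_otp(session_id, otp, expected_otp):
    """Second factor: the only path that moves a session to AUTHENTICATED."""
    user_id = PENDING_OTP.get(session_id)
    if user_id is None or not hmac.compare_digest(otp, expected_otp):
        return "invalid"
    AUTHENTICATED[session_id] = PENDING_OTP.pop(session_id)
    return "valid"

def current_user(session_id):
    """Protected endpoints check server state, not what the client's UI decided."""
    return AUTHENTICATED.get(session_id)
```

With the hardened flow, swapping the UserId in the reset request changes nothing, and a client that rewrites "OTP Required" to "valid" still has no authenticated session on the server.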

Learning:

1- Always intercept requests in a proxy tool and look for any parameter that can affect accounts in bulk (example: UserId).

2- Always try to chain multiple vulnerabilities to increase the impact, as we did here (response manipulation to bypass the OTP restriction).

3- Always try response manipulation by carefully monitoring the responses on endpoints such as OTP verification, password change and login.

Stay Curious, Stay Protected!!
