#securityexplained S-32: Account Takeover Methodologies
A thread on my Account Takeover Methodologies 🧵
[1/n]
#appsec #infosec #webappsec #bugbountytips #bugbounty #hacking #Coding #security #development #securecoding #learn365 #securityexplained
A thread on my Account Takeover Methodologies 🧵
[1/n]
#appsec #infosec #webappsec #bugbountytips #bugbounty #hacking #Coding #security #development #securecoding #learn365 #securityexplained
[2/n]
An account takeover usually refers to gaining persistent access to the victim user's account and performing all the authentication actions as a victim would be able to do. The severity of account takeover issues is usually considered between High to Critical.
An account takeover usually refers to gaining persistent access to the victim user's account and performing all the authentication actions as a victim would be able to do. The severity of account takeover issues is usually considered between High to Critical.
[3/n]
However, it also depends upon the complexity and likelihood of the attack.
In general, the account takeover is not a "vulnerability class" itself but an impact result of a vulnerability.
However, it also depends upon the complexity and likelihood of the attack.
In general, the account takeover is not a "vulnerability class" itself but an impact result of a vulnerability.
[4/n]
For example, the application was vulnerable to CSRF, and the attacker was able to perform specific actions that led to "Account Takeover".
Below is my methodology for testing different scenarios of Account Takeover:
For example, the application was vulnerable to CSRF, and the attacker was able to perform specific actions that led to "Account Takeover".
Below is my methodology for testing different scenarios of Account Takeover:
[5/n]
1. Account Takeover by CSRF
- If your target application is vulnerable to CSRF on functionalities such as "Email/Phone" Change, you can attempt to perform account takeover using it.
a. Perform CSRF to Update Attacker Email/Phone in Victim Account
1. Account Takeover by CSRF
- If your target application is vulnerable to CSRF on functionalities such as "Email/Phone" Change, you can attempt to perform account takeover using it.
a. Perform CSRF to Update Attacker Email/Phone in Victim Account
[6/n]
b. Perform Password Reset using Attacker Email/Phone set in Victim Account
c. Account Takeover Successful.
b. Perform Password Reset using Attacker Email/Phone set in Victim Account
c. Account Takeover Successful.
[7/n]
2. Account Takeover by IDOR (Post Authentication)
- If your target application is vulnerable to IDOR on functionalities such as "Email/Phone" Change, you can attempt to perform account takeover using it.
a. Perform IDOR to Update Attacker Email/Phone in Victim Account
2. Account Takeover by IDOR (Post Authentication)
- If your target application is vulnerable to IDOR on functionalities such as "Email/Phone" Change, you can attempt to perform account takeover using it.
a. Perform IDOR to Update Attacker Email/Phone in Victim Account
[8/n]
b. Perform Password Reset using Attacker Email/Phone set in Victim Account
c. Account Takeover Successful.
b. Perform Password Reset using Attacker Email/Phone set in Victim Account
c. Account Takeover Successful.
[9/n]
3. Account Takeover by IDOR in Password Reset
- If the application sends `user identifier` in the password reset functionality. Then, one can perform an account takeover. Multiple methods depend upon the functionality. One of the standard methods is:
3. Account Takeover by IDOR in Password Reset
- If the application sends `user identifier` in the password reset functionality. Then, one can perform an account takeover. Multiple methods depend upon the functionality. One of the standard methods is:
[10/n]
a. Trigger Password Reset Request
b. Open the Password Reset Link and Change the `user identifier` to `victim user`.
c. Attempt to perform Password Reset.
d. If the password reset is successful, account takeover is achieved.
a. Trigger Password Reset Request
b. Open the Password Reset Link and Change the `user identifier` to `victim user`.
c. Attempt to perform Password Reset.
d. If the password reset is successful, account takeover is achieved.
[11/n]
4. Takeover by Password Reset Poisoning
- If the app is vulnerable to host header injection, an attacker can attempt to perform a password reset poisoning attack by adding an attacker-controlled host to the password reset link and completing takeover in simple steps:
4. Takeover by Password Reset Poisoning
- If the app is vulnerable to host header injection, an attacker can attempt to perform a password reset poisoning attack by adding an attacker-controlled host to the password reset link and completing takeover in simple steps:
[12/n]
a. Capture the Password Reset Request and Change the Host header value to "attacker-controlled" host.
b. Forward the request and check the email for the password reset link.
a. Capture the Password Reset Request and Change the Host header value to "attacker-controlled" host.
b. Forward the request and check the email for the password reset link.
[13/n]
c. If the password reset link contains the "attacker-controlled" hostname and the victim clicks on the link, it will be logged on the attacker server.
d. Attacker can use the token and perform account takeover by resetting the password.
c. If the password reset link contains the "attacker-controlled" hostname and the victim clicks on the link, it will be logged on the attacker server.
d. Attacker can use the token and perform account takeover by resetting the password.
[14/n]
5. Account Takeover by Broken Cryptography
- If the password reset token/link generated by the application is not cryptographically strong, an attacker may attempt to find a way to forge a valid reset token.
5. Account Takeover by Broken Cryptography
- If the password reset token/link generated by the application is not cryptographically strong, an attacker may attempt to find a way to forge a valid reset token.
[15/n]
There are no specific ways to execute these attacks, but the main goal is to identify how the token is generated.
a. Check for the Randomness
b. Check for standard cryptographic methods in use
c. Try to identify if any known token generation library is used by the app
There are no specific ways to execute these attacks, but the main goal is to identify how the token is generated.
a. Check for the Randomness
b. Check for standard cryptographic methods in use
c. Try to identify if any known token generation library is used by the app
[16/n]
6. Account Takeover by OAuth Misconfiguration
- If the application uses OAuth, there are multiple ways to perform account takeover if the OAuth is misconfigured. Some of the attacks are performing account takeover using CSRF in OAuth, SSO Restriction Bypass, etc.
6. Account Takeover by OAuth Misconfiguration
- If the application uses OAuth, there are multiple ways to perform account takeover if the OAuth is misconfigured. Some of the attacks are performing account takeover using CSRF in OAuth, SSO Restriction Bypass, etc.
[17/n]
Example:
- hackerone.com/reports/314808
- hackerone.com/reports/541701
7. Pre-Authentication Account Takeover
- I have shared an in-depth blog on performing Pre-Authentication Account Takeover that can be found at: hbothra22.medium.com/attacking-soci…
Example:
- hackerone.com/reports/314808
- hackerone.com/reports/541701
7. Pre-Authentication Account Takeover
- I have shared an in-depth blog on performing Pre-Authentication Account Takeover that can be found at: hbothra22.medium.com/attacking-soci…
[18/n]
8. Account Takeover due to Improper Rate-Limitation Checks
- If the application doesn't implement proper rate-limitation, it is possible to bypass the authentication in the application that utilizes Phone/Email OTP based login (Assuming OTP is 4 digit & has a long expiry)
8. Account Takeover due to Improper Rate-Limitation Checks
- If the application doesn't implement proper rate-limitation, it is possible to bypass the authentication in the application that utilizes Phone/Email OTP based login (Assuming OTP is 4 digit & has a long expiry)
[19/n]
a. Initiate a login request and send an OTP.
b. Input Wrong OTP and Fuzz the OTP parameter.
c. Once the valid OTP is received, you will get the proper access token which can be used to login into the user account.
a. Initiate a login request and send an OTP.
b. Input Wrong OTP and Fuzz the OTP parameter.
c. Once the valid OTP is received, you will get the proper access token which can be used to login into the user account.
[20/n]
- This issue is also seen in the application having no password policy where an attacker can brute-force the password field.
- This issue is also seen in the application having no password policy where an attacker can brute-force the password field.
[21/n]
9. Account Takeover due to Weak Security Policies
- Due to the weak security policies, an attacker may find a way to bypass the authentication & authorization and attempt to gain initial non-persistent access to the victim account.
9. Account Takeover due to Weak Security Policies
- Due to the weak security policies, an attacker may find a way to bypass the authentication & authorization and attempt to gain initial non-persistent access to the victim account.
[22/n]
Once you have initial access, you can attempt to get privileged access depending upon the application use-case & offered functionalities.
Once you have initial access, you can attempt to get privileged access depending upon the application use-case & offered functionalities.
[23/n]
10. Account Takeover by Utilizing Sensitive Data Exposure
- Always check for the sensitive data exposure in different components for interesting information such as "Access Tokens", "Session Tokens", and "Credentials".
10. Account Takeover by Utilizing Sensitive Data Exposure
- Always check for the sensitive data exposure in different components for interesting information such as "Access Tokens", "Session Tokens", and "Credentials".
[24/n]
Sometimes, the access tokens are fresh and not expired that can be used to perform session hijacking and gain non-persistent access to the user account.
- Also, search for the endpoints that might reveal sensitive information such as password hashes, session variables, etc
Sometimes, the access tokens are fresh and not expired that can be used to perform session hijacking and gain non-persistent access to the user account.
- Also, search for the endpoints that might reveal sensitive information such as password hashes, session variables, etc
[25/n]
11. Account Takeover by Cross-Site Scripting
- If you have cross-site scripting, there are ways to steal a user's session cookies & gain a non-persistent account takeover. However, in a situation where you can hijack admin sessions and create more admin accounts or ..
11. Account Takeover by Cross-Site Scripting
- If you have cross-site scripting, there are ways to steal a user's session cookies & gain a non-persistent account takeover. However, in a situation where you can hijack admin sessions and create more admin accounts or ..
[26/n]
...reset the password for any users, you can perform a persistent account takeover.
- Even if you cannot hijack a session, if there's a way to create an account using an admin account controlled by JS, you can use XSS to trigger it and create a user account.
...reset the password for any users, you can perform a persistent account takeover.
- Even if you cannot hijack a session, if there's a way to create an account using an admin account controlled by JS, you can use XSS to trigger it and create a user account.
[n/n]
12. Misc. Methods
- Response Manipulation
- Status Code Manipulation
- Parameter Pollution
- Token Forging
#appsec #infosec #bugbountytips #hacking #bugbounty
12. Misc. Methods
- Response Manipulation
- Status Code Manipulation
- Parameter Pollution
- Token Forging
#appsec #infosec #bugbountytips #hacking #bugbounty
• • •
Missing some Tweet in this thread? You can try to
force a refresh
