A Story of a Zero-Click Complete Account Takeover


Shravani_kb

Hello Fellow Hunters!!!!

This is my first blog post, so please forgive any mistakes. Enjoy the write-up, and I hope it helps you learn something new.

This is the story of a complete Account Takeover of a victim user with zero clicks from the victim's end.

For the sake of this write-up, let's call the target application redacted.com, as it is under NDA.

I was pen-testing redacted.com in collaboration with shesha sai_c and came across a few endpoints that together allowed me to perform this Account Takeover attack.

Let's get into the vulnerability details:

The application sends a back-end request to an endpoint named checkExistUser to validate the user and confirm that the account exists.

The POST request expects an email ID, which is what the server uses to look the user up.

Once the server confirms the user exists, it responds with the Username hash and its value.

Tip: There are no restrictions on this endpoint; you can obtain the Username hash of any user belonging to the organization just by supplying their email. On its own that is an information disclosure, but keep in mind what the server later accepts this hash as proof of.

At first glance I identified this as a form of user enumeration, and I was fairly sure that on its own the finding would be marked as N/A or P4 (low severity), so I kept digging.

Alongside that, I observed that when a password reset is initiated, a back-end request to the endpoint setPasswordCognitoAdmin is sent to perform the password change.

The password reset request expects only a Username hash and a new password value. Nothing in it ties the request to the account owner: no authenticated session and no reset token, just the same hash that checkExistUser hands out for any email.

Now let's play with this request: substitute the victim's Username hash taken from the checkExistUser response and a password of our choosing, then send it.

We receive a 200 OK response. Let's confirm the change by logging in with the victim's email and our chosen password.

Yes , Hurray !!!!!

We have performed a successful Account Takeover with zero clicks from the victim.

Tl;dr:

Steps to Reproduce:

1. Visit redacted.com.

2. Find the back-end endpoint checkExistUser, which takes a user email and confirms whether the account exists [User Enumeration Attack].

3. Note the Username hash values returned in its responses.

4. Find the back-end endpoint setPasswordCognitoAdmin, which takes a Username hash and a password value and changes that user's password without any further authorization.

5. Chain the two vulnerabilities (leaked hash from step 3 fed into the request from step 4) to raise the severity and achieve a zero-click Account Takeover.
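To make the chain and the fix concrete, here is an added example that models both endpoints in memory; it is not the author's code and not the redacted application's. The endpoint names are the ones from the write-up; the user records, the way the "Username hash" is derived (assumed here to be a SHA-256 of the username), the reset-token logic and the mail outbox stand-in are all constructed for illustration. The name setPasswordCognitoAdmin suggests a wrapper around Cognito's AdminSetUserPassword, an administrative API that sets a password without any proof of identity from the user, so the authorization check has to live in the application layer, which is exactly what the hardened variant below adds.

```python
"""Vulnerable vs. hardened model of the two endpoints from the write-up (added example)."""
import hashlib
import hmac
import secrets
import time

# Constructed sample user store: email -> record. Not real data.
USERS = {
    "victim@redacted.com": {"username": "victim01", "password": "Correct-Horse"},
    "attacker@redacted.com": {"username": "attacker", "password": "Hunter2!"},
}


def username_hash(username: str) -> str:
    """Assumption: the 'Username hash' is an opaque value derived from the username."""
    return hashlib.sha256(username.encode()).hexdigest()


def login(email: str, password: str) -> bool:
    user = USERS.get(email)
    return user is not None and hmac.compare_digest(user["password"], password)


# ---------- Vulnerable behaviour, as described in the write-up ----------

def check_exist_user_vuln(email: str) -> dict:
    """POST checkExistUser: confirms existence and leaks the hash for any email."""
    user = USERS.get(email)
    if user is None:
        return {"exists": False}
    return {"exists": True, "usernameHash": username_hash(user["username"])}


def set_password_cognito_admin_vuln(hash_value: str, new_password: str) -> int:
    """POST setPasswordCognitoAdmin: trusts the hash alone, no session or token."""
    for user in USERS.values():
        if hmac.compare_digest(username_hash(user["username"]), hash_value):
            user["password"] = new_password
            return 200
    return 404


def takeover_chain(victim_email: str, new_password: str, check, set_pw) -> bool:
    """The zero-click chain: enumerate, then reset using the leaked identifier."""
    resp = check(victim_email)
    if not resp.get("exists"):
        return False
    return set_pw(resp["usernameHash"], new_password) == 200


# ---------- Hardened variant (added here, not the application's fix) ----------

RESET_TOKENS: dict = {}   # token -> (email, expiry epoch seconds)
OUTBOX: list = []         # stand-in for the e-mail sender, so the flow runs offline


def check_exist_user_fixed(email: str) -> dict:
    """Same response whether or not the account exists; the secret goes out of band."""
    if email in USERS:
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[token] = (email, time.time() + 900)   # 15-minute lifetime
        OUTBOX.append((email, token))                       # real code e-mails this
    return {"message": "If the account exists, a reset link has been sent."}


def set_password_fixed(token: str, new_password: str) -> int:
    """Reset requires the single-use, expiring token that only the mailbox owner holds."""
    entry = RESET_TOKENS.pop(token, None)                   # pop: single use
    if entry is None:
        return 403
    email, expiry = entry
    if time.time() > expiry:
        return 403
    USERS[email]["password"] = new_password
    return 200


if __name__ == "__main__":
    ok = takeover_chain("victim@redacted.com", "pwned", check_exist_user_vuln,
                        set_password_cognito_admin_vuln)
    print("vulnerable chain succeeded:", ok, "login:", login("victim@redacted.com", "pwned"))
    blocked = takeover_chain("victim@redacted.com", "pwned2", check_exist_user_fixed,
                             set_password_fixed)
    print("chain against hardened endpoints succeeded:", blocked)
```

Running the module shows the chain succeeding against the vulnerable pair and failing against the hardened pair: the fixed checkExistUser returns nothing an attacker can feed into the reset, and the fixed reset refuses anything that is not a fresh token from the account owner's mailbox.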

Thanks for reading.

Shravani

I am looking for an entry-level penetration testing role; please feel free to reach me on LinkedIn to discuss any openings.
