Exploiting Response Manipulation for Account Takeover


Shubham Darmwal

Hello everyone,

I’m Shubham Darmwal, and today I’m excited to share my findings on a critical vulnerability I discovered while testing a website. This marks my first article, and I welcome your feedback to help me grow as a writer.

While exploring websites for security assessment, I encountered a website that we’ll refer to as site.com. Upon reaching the login page, which required OTP verification via mobile number, I decided to investigate further.

1. Setup and Initial Login Attempt: On the login page, start a login using the attacker’s own mobile number.

2. Capture and Intercept: Submit the mobile number with Burp Suite intercepting, so that both the request and the server’s response can be inspected.

3. Response Inspection: Inspect the response to the mobile-number submission in Burp Suite. It reflects the attacker’s customer ID back to the client.

Attacker’s customerID

4. Enter OTP: Enter the OTP received on the attacker’s phone and again capture the request in Burp Suite.

5. Exploiting Customer ID Manipulation: Intercept the response to the OTP submission and locate the customer ID parameter in it.

Attacker’s customerID

Change the attacker’s customer ID to the victim’s customer ID and forward the modified response to the browser.

Victim’s customerID

6. Successful Account Takeover: The attacker is now logged in to the victim’s account, with access to sensitive information such as card details, address, email and mobile number, and the ability to place orders.

Successful account takeover
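The steps above only work if the server trusts the customer ID the client hands back on later requests instead of the identity it just verified with the OTP. The following Python simulation is an added illustration, not the author’s code or site.com’s real API; the endpoint shapes, the field name customerId, the session token and the two sample accounts are all assumptions made for the demo. It replays the write-up’s flow (mobile number, OTP, tampered response, profile fetch) against a vulnerable profile endpoint and against a hardened one that binds the customer ID to the server-side session.

```python
"""Simulation of the customer-ID trust flaw behind the write-up.

Added example, not the original article's code. Field names, endpoints and
the in-memory "database" below are assumptions for the demo.
"""
import secrets

# Constructed sample data: one attacker-controlled account and one victim.
USERS = {
    "CUST-1001": {"mobile": "+10000000001", "email": "attacker@example.com",
                  "card_last4": "1111"},
    "CUST-2002": {"mobile": "+10000000002", "email": "victim@example.com",
                  "card_last4": "2222"},
}
MOBILE_TO_ID = {u["mobile"]: cid for cid, u in USERS.items()}

PENDING_OTPS: dict[str, str] = {}   # mobile -> otp awaiting verification
SESSIONS: dict[str, str] = {}       # token -> customer ID bound server side


def request_otp(mobile: str) -> dict:
    """Steps 1-3: start a login with a mobile number. The response reflects
    the customer ID for that number back to the client."""
    if mobile not in MOBILE_TO_ID:
        return {"error": "unknown mobile"}
    PENDING_OTPS[mobile] = f"{secrets.randbelow(10**6):06d}"
    return {"customerId": MOBILE_TO_ID[mobile], "otpSent": True}


def verify_otp(mobile: str, otp: str) -> dict:
    """Step 4: exchange the OTP for a session token. The response again
    carries the customer ID, which the client stores and reuses."""
    if PENDING_OTPS.get(mobile) != otp:
        return {"error": "bad otp"}
    del PENDING_OTPS[mobile]
    token = secrets.token_hex(16)
    cid = MOBILE_TO_ID[mobile]
    SESSIONS[token] = cid
    return {"token": token, "customerId": cid}


def profile_vulnerable(token: str, customer_id: str) -> dict:
    """Vulnerable endpoint: checks that a session exists, then serves whatever
    customerId the client sends, i.e. whatever the tampered response said."""
    if token not in SESSIONS:
        return {"error": "unauthenticated"}
    return USERS.get(customer_id, {"error": "no such customer"})


def profile_fixed(token: str, customer_id: str) -> dict:
    """Hardened endpoint: identity comes from the server-side session, and a
    client-supplied customerId that disagrees is rejected, not honoured."""
    cid = SESSIONS.get(token)
    if cid is None:
        return {"error": "unauthenticated"}
    if customer_id != cid:
        return {"error": "forbidden"}
    return USERS[cid]


def tamper_response(resp: dict, victim_id: str) -> dict:
    """Step 5: what the intercepting proxy does to the OTP response before
    the browser sees it: swap the attacker's customerId for the victim's."""
    return {**resp, "customerId": victim_id}


def run_attack(profile_endpoint) -> dict:
    """Replay the write-up's flow end to end against a profile endpoint.
    The attacker knows only their own mobile number and the victim's
    (non-secret) customer ID."""
    attacker_mobile = USERS["CUST-1001"]["mobile"]
    request_otp(attacker_mobile)
    otp = PENDING_OTPS[attacker_mobile]        # attacker reads it off their own phone
    real_resp = verify_otp(attacker_mobile, otp)
    seen_by_client = tamper_response(real_resp, "CUST-2002")
    # The client now believes it is CUST-2002 and sends that ID on every later call.
    return profile_endpoint(seen_by_client["token"], seen_by_client["customerId"])


if __name__ == "__main__":
    print("vulnerable:", run_attack(profile_vulnerable))   # victim's record
    print("fixed:     ", run_attack(profile_fixed))        # {'error': 'forbidden'}
```

The hardened endpoint accepts the same tampered client state and still returns nothing about the victim, because the only identity it consults is the one recorded against the session token when the OTP was verified. That is also the practical check when triaging a finding like this: if a response edit alone yields server-held victim data such as card details or orders, the authorization is client-controlled; if only the client-side display changes, it is a much lower-severity UI issue.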

This vulnerability allows an attacker to gain unauthorized access to a victim’s account on site.com by completing the login with their own mobile number and OTP and then editing the customer ID in the server’s response so that the client continues the session as the victim. The only secret involved is the attacker’s own OTP; the victim’s customer ID is not a secret, and the fact that a response edit alone exposes the victim’s card details and orders implies that the server authorizes later requests on the customer ID the client presents rather than on the identity it verified with the OTP. Despite reporting this issue to the company, no response was received, underscoring the importance of vigilance in securing user data.

In conclusion, this experience highlights the critical need for robust security measures in web applications, particularly in handling users’ personal information and preventing unauthorized access. As ethical hackers and cybersecurity enthusiasts, it’s our responsibility to identify and mitigate such vulnerabilities to safeguard user privacy and trust.

Thank you for reading.

Happy learning and happy hunting!
