Response manipulation to Account takeover

3 years ago 459
BOOK THIS SPACE FOR AD
ARTICLE AD

Anon_Y0gi

Hello everyone I am back again with another blog ,in this blog i will going to tell about an easy P1 bug I encountered while hunting

Before proceeding to the reproduction phase ,we need to know a little about Authentication Bypass

So What is Auth Bypass?

Authentication Bypass is a dangerous vulnerability which is found in Web-Applications. Attackers can bypass the control mechanisms which are used by the underlying web application like OTP, Captcha, 2FA, Email verification etc.
An Attacker can perform a complete Account takeover of Victim.

So let’s proceed to the thing now

Let’s consider our target as AnonY0gi.com

It’s an ecommerce site ,so I tried to find logic flaws in payments and carts ,csrf ,xss , host header ,but didn’t get any success .One thing our target AnonY0gi.com’s Hall Of fame is a large list ,and it’s also a very old program. Hmm so things will not be easy

Ok one of the feature the site is we can login through OTP ,and also in password reset we need the right OTP to change password, so i immediately tried to bypass the OTP in login but didn’t get result

Ok now i went to Forgot password and typed my email and sent password reset OTP

Back in mailbox we get the OTP ,and after typing the write OTP I intercepted the response to that request ,and i got something interesting in the json code

The json data is like this in response

{"status":"success","user_id":80113945,"redirect":"https:\/\/www.nikallaude.com\/"}

Next i typed wrong OTP ,and also intercepted the response to this request

The json data looks like this now

{"status":"fail","errors":[{"key":"otp","value":"2899","message":"Incorrect OTP."}]}

Ok so what if I changed all this to the correct json data of previous one
I changed the status from fail to success added user_id and redirection url ,and Forward the response
And YES i am able to change the password of that user ,and we successfully bypassed OTP

OK you must be thinking but how will i get the victim user_id right? that is unknown to us ,
Fortunately I was able to bypass ratelimiting in the site ,and hence by bruteforcing we can get the right user_id

Yes I did try for IDOR by replacing the user_id with a diff account id ? Yes i did that ,but no success

Anyway I was very happy after i find such a logic flaw in the application ,I immediately reported the bug to the security team

2 days later i got this

And my heartbroke since it was my first P1 and it turned out to be a duplicate.

Anyway if you like the blog and if it is helpful for you ,like my post and follow me on twitter https://twitter.com/AnonY0gi

Good Night, Shabba Khair Kailash kher . Wish you a happy married life

Read Entire Article