Unveiling Homoglyph: Silent Culprit of User-Level DOS Attacks

8 months ago 79
BOOK THIS SPACE FOR AD
ARTICLE AD

Mohammad Musab Khan

Assalam Alaikum everyone! Today I’m excited to share my first bug bounty write-up with you. But before we dive into the technical details, let me introduce myself briefly.

I’m Mohammad Musab Khan, and I’ve been working in cybersecurity for 5 years. I specialize in bug hunting, penetration testing, and creating content in this field. One of my favorite hunting grounds is AT&T because of its wide range of opportunities and decent bounty rewards.

Join me as I take you on a journey into the exciting world of bug hunting and share insights from my experiences in cybersecurity!

I invest a lot of time in finding new or undiscovered assets. Although it takes time, this makes finding bugs easier because there’s less competition

While looking for new assets, I found my target domain with a static page. Let’s call it redacted.com

I ran ffuf on redacted.com and discovered an endpoint that includes both the registration and login pages.

ffuf -c -u "https://redacted.com/FUZZ" -r -ac -ic -w raft-large-wordlist.txt

https://redacted.com/account/my-account

At that moment, I wasn’t expecting much, but when I encountered the registration functionality, numerous test cases popped into my mind, and one of them was the Homoglyph attack.

For those of you who are not familiar with Homoglyph, here is a brief description.

Homoglyph characters are special characters or combinations of characters that look visually similar or identical to other characters, symbols, or numbers. These characters can be deceptive because they appear nearly identical to the human eye, but they represent different Unicode code points.

Homoglyphs are often used in phishing attacks, spoofing, and other malicious activities to trick users into thinking they are interacting with legitimate content or entities.

For Example
https://www.irongeek.com/homoglyph-attack-generator.php

+=======================+=======================+================================================+
| "Original Email" | "Homoglyph Email(s)" | "Differences" |
+=======================+=======================+================================================+
| musab+poc@example.com | musab+рoc@example.com | "o" replaced with Cyrillic "р" |
+-----------------------+-----------------------+------------------------------------------------+
| | musab+pоc@example.com | "o" replaced with Cyrillic "о" |
+-----------------------+-----------------------+------------------------------------------------+
| | musab+pοc@example.com | "o" replaced with Greek "ο" |
+-----------------------+-----------------------+------------------------------------------------+
| | musab+рoс@example.com | "o" replaced with Cyrillic "р" |
+-----------------------+-----------------------+------------------------------------------------ |
| | musаb+pоc@example.com | "a" replaced with Cyrillic "а" |
+-----------------------+-----------------------+------------------------------------------------+
| | musаb+pос@example.com | "a" and "o" replaced with Cyrillic "а" and "с" |
+-----------------------+-----------------------+------------------------------------------------+
| musab+poc@example.com | musab+póс@example.com | "o" replaced with Cyrillic "с" |
+-----------------------+-----------------------+------------------------------------------------+

I quickly attempted an account takeover using a Homoglyph attack generator. Here are the steps I tried and the outcome:

I attempted to create an account using the original email address:
Original email address: musab+poc@example.comNext, I tried to register the same email address using a homoglyph character:
Homoglyph email address: musab+póс@example.comUnfortunately, I was not able to create an account with the homoglyph email address because the email address is already in use.I then attempted to reset the password using the homoglyph email address “musab+póс@example.com”, but the application sent the password reset link to the original email address.

At this point, I was confident that the application was performing some kind of conversion, such as homoglyph to ASCII. This is why the password reset link was generated with the homoglyph email address “musab+póс@example.com” but sent to the original email address “musab+poс@example.com”.

It looks like the first method failed successfully! 😞

Well, Step #4 provided me with enough hints to try something else 🤔. This time, I reversed the account registration process 🔍.

I attempted to create an account using the homoglyph email address:
Homoglyph email address: musab+póс@example.comNext, I tried to register with the original email address
Original email address: musab+poс@example.comAs expected, I was not able to create an account with the Original email address because the email address is already in use because of first step.I then attempted to reset the password using the homoglyph email address “musab+póс@example.com”, but this time, I didn’t receive any password reset link on my registered email. This was very surprising, because when i tried first time, i got the password reset link on original email address.I quickly attempted to reset the password with the original email address again, but this time, I didn’t receive the password reset link on any email address.

Congratulations! 🎉👏 We’ve got something here! 😄

This behavior opens up a potential vulnerability that could be exploited by attackers to disrupt the registration and password reset process for legitimate users.
Imagine a situation where an attacker intentionally blocks users from registering or resetting passwords.

The only factor that reduces the severity of this vulnerability is that it requires the attacker to register before the legitimate user registers on the platform.

I reported this vulnerability along with the Captcha Bypass to demonstrate the impact of this vulnerability, which we will discuss another day. Until then, take care and don’t forget to follow me here. 😊

You can also reach out to me via email at musabkhan.queries@gmail.com

Youtube: https://www.youtube.com/musabkhan
Linkedin: https://www.linkedin.com/in/musab1995/
Twitter: https://twitter.com/Musab1995
Facebook: https://www.facebook.com/imusabkhan
Github: https://github.com/imusabkhan/
Instagram: imusabkhan

Read Entire Article