mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-24 03:53:29 +00:00
151 lines
7.9 KiB
Markdown
151 lines
7.9 KiB
Markdown
|
# Account Takeover
|
||
|
|
||
|
{% hint style="success" %}
|
||
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
|
||
|
<details>
|
||
|
|
||
|
<summary>Support HackTricks</summary>
|
||
|
|
||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
|
||
|
</details>
|
||
|
{% endhint %}
|
||
|
|
||
|
## **Authorization Issue**
|
||
|
|
||
|
The email of an account should be attempted to be changed, and the confirmation process **must be examined**. If found to be **weak**, the email should be changed to that of the intended victim and then confirmed.
|
||
|
|
||
|
## **Unicode Normalization Issue**
|
||
|
|
||
|
1. The account of the intended victim `victim@gmail.com`
|
||
|
2. An account should be created using Unicode\
|
||
|
for example: `vićtim@gmail.com`
|
||
|
|
||
|
As explained in [**this talk**](https://www.youtube.com/watch?v=CiIyaZ3x49c), the previous attack could also be done abusing third party identity providers:
|
||
|
|
||
|
* Create an account in the third party identity with similar email to the victim using some unicode character (`vićtim@company.com`).
|
||
|
* The third party provider shouldn't verify the email
|
||
|
* If the identity provider verifies the email, maybe you can attack the domain part like: `victim@ćompany.com` and register that domain and hope that the identity provider generates the ascii version of the domain while the victim platform normalize the domain name.
|
||
|
* Login via this identity provider in the victim platform who should normalize the unicode character and allow you to access the victim account.
|
||
|
|
||
|
For further details, refer to the document on Unicode Normalization:
|
||
|
|
||
|
{% content-ref url="unicode-injection/unicode-normalization.md" %}
|
||
|
[unicode-normalization.md](unicode-injection/unicode-normalization.md)
|
||
|
{% endcontent-ref %}
|
||
|
|
||
|
## **Reusing Reset Token**
|
||
|
|
||
|
Should the target system allow the **reset link to be reused**, efforts should be made to **find more reset links** using tools such as `gau`, `wayback`, or `scan.io`.
|
||
|
|
||
|
## **Pre Account Takeover**
|
||
|
|
||
|
1. The victim's email should be used to sign up on the platform, and a password should be set (an attempt to confirm it should be made, although lacking access to the victim's emails might render this impossible).
|
||
|
2. One should wait until the victim signs up using OAuth and confirms the account.
|
||
|
3. It is hoped that the regular signup will be confirmed, allowing access to the victim's account.
|
||
|
|
||
|
## **CORS Misconfiguration to Account Takeover**
|
||
|
|
||
|
If the page contains **CORS misconfigurations** you might be able to **steal sensitive information** from the user to **takeover his account** or make him change auth information for the same purpose:
|
||
|
|
||
|
{% content-ref url="cors-bypass.md" %}
|
||
|
[cors-bypass.md](cors-bypass.md)
|
||
|
{% endcontent-ref %}
|
||
|
|
||
|
## **Csrf to Account Takeover**
|
||
|
|
||
|
If the page is vulnerable to CSRF you might be able to make the **user modify his password**, email or authentication so you can then access it:
|
||
|
|
||
|
{% content-ref url="csrf-cross-site-request-forgery.md" %}
|
||
|
[csrf-cross-site-request-forgery.md](csrf-cross-site-request-forgery.md)
|
||
|
{% endcontent-ref %}
|
||
|
|
||
|
## **XSS to Account Takeover**
|
||
|
|
||
|
If you find a XSS in application you might be able to steal cookies, local storage, or info from the web page that could allow you takeover the account:
|
||
|
|
||
|
{% content-ref url="xss-cross-site-scripting/" %}
|
||
|
[xss-cross-site-scripting](xss-cross-site-scripting/)
|
||
|
{% endcontent-ref %}
|
||
|
|
||
|
## **Same Origin + Cookies**
|
||
|
|
||
|
If you find a limited XSS or a subdomain take over, you could play with the cookies (fixating them for example) to try to compromise the victim account:
|
||
|
|
||
|
{% content-ref url="hacking-with-cookies/" %}
|
||
|
[hacking-with-cookies](hacking-with-cookies/)
|
||
|
{% endcontent-ref %}
|
||
|
|
||
|
## **Attacking Password Reset Mechanism**
|
||
|
|
||
|
{% content-ref url="reset-password.md" %}
|
||
|
[reset-password.md](reset-password.md)
|
||
|
{% endcontent-ref %}
|
||
|
|
||
|
## **Response Manipulation**
|
||
|
|
||
|
If the authentication response could be **reduced to a simple boolean just try to change false to true** and see if you get any access.
|
||
|
|
||
|
## OAuth to Account takeover
|
||
|
|
||
|
{% content-ref url="oauth-to-account-takeover.md" %}
|
||
|
[oauth-to-account-takeover.md](oauth-to-account-takeover.md)
|
||
|
{% endcontent-ref %}
|
||
|
|
||
|
## Host Header Injection
|
||
|
|
||
|
1. The Host header is modified following a password reset request initiation.
|
||
|
2. The `X-Forwarded-For` proxy header is altered to `attacker.com`.
|
||
|
3. The Host, Referrer, and Origin headers are simultaneously changed to `attacker.com`.
|
||
|
4. After initiating a password reset and then opting to resend the mail, all three of the aforementioned methods are employed.
|
||
|
|
||
|
## Response Manipulation
|
||
|
|
||
|
1. **Code Manipulation**: The status code is altered to `200 OK`.
|
||
|
2. **Code and Body Manipulation**:
|
||
|
* The status code is changed to `200 OK`.
|
||
|
* The response body is modified to `{"success":true}` or an empty object `{}`.
|
||
|
|
||
|
These manipulation techniques are effective in scenarios where JSON is utilized for data transmission and receipt.
|
||
|
|
||
|
## Change email of current session
|
||
|
|
||
|
From [this report](https://dynnyd20.medium.com/one-click-account-take-over-e500929656ea):
|
||
|
|
||
|
* Attacker requests to change his email with a new one
|
||
|
* Attacker receives a link to confirm the change of the email
|
||
|
* Attacker send the victim the link so he clicks it
|
||
|
* The victims email is changed to the one indicated by the attacker
|
||
|
* The attack can recover the password and take over the account
|
||
|
|
||
|
This also happened in [**this report**](https://dynnyd20.medium.com/one-click-account-take-over-e500929656ea).
|
||
|
|
||
|
### Old Cookies
|
||
|
|
||
|
As explained [**in this post**](https://medium.com/@niraj1mahajan/uncovering-the-hidden-vulnerability-how-i-found-an-authentication-bypass-on-shopifys-exchange-cc2729ea31a9), it was possible to login into an account, save the cookies as an authenticated user, logout, and then login again.\
|
||
|
With the new login, although different cookies might be generated the old ones became to work again.
|
||
|
|
||
|
## References
|
||
|
|
||
|
* [https://infosecwriteups.com/firing-8-account-takeover-methods-77e892099050](https://infosecwriteups.com/firing-8-account-takeover-methods-77e892099050)
|
||
|
* [https://dynnyd20.medium.com/one-click-account-take-over-e500929656ea](https://dynnyd20.medium.com/one-click-account-take-over-e500929656ea)
|
||
|
|
||
|
{% hint style="success" %}
|
||
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
|
||
|
<details>
|
||
|
|
||
|
<summary>Support HackTricks</summary>
|
||
|
|
||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
|
||
|
</details>
|
||
|
{% endhint %}
|