Hi everyone, Do you know that an average account takeover’s bounty is $1000. And this amount can go up to $100000! Crazy right? Still, many beginners struggles to find these account takeover vulnerabilities on live websites. If you are one of those who are having a difficult time while hunting for these vulnerabilities then this article will help you to overcome these problems. So let’s start from the basics
What is an Account Takeover?
In general terms,“Account takeover is a vulnerability by which an attacker can basically hacks into every single client’s account with little to no interaction at all.”. Now you might have understood why companies pays thousands of dollars to someone who find these vulnerability. There are a lot of ways to achieve account takeovers. Some of the common cause of account takeover are Logical Bugs that are generally caused by the developers. Apart from that, we can also achieve account takeover by exploiting:
1- Cross Site Scripting.
2- SQL Injection.
3- Remote Code Execution.
4- I D O R (Indirect Object References)
In this article, we are going to cover some of the most common logical bugs to find account takeover vulnerabilities.
Different Ways to Hunt for Account Takeovers
Some of the Most common ways to find account takeover vulnerabilities are:
1- Response Manipulation Technique.
2- Abusing the Password Reset Functionality.
Now, let us understand how we can use these ways through practical examples.
The Response Manipulation Technique
This technique is mostly seen working on the O T P bypass functionality. Let’s assume that there is a website that is handling their authentication in the following manner:
1- User enters his/her credentials(Like username and password).
2- User clicks on “Login”
3- Now if the credentials are valid, then the server send “True” as a response else it will send “False”.
4- Assuming that the credentials are valid, then the server will send “True” to the Front-End.
5- The Front-End validates the response then redirects the user to their Dashboard.
Have you able to identify the bug? Think what will happen if someone modify the server’s response from “False” to “True” in step number 3? Will they get logged in to their account? Well, if the server is vulnerable then you will definitely be able to login in with wrong passwords.
To practice this vulnerability, check out our Lab over here.
To watch the walk through of the Lab, click here.
Abusing the Password Reset Functionality
One of the most common way to achieve account takeover is to abuse the password reset functionality. This can be done in many ways. Let us take the following example.
1- User A forgets his password on vulnerableweb.com
2- He then click on forgot password and provide their email address in input field.
3- After that, he receives an email on his email like this:
“Hey USER A, Click on this link to reset your password: https://vulnerableweb.com/resetpassword.php?user=userA”
4- User A clicks on the link and then typed his new credentials.
5- User A successfully reset his password.
Have you spot the Bug? Think for a minute what will happen if the user A changes his like from https://vulnerableweb.com/resetpassword.php?user=userA to https://vulnerableweb.com/resetpassword.php?user=userB? Will he able to change the password of userB? Well, he can if the website is vulnerable.
Now in many case, you will see a password reset link like this:
Most of the people will now think that this is a random value but it is still userA. The value “495f661bac0f61f6c7a4f0d6d4a0fb6b” is the md5 hashed version of “UserA”.
Therefore, it totally depends on how deep you dive into the application to find vulnerabilities. The basics always remains constant.
Check out these labs for free to increase your account takeover skills:
So, i hope you all understand some of the most logical bugs that can get you an account takeover vulnerability. Check out our cybersecurity section to learn more about Bug Bounty and Ethical Hacking.
Join our telegram community over here to learn latest trends in cybersecurity, web development etc.