A Small Tale of Account Takeover …
To implement a proper user management system with security in mind, applications integrate a Change Password service that lets a user replace their existing password. Even though this functionality looks straightforward and easy to implement, it is a common source of vulnerabilities.
During my recent pentest engagement, I was able to take over any user's and any vendor's account. The application had two user roles: Normal user and Vendor (high privileged). I will refer to the application as https://uat-example.com. After signing in and choosing the Change Password functionality, we land on the page depicted below:
Now, as demonstrated, enter some random characters into the "Old Password" field, enter the new password into the remaining fields, and capture the request in Burp Suite.
As you can see, I entered random characters into the "Old Password" field. By intercepting the response in Burp Suite, I changed it from "Incorrect Old Password" to "Success".
After forwarding the modified response, the application accepted it and changed the password successfully.
Now you might ask: this vulnerability clearly requires an authenticated user, so how was I able to take over anyone's account? Well, if you already noticed the cookie parameter in the request captured in Burp Suite, then you, my friend, have got it!
For newbies: there is a cookie parameter consisting of a cookie value and a user number (Base64 encoded), which can be iterated or simply enumerated to take over anyone's account. That's it!
Note: here the cookie value did not expire after use; the application simply generated random values and the server kept accepting the same value numerous times.
Preventive Measures:
There is no definitive “best way” to do this, and what is appropriate will vary hugely based on the security of the application, and also the level of control over the users. Where possible, implement multi-factor authentication to prevent automated, credential stuffing, brute force, and stolen credential re-use attacks.
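As an added example (not code from the original post or from the tested application), the following change-password handler closes both weaknesses described above: the old password is verified on the server, so a rewritten "Success" response changes nothing; the acting user is taken from an opaque, randomly generated server-side session rather than from a client-supplied Base64 user number; and every session of the user is revoked once the password changes. The function names and in-memory stores are assumptions standing in for a real database.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stores standing in for the application's database:
# USERS maps a user id to its salted PBKDF2 hash, SESSIONS maps an opaque
# random token to the user id it was issued for.
USERS = {}
SESSIONS = {}


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_user(user_id, password):
    salt = os.urandom(16)
    USERS[user_id] = {"salt": salt, "hash": _hash(password, salt)}


def login(user_id, password):
    """Return a fresh random session token, or None on bad credentials.
    The token carries no user number; the mapping lives only on the server."""
    user = USERS.get(user_id)
    if user is None or not hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def change_password(session_token, old_password, new_password):
    """Server-side change-password handler.
    Who is changing the password comes from the session store, never from a
    client-supplied id, and the old password is checked here: whatever the
    browser displays or a proxy rewrites, a wrong old password is rejected."""
    user_id = SESSIONS.get(session_token)
    if user_id is None:
        return "unauthenticated"
    user = USERS[user_id]
    if not hmac.compare_digest(_hash(old_password, user["salt"]), user["hash"]):
        return "incorrect_old_password"
    salt = os.urandom(16)
    user["salt"], user["hash"] = salt, _hash(new_password, salt)
    # Revoke every session of this user so an already-issued token cannot be
    # replayed after the change (the tested app kept accepting old cookie values).
    for token in [t for t, u in SESSIONS.items() if u == user_id]:
        del SESSIONS[token]
    return "success"
```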
Thanks for reading! Hope you gained some knowledge from this one. Take care and until the next one, Ciao!