No Rate Limit leads to Account Takeover..

Hello All,

Welcome back, How’s the hunting going on? I hope it is great.This writeup is best for beginners. So read till the end you will get an idea of account takeover attack.

The account takeover attack is not performed in a particular way, this can be performed in different ways by looking at the website functionality and how the website is working. Keep watching every particular request while testing a website or an API.

As I was testing on a website which was basically a grocery shopping web application. I created an account in that and went for the login option. While performing the login step, the website asks for email. When to entered the email address and submit the request it sends the mail which has the login link into the web application. The steps are performed every time while performing the login steps.

So I have created two accounts, one as the attacker and one as victim. My aim was to take over the victims account so I went through the login process as the attacker. I enter the email “attacker@gmail.com”which was required for login.

After submitting the requests in the attacker mailbox one mail has been received which has a link to get access to the account portal. The link was like this

http://randomdomain.com/login?code=4781792951&email=attacker@gmail.com&ect=522108-l1LGRMaVPr77-MmIxMG-137

As the website has 2 functionality which is, we can login through the link which was sent to us in mail or else we can login via entering code, the code will be the same as which was provided in the link in mail.

So to perform this attack we are not able to get a link and get access to the victims account so we will try this attack by entering the code.

The attack begins from here:

We will send a request as the attacker’s email to get a link. After we get the link we will send another request for the victims account “victim@gmail.com”. The link which is received to the victim will be for a new session.

As I said, there were 2 functions, one with a link and another with entering the code. we will go for entering code, I saw in the attacker mail that in the link the code parameter has 9 digits. It took too much time to get the correct code. So for testing purposes and to maintain the traffic of requests we will try with the code which was received for victim mail.

I enter the victims email address in email section. I copied the victim’s code and pasted it in the input section. I change the last 2 digits to 0. AS in case of an attacker the attacker can brute force for all digits and can gain access to any user’s account.

code=4781792900

While submitting the requests I intercept the request and send it to the intruder section. The request was like this as shown below.

I select the code’s last 2 digits number as we are going to attack. In the payload section I select the number as we are going through the numbers. I set the range from 00 to 99 and proceed for further.

When the intruder completes its work I saw that every request the response was “200”. So I check the length of all the requests. If the code was wrong then all request length will be the same and there will be only one code which will correct, then the response length for correct code will be different as compared to wrong.

For correct code we get response length as 140. I copied that code and pasted in the link of the attack and we will change the code and email parameter which is shown below.

http://randomdomain.com/login?code=<paste_code>&email=victims_address@gmail.com&ect=522108-l1LGRMaVPr77-MmIxMG-137

I copied the above link and pasted it in a new tab and boom I got access to the victims account. Now I can do any malicious kind of activity with the victims account.

Hope so you have understood this writeup. Keep hunting and increase your skills.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store