Exploiting Business Logic to Account Takeover

Pankaj Verma
Armour Infosec
Published May 31, 2020 · 3 min read

Hello guys! Hope everyone is safe in this pandemic period. It’s been a long time since I posted any article, so now I’m back with my first blog on bug bounty. This blog covers the write-up of a vulnerability I found some time ago. Definitions of the vulnerabilities involved, according to OWASP:

Business Logic Vulnerability:

Business logic vulnerabilities are ways of using the legitimate processing flow of an application in a way that results in a negative consequence to the organization.

Cross-site Request Forgery (CSRF):

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated.

I always like to hunt for business logic flaws along with technical vulnerabilities, because they can be chained for a higher impact on the target. This time I went with a responsible disclosure program. I started with some initial recon and, as usual, began looking for business logic bugs.

After spidering the target, I created an account and logged in to dig deeper by intercepting its various requests. While intercepting the endpoints, I found that the target was vulnerable to Cross-Site Request Forgery, but I had to dig more to increase the impact. When I opened the User Profile Dashboard to change the user’s credentials, it asked for the old password.

Application Asking for Old Password

On every sensitive user action, it asked for the password. I was like.. “What can I do now?”. After taking a break, I went back to the spider results and came across an interesting endpoint which I had intercepted earlier. I created one more account and opened the User Profile Dashboard. The application threw a popup asking me to set a new password, but this time without asking for the old one.

Application Asking to Set New Password

I logged in again with the account I had created earlier to check whether the same popup was thrown. Surprisingly, it was not.

So the logic behind this was: “When a user goes to the Profile Dashboard for the first time, the application asks the user to set a new password. Once a password is set, the application asks for the old password to change the existing one.”

So now we had the other key to the door, i.e. using this Set New Password feature to change the password of existing users through CSRF. The one-time nature of the popup was only enforced in the UI; the endpoint itself never verified that the account had no password yet. I intercepted the Set New Password request in Burp Suite. As found earlier, there was no CSRF protection on the target, so I quickly generated the CSRF PoC.

Then I went back to the existing user and fired the CSRF link. And here we go..!!!

Password Successfully Changed

THE PASSWORD CHANGED SUCCESSFULLY.

I logged out and cross-checked whether the user could log in with the new credentials, and YESS!!!.. we successfully logged in with the new password. Therefore, by chaining these two vulnerabilities, anyone’s account can be taken over.
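As an added example (not code from the original write-up or from the target application), here is a minimal Python model of the Set New Password handler: first the vulnerable flow described above, then a hardened version that enforces the "no password yet" state server-side, demands a CSRF token, and asks existing users for the old password. The User class, field names and form keys are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Password storage for the demo: salted PBKDF2, so the handler never compares plaintext.
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

@dataclass
class User:  # assumed model; real apps keep this in a DB and the token in the session
    username: str
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    password_hash: Optional[bytes] = None  # None = password never set (first dashboard visit)
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))  # per-session token

    def check_password(self, candidate: str) -> bool:
        return self.password_hash is not None and hmac.compare_digest(
            hash_password(candidate, self.salt), self.password_hash)

def set_new_password_vulnerable(user: User, form: dict) -> str:
    # The flawed flow from the write-up: the endpoint trusts that it is only reached on the
    # first visit, so it checks neither for an existing password nor for a CSRF token.
    # A cross-site form post carrying just "new_password" therefore resets any account.
    user.password_hash = hash_password(form["new_password"], user.salt)
    return "changed"

def set_new_password_hardened(user: User, form: dict) -> str:
    # 1. Reject any request without the session's CSRF token; a forged cross-site
    #    form cannot read it, so the CSRF PoC from the write-up stops here.
    if not hmac.compare_digest(form.get("csrf_token", ""), user.csrf_token):
        return "rejected: missing or invalid CSRF token"
    # 2. The "set new password" path is only valid while the account has no password;
    #    enforce that state on the server instead of relying on the dashboard popup.
    if user.password_hash is None:
        user.password_hash = hash_password(form["new_password"], user.salt)
        return "changed"
    # 3. Existing users must prove the old password, exactly like the change-password form.
    if not user.check_password(form.get("old_password", "")):
        return "rejected: old password required"
    user.password_hash = hash_password(form["new_password"], user.salt)
    return "changed"

if __name__ == "__main__":
    victim = User("victim")
    set_new_password_hardened(victim, {"csrf_token": victim.csrf_token, "new_password": "first"})
    forged = {"new_password": "attacker-chosen"}  # all a cross-site form can send
    print(set_new_password_hardened(victim, forged))  # rejected: missing or invalid CSRF token
```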
