Account Take Over by Response Manipulation

Hi all I hope everyone is doing well. This writeup is all about account take Over vulnerability by manipulating the login response.

Technical information

I have been testing for bugs in responsible disclosure programs and as usual I found a program and read all of their rule of engagements and finally decided to check.

Let’s consider the target as target.com which is a online platform to make payments, order foods and etc.

I quickly signed up with necessary informations Account 1 (abc@gmail.com) as below,

signup page

After signed_up the application sent an confirmation link to the given email and I verified the email and it directed to the account settings page. I decided to logout and login again to observe how the application is handling the login request.

login page

I figured out that the application is using an API to authenticate the user so I intercepted the request and observe how the API handles the login process.

Login request and response of abc@mail.com

I observed that the signup and login responses are similar but some different changes so I decided to manipulate the login response with signup response. I quickly logged out and created another account and captured the signup response of Account 2 (xyz@gmail.com).

It’s a go time…

Again Logged_in with Account 1(abc@gmail.com) same email ID but different password,

login again

Intercepted the login request as below

Login request of Account 1 (abc@gmail.com)

and applied do -> intercept this request -> response in burp suite proxy and changed the response 401 Unauthorized of login response

401 Unauthorized

into Account 2 (xyz@gmail.com) signup response with 200 OK.

200 OK signup response of Account 2 (xyz@gmail.com)

and changed the email parameter in the response to Account 1 (abc@gmail.com) email ID and forwarded all the request.

Account 1 (abc@gmail.com) settings page

It quickly directed me into Account 1(abc@gmail.com) settings page now I successfully logged into Account 1(abc@gmail.com) without password by manipulating the login response into signup response.

Thanks for reading.

Follow me on Twitter : thevillagehacker

Security Researcher | Security Engineer | Security Nerd…