Account Take Over by Response Manipulation
Hi all I hope everyone is doing well. This writeup is all about account take Over vulnerability by manipulating the login response.
I have been testing for bugs in responsible disclosure programs and as usual I found a program and read all of their rule of engagements and finally decided to check.
Let’s consider the target as
target.com which is a online platform to make payments, order foods and etc.
I quickly signed up with necessary informations
Account 1 (email@example.com) as below,
After signed_up the application sent an confirmation link to the given email and I verified the email and it directed to the account settings page. I decided to logout and login again to observe how the application is handling the login request.
I figured out that the application is using an API to authenticate the user so I intercepted the request and observe how the API handles the login process.
I observed that the signup and login responses are similar but some different changes so I decided to manipulate the login response with signup response. I quickly logged out and created another account and captured the signup response of
Account 2 (firstname.lastname@example.org).
It’s a go time…
Again Logged_in with
Account 1(email@example.com) same email ID but different password,
Intercepted the login request as below
do -> intercept this request -> response in burp suite proxy and changed the response
401 Unauthorized of login response
Account 2 (firstname.lastname@example.org) signup response with 200 OK.
and changed the email parameter in the response to
Account 1 (email@example.com) email ID and forwarded all the request.
It quickly directed me into
Account 1(firstname.lastname@example.org) settings page now I successfully logged into
Account 1(email@example.com) without password by manipulating the login response into signup response.
Thanks for reading.
Follow me on Twitter : thevillagehacker