Account Takeover by Response Manipulation

Hi all, I hope everyone is doing well. This write-up is about an account takeover vulnerability found by manipulating the login response.

Technical information

I have been testing for bugs in responsible disclosure programs. As usual, I found a program, read all of its rules of engagement, and finally decided to test it.

Let's consider the target as target.com, an online platform for making payments, ordering food, etc.

I quickly signed up with the necessary information as Account 1 (abc@gmail.com), as below:

[Screenshot: signup page]

After signing up, the application sent a confirmation link to the given email. I verified the email and was redirected to the account settings page. I decided to log out and log in again to observe how the application handles the login request.

[Screenshot: login page]

I figured out that the application uses an API to authenticate the user, so I intercepted the request and observed how the API handles the login process.

[Screenshot: login request and response of abc@mail.com]

I observed that the signup and login responses were similar, with only a few differences, so I decided to replace the login response with a signup response. I quickly logged out, created another account, and captured the signup response of Account 2 (xyz@gmail.com).

It's go time…

I logged in again with Account 1 (abc@gmail.com), using the same email ID but a different (i.e. incorrect) password:

[Screenshot: login again]

I intercepted the login request as below:

[Screenshot: login request of Account 1 (abc@gmail.com)]

Then I applied Do intercept -> Response to this request in the Burp Suite proxy and changed the 401 Unauthorized login response

[Screenshot: 401 Unauthorized]

into the 200 OK signup response of Account 2 (xyz@gmail.com).

[Screenshot: 200 OK signup response of Account 2 (xyz@gmail.com)]

I then changed the email parameter in the response to Account 1's email ID (abc@gmail.com) and forwarded all the requests.

[Screenshot: Account 1 (abc@gmail.com) settings page]

It immediately redirected me to the Account 1 (abc@gmail.com) settings page. I had successfully logged into Account 1 (abc@gmail.com) without its password by swapping the login response for a signup response.

Thanks for reading.

Follow me on Twitter: thevillagehacker

Naveen J
Security Researcher | Security Engineer | Security Nerd…