Day 60/100 Hack and Improvement


Day 60 comes with two account takeovers from F1ras Fatnassi and Swapnil Maurya. Write-ups are a huge contribution to the community: they let more people learn and refine their approach to their own targets. Thanks!

Take Over Any Account via the Password Reset Functionality.

From Rajesh Ranjan. Here is the link to the article. Big congrats to F1ras Fatnassi.

IDOR to Account Take Over

Account takeovers have become an interesting approach lately, and it is remarkable how many different ways people find to achieve them. In past blogs we talked about “cool forgotten password functions” back on day 21, but this time Swapnil Maurya takes an interesting logic approach when using the “password reset” function. You can find his full write-up here; on CoffeeJunkie’s site we’ll explain it briefly.

Into the IDOR

While testing the “forgot password” function, Swapnil Maurya found simple parameters that can be manipulated in the following way.

  1. The attacker receives the “Reset Password” token.
  2. The attacker intercepts the POST request containing the following parameters in JSON format: {"email":"","password":"new_passwd","confirmPassword":"new_passwd"}
  3. As you can see, there is a manipulable parameter, email, so the attacker edits the parameters in the following way: {"email":"","password":"new_passwd","confirmPassword":"new_passwd"} The attacker has changed the email parameter by simply replacing the attacker’s email with the victim’s email. Therefore, Swapnil Maurya successfully took over the victim’s account.
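The root cause is that the reset endpoint trusts the email sent in the request body instead of the account the token was issued for. The following is an added illustration, not code from the write-up or from the affected site: a vulnerable reset handler beside a hardened one, with an in-memory user table and token store standing in for the application's database (both constructed for this example).

```python
import hmac
import secrets

# Constructed stand-ins for the application's database (assumption, not the real site).
USERS = {"attacker@example.com": "old-a", "victim@example.com": "old-v"}
RESET_TOKENS = {}  # token -> email the token was issued for


def issue_reset_token(email):
    """Step 1: the requesting user receives a token bound to their own email."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = email
    return token


def reset_password_vulnerable(token, body):
    """Accepts any valid token, then picks the account from body['email'] (the IDOR)."""
    if token not in RESET_TOKENS:
        raise PermissionError("invalid token")
    if body["password"] != body["confirmPassword"]:
        raise ValueError("passwords differ")
    USERS[body["email"]] = body["password"]  # attacker-controlled target account
    return body["email"]


def reset_password_fixed(token, body):
    """Derives the account from the token itself; a mismatching body email is rejected."""
    email = RESET_TOKENS.pop(token, None)  # single use: consumed even on failure
    if email is None:
        raise PermissionError("invalid or already used token")
    if not hmac.compare_digest(body.get("email", ""), email):
        raise PermissionError("token not issued for this account")  # worth alerting on
    if body["password"] != body["confirmPassword"]:
        raise ValueError("passwords differ")
    USERS[email] = body["password"]
    return email


def simulate():
    """Replays steps 1-3 against both handlers and reports what each one allowed."""
    USERS.update({"attacker@example.com": "old-a", "victim@example.com": "old-v"})
    body = {"email": "victim@example.com", "password": "new_passwd", "confirmPassword": "new_passwd"}
    changed = reset_password_vulnerable(issue_reset_token("attacker@example.com"), body)
    took_over = changed == "victim@example.com" and USERS["victim@example.com"] == "new_passwd"
    try:
        reset_password_fixed(issue_reset_token("attacker@example.com"), body)
        rejected = False
    except PermissionError:
        rejected = True
    own = {"email": "attacker@example.com", "password": "mine", "confirmPassword": "mine"}
    owner_ok = reset_password_fixed(issue_reset_token("attacker@example.com"), own) == "attacker@example.com"
    return {"vulnerable_took_over": took_over, "fixed_rejected": rejected, "fixed_owner_ok": owner_ok}
```

A burst of reset requests whose body email differs from the token's owner is the signal a defender would log and alert on.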

Takeaway: Swapnil Maurya just gave us an example of thinking outside the box and catching logical flaws such as this IDOR.
