Account Takeover [Via Broken Access Control]

Mohammad Mohsin
4 min read · Apr 17, 2022


Account Takeover Fraud

Hi Friends!

I have come across the Account Takeover bug many times by exploiting different loopholes. Before this blog I shared “How I was able to perform Account Takeover of a Super Admin account by taking advantage of the Forgot Password functionality?”.

If you haven’t read it yet, please visit the URL below:

In this blog I explain how I was able to perform account takeover via Broken Access Control. For security purposes, let’s not disclose the name of the actual vendor; as usual, it is masked as redacted.com.

Below is the complete PoC along with screenshots captured throughout the exploitation.

1. Log in to the application using the given account qa_admin@redacted.com and visit the Email and Mobile registration page.

Dashboard After Login

2. Capture the request in a proxy tool and you will see the following URL:

https://redacted.com/sendMobileVerification?userId=527578&orgId=520

Captured Request in Proxy Tool

3. Log out the current user, copy the URL and paste it into a new incognito window where no user is logged in. You will get the following page, which is served without asking the unauthenticated user to authenticate.

Email and Mobile registration page for authorized user
Email and Mobile registration page for unauthorized user

4. The attacker changes the mobile number to their own mobile number and clicks the Verify button to receive an OTP.

Attacker’s Mobile Number

5. The attacker enters the received OTP and clicks the Submit button.

OTP entered by attacker

6. Notice the message stating “Mobile number verified successfully”.

Mobile Verified Successfully

7. Now visit the Forgot Password page by clicking the “Trouble in logging” link button.

Reset Password Link Button

8. Fill in the details and click the “Send OTP to reset password” button. The attacker enters the same Email-ID obtained from the unauthenticated page, selects OTP and clicks the Submit button.

RESET PASSWORD via OTP

9. Notice that the attacker has been redirected to the Reset Password page successfully.

Reset password page in new incognito window

10. The attacker can enumerate UserId and OrgId values using the proxy tool to get access to other users’ UserId and OrgId.

Enumerating UserId and OrgId
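The two behaviours in steps 3 and 10 leave a clear trace in web-server logs: a sensitive endpoint answering 200 to a client that carries no session, and one client walking through many distinct userId values. The script below is an added example (not part of the original post or the vendor’s application) that runs such a check over a few constructed log lines. The log format, the IP addresses, the session-cookie field and the list of sensitive paths are all assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample access-log lines (not from the original post). Format assumed:
#   <client ip> <session cookie or "-"> "<method> <target> <protocol>" <status>
# 10.0.0.5 is a logged-in admin; 10.0.0.9 hits the endpoint with no session and
# walks several userId values, which is the pattern in steps 3 and 10 of the PoC.
SAMPLE_LOG = """\
10.0.0.5 sess=abc123 "GET /sendMobileVerification?userId=527578&orgId=520 HTTP/1.1" 200
10.0.0.9 - "GET /sendMobileVerification?userId=527578&orgId=520 HTTP/1.1" 200
10.0.0.9 - "GET /sendMobileVerification?userId=527579&orgId=520 HTTP/1.1" 200
10.0.0.9 - "GET /sendMobileVerification?userId=527580&orgId=520 HTTP/1.1" 200
10.0.0.9 - "GET /sendMobileVerification?userId=527581&orgId=520 HTTP/1.1" 200
10.0.0.5 sess=abc123 "GET /dashboard HTTP/1.1" 200
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<sess>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})$'
)

# Endpoints that must never answer 200 to an unauthenticated client (assumed list).
SENSITIVE_PATHS = {"/sendMobileVerification"}


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    url = urlparse(m["target"])
    query = {k: v[0] for k, v in parse_qs(url.query).items()}
    return {
        "ip": m["ip"],
        "authenticated": m["sess"] != "-",
        "path": url.path,
        "query": query,
        "status": int(m["status"]),
    }


def analyze(log_text, enumeration_threshold=3):
    """Flag two things on sensitive endpoints:
    - successful (200) responses to requests carrying no session cookie, which is
      the access-control failure itself;
    - clients that request `enumeration_threshold` or more distinct userId values,
      the enumeration pattern from step 10.
    """
    unauthenticated_success = []
    user_ids_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] not in SENSITIVE_PATHS:
            continue
        user_id = rec["query"].get("userId")
        if not rec["authenticated"] and rec["status"] == 200:
            unauthenticated_success.append((rec["ip"], rec["path"], user_id))
        if user_id is not None:
            user_ids_by_ip[rec["ip"]].add(user_id)
    enumeration_suspects = sorted(
        ip for ip, ids in user_ids_by_ip.items() if len(ids) >= enumeration_threshold
    )
    return {
        "unauthenticated_success": unauthenticated_success,
        "enumeration_suspects": enumeration_suspects,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

On the constructed sample, the four unauthenticated 200s all come from 10.0.0.9, and that client is also the only one exceeding the enumeration threshold. In a real deployment the threshold and the session field would be tuned to the server’s own log format.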

Impact:

Access control, sometimes called authorization, is how a web application grants access to content and functions to some users and not others. These checks are performed after authentication and govern what ‘authorized’ users can do. Access control sounds like a simple problem but is insidiously difficult to implement correctly. A web application’s access control model is closely tied to the content and functions that the site provides. In addition, the users may fall into several groups or roles with different abilities or privileges.

Here we are dealing with admin users: a sensitive function responsible for registering users’ email and mobile number is accessible without authentication, which can lead to account takeover by reproducing a few simple steps.

This weakness can lead to the exposure of resources or functionality to an unauthorized user, possibly providing attackers with sensitive information or even the ability to execute sensitive functionality. Also, it is difficult to keep track of the activities performed in the application when a user can perform them without proper authentication.

In this case, an attacker can easily take over other users’ accounts and perform unauthorized actions against authenticated users. This has a huge impact on application admin users, as well as causing reputational damage to the organization.

Remediation:

The application should implement a proper access control framework that ensures critical data and functionality is identified and a proper access control matrix is defined based on least privilege and segregation of duties.

Access to data and functionality should be provided only in line with the above access control matrix. Session management should ensure that the user’s session is checked to determine the access level granted to the user and only then the data/functionality is made accessible to the user.

Require authentication whenever any user, including one with malicious intent, tries to access the Email and Mobile verification page. Keep all sensitive or private pages in a location that first requires users to authenticate with the application before accessing them.
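To make the remediation concrete, here is an added example (not the vendor’s code, and not from the original post) that models the sendMobileVerification handler twice: once in the flawed form from the PoC, where identity comes only from the userId and orgId query parameters, and once hardened so that the caller must have a session, the target account is checked against that session, and the organisation is derived server-side rather than trusted from the client. The user store, the Session and Decision types and the role name org_admin are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed user store (assumed, not the vendor's data): userId -> orgId.
USERS = {527578: 520, 527579: 520, 600001: 777}

# Audit trail so that every OTP request is attributable to a logged-in account.
AUDIT: list = []


@dataclass
class Session:
    """What the server knows about the caller from a valid login session."""
    user_id: int
    org_id: int
    role: str  # "user" or "org_admin" (assumed role names)


@dataclass
class Decision:
    status: int
    detail: str


def vulnerable_send_mobile_verification(session: Optional[Session], params: dict) -> Decision:
    """The flawed pattern from the PoC: identity comes entirely from the query
    string and the session is never consulted, so an unauthenticated caller can
    trigger the flow for any userId/orgId pair."""
    user_id = int(params["userId"])
    org_id = int(params["orgId"])
    if USERS.get(user_id) != org_id:
        return Decision(404, "unknown user")
    return Decision(200, f"OTP sent for user {user_id}")


def hardened_send_mobile_verification(session: Optional[Session], params: dict) -> Decision:
    """Authenticate first, then authorize against the session, and derive the
    organisation server-side instead of trusting orgId from the client."""
    if session is None:
        return Decision(401, "authentication required")
    raw = params.get("userId")
    try:
        # With no userId the caller acts on their own account.
        target_user = int(raw) if raw is not None else session.user_id
    except ValueError:
        return Decision(400, "malformed userId")
    if target_user != session.user_id:
        # Acting on another account is allowed only for an org admin, and only
        # inside that admin's own organisation. A user outside the org and a
        # user that does not exist get the same answer, so the endpoint cannot
        # be used to enumerate valid userIds.
        if session.role != "org_admin" or USERS.get(target_user) != session.org_id:
            return Decision(403, "forbidden")
    # The orgId query parameter is deliberately ignored: the org is USERS[target_user].
    AUDIT.append({"actor": session.user_id, "target": target_user})
    return Decision(200, f"OTP sent for user {target_user}")


if __name__ == "__main__":
    params = {"userId": "527578", "orgId": "520"}
    print("vulnerable, no session:", vulnerable_send_mobile_verification(None, params))
    print("hardened, no session:  ", hardened_send_mobile_verification(None, params))
    owner = Session(user_id=527578, org_id=520, role="user")
    print("hardened, owner:       ", hardened_send_mobile_verification(owner, params))
```

The ordering matters: the 401 check comes before any parameter is parsed, and the ownership check runs before the user store is consulted, so a non-admin never learns whether a guessed userId exists. The audit list stands in for the application log entry that the Impact section notes is missing when the function can be called anonymously.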

References:

OWASP Top 10: Broken Access Control

This is my tenth (10th) blog overall and my second (2nd) blog on Account Takeover using different techniques.

Please do like and follow for more reads on Application Security Testing blogs.

Thanks!


Written by Mohammad Mohsin

Director - OLF Infotech Pvt. Ltd. Ethical Hacker, Vulnerability Assessment and Penetration Tester, Bug Hunter, Security Researcher, Optimistic, Philanthropist.
