
Abdul Wahab

Security Engineer, Bug Bounty Hunter, Synack Red Team Member

Friday, 2 August 2019

Account TakeOver Using IDOR (ZeroCopter)



Hello Buddies,

Hope you guys are doing well. I am a fairly new researcher named Abdulwahab Khan. In this article I want to share the PoC of one of my findings in a private program at ZeroCopter.

So, without wasting time, let's move on to the actual PoC. While testing the program I did not find anything on the main website except for two or three low-impact bugs, which I did not report because I knew they would be duplicates. So I looked at the bounty brief again, saw a secondary website in scope and started testing that too. After registering an account I went to the Account Details page to test for XSS and CSRF. Unfortunately they have good WAF protection against XSS, so I tried a CSRF attack instead. The profile-update request body looks like this:


CustomerAccount.CustomerId=4884c354-5c06-4014-8cdb-978aa7d4fd08&CustomerAccount.FirstName=Abdulwahab&CustomerAccount.LastName=Khan&CustomerAccount.Email=hackertabish786%40bugcrowdninja.com&CustomerAccount.Phone=&profileBirthDate=&myAccountSubscribe=on&profileSignUpDailyDeals=on&__RequestVerificationToken=XdRptyf0jaMfI0VqnRHh7b0g-qo7M420BfdrssU8gNf_md6n4_himhPVpUDn3hYjMmqrqq3cWqE5Znlv7oMRwPtrve5tZ80baAZvzg4Y1NCYCvZqyHc_9nJBcSQt3XTK_rbQ1itYopth1T6eM6H7Cg2
Two things here look interesting: CustomerAccount.CustomerId and __RequestVerificationToken (the ASP.NET MVC anti-forgery token).
I removed __RequestVerificationToken and forwarded the request. It changed my profile settings anyway: the server never validates the anti-forgery token.


After that I quickly created a second account with another email address, captured its profile-update request, removed __RequestVerificationToken, changed CustomerAccount.CustomerId to the ID of my old account, and forwarded the request.

The response was:
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/json; charset=utf-8
Request-Context: appId=cid-v1:6179475f-85be-4c05-84ee-87e58617700f
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Date: Fri, 19 July 2019 10:01:31 GMT
Connection: close
Content-Length: 32

"Your profile has been updated."
Then I checked whether the profile of my old account had really been updated, and it had: the second account's session was able to overwrite the first account's profile just by supplying its CustomerId.
After a few moments of happiness I realised that an attacker can only exploit this if they know the victim's CustomerID. I started looking for CustomerIDs in the site's APIs and JSON files, but failed.

Then I logged out of my account and noticed an Unsubscribe button. I clicked it and it only asked for an email address. When I entered an email and clicked "Unsubscribe me from updates", a pop-up appeared asking for a password, and in Burp Suite I could see the CustomerID in the traffic. So an unauthenticated user who knows only the victim's email address can obtain the victim's CustomerID.
Now I had a full account-takeover scenario that only requires the victim's email address, using the following steps:
  1. Get the victim's CustomerID via the Unsubscribe button.
  2. Change the victim's email address to an attacker-controlled one using the IDOR in the profile update.
  3. Request a password reset, which is delivered to the new email address.
  4. BOOOM!
Note that removing the token only proves that the server never validates it, which is a CSRF issue in its own right. The account takeover itself rests on the server trusting CustomerAccount.CustomerId from the request body instead of the authenticated session (the IDOR).
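To make the two root causes concrete, here is an added example (not code from the original program or from the author) that models the profile-update endpoint in plain Python. The account IDs, sessions, secret and field handling are all constructed for the example; only the form field names come from the captured request above. The vulnerable handler behaves as described in the write-up: it trusts CustomerAccount.CustomerId from the body and ignores __RequestVerificationToken. The hardened handler binds the update to the session's own customer and validates an HMAC-based anti-forgery token.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed sample data (not from the original program): two accounts,
# each with one logged-in session. The CustomerIds are made up.
VICTIM_ID = "11111111-1111-4111-8111-111111111111"
ATTACKER_ID = "22222222-2222-4222-8222-222222222222"

# Assumed per-deployment secret used to derive anti-forgery tokens.
CSRF_SECRET = secrets.token_bytes(32)


def fresh_state():
    """Return a fresh (accounts, sessions) pair so each scenario starts clean."""
    accounts = {
        VICTIM_ID: {"email": "victim@example.com", "first": "Victim"},
        ATTACKER_ID: {"email": "attacker@example.com", "first": "Mallory"},
    }
    sessions = {"sess-victim": VICTIM_ID, "sess-attacker": ATTACKER_ID}
    return accounts, sessions


def csrf_token(session_id):
    """Anti-forgery token bound to one session: HMAC(secret, session id)."""
    return hmac.new(CSRF_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def parse_form(body):
    """Decode an application/x-www-form-urlencoded body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def update_profile_vulnerable(accounts, sessions, session_id, body):
    """Models the behaviour in the write-up: the caller must be logged in,
    but the CustomerId in the body decides which account is modified and
    __RequestVerificationToken is never looked at."""
    if session_id not in sessions:
        return 401, "Not logged in"
    form = parse_form(body)
    target = form.get("CustomerAccount.CustomerId")
    if target not in accounts:
        return 404, "Unknown customer"
    accounts[target]["email"] = form["CustomerAccount.Email"]  # IDOR
    return 200, "Your profile has been updated."


def update_profile_hardened(accounts, sessions, session_id, body):
    """Fix: validate the anti-forgery token for this session and only ever
    update the account that the session belongs to."""
    if session_id not in sessions:
        return 401, "Not logged in"
    form = parse_form(body)
    token = form.get("__RequestVerificationToken", "")
    if not hmac.compare_digest(token, csrf_token(session_id)):
        return 400, "Invalid anti-forgery token"
    me = sessions[session_id]
    # Reject rather than silently ignore a mismatched id: it is a tamper signal.
    if form.get("CustomerAccount.CustomerId") != me:
        return 403, "CustomerId does not match the authenticated account"
    accounts[me]["email"] = form["CustomerAccount.Email"]
    return 200, "Your profile has been updated."


def attacker_request(target_id, new_email, token=""):
    """Build the body the attacker forwards: their own session cookie is sent
    by the browser, but the body names the victim's CustomerId."""
    return urlencode({
        "CustomerAccount.CustomerId": target_id,
        "CustomerAccount.FirstName": "Mallory",
        "CustomerAccount.Email": new_email,
        "__RequestVerificationToken": token,
    })


if __name__ == "__main__":
    accounts, sessions = fresh_state()
    body = attacker_request(VICTIM_ID, "attacker@example.com")
    print(update_profile_vulnerable(accounts, sessions, "sess-attacker", body),
          accounts[VICTIM_ID]["email"])
    accounts, sessions = fresh_state()
    print(update_profile_hardened(accounts, sessions, "sess-attacker", body),
          accounts[VICTIM_ID]["email"])
```

Against the vulnerable handler the attacker's own session is enough to rewrite the victim's email, which is exactly the step that lets the password-reset mail be redirected. Against the hardened handler the request fails first on the missing token and, with a valid token for the attacker's session, still fails because the CustomerId is not the session's own.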
ZeroCopter timeline:
  • Reported: 19 July 2019
  • Accepted by the ZeroCopter team: 19 July 2019
  • Fix in progress: 22 July 2019
  • Asked for retest: 26 July 2019
  • Marked as resolved: 26 July 2019
  • Received bounty in my BTC wallet: 27 July 2019

Regards,
Abdulwahab Khan
Independent Cyber Security Researcher.

