• Account Takeover Using IDOR (ZeroCopter)

    Hello buddies,
                            Hope you guys are doing well. I am a fairly new researcher named Abdulwahab Khan. In this article I want to share the PoC of one of my findings in a private program at ZeroCopter.
    So, without wasting time, let's move on to the actual PoC. While testing the program I didn't find anything on the main website except two or three low-impact bugs, which I didn't report because I knew they would be duplicates. So I went back to the bounty brief, saw a secondary website listed, and started testing it too. After completing account registration I went to the account details page to test for XSS- and CSRF-type attacks. Unfortunately they are using good WAF protection against XSS, so I tried a CSRF attack instead. The request looked like this:

    Two things in the request seemed interesting: CustomerAccount.CustomerId and _RequestVerificationToken.
    I tried removing _RequestVerificationToken and forwarded the request. It changed my profile settings without validating the verification token at all.


    After that I quickly created a new account with another email address, captured its change-profile request, removed _RequestVerificationToken, changed the CustomerId to my old account's ID and forwarded the request.

    The response was:
    HTTP/1.1 200 OK
    Cache-Control: private
    Content-Type: application/json; charset=utf-8
    Request-Context: appId=cid-v1:6179475f-85be-4c05-84ee-87e58617700f
    X-Frame-Options: DENY
    X-XSS-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    Date: Fri, 19 july 2019 10:01:31 GMT
    Connection: close
    Content-Length: 32

    "Your profile has been updated."
    Then it was time to check whether the profile on my old account had really been updated, and it had.
    After a few moments of happiness I realised that an attacker could only exploit this if they knew the victim's CustomerID. I started hunting for the CustomerID in the APIs and JSON files, but failed.

    Then I logged out of my account and noticed an Unsubscribe button. I clicked it and it only asked for an email address, so I thought, OK, let's check it. When I entered an email and clicked "Unsubscribe me from updates", a popup appeared asking for a password. I looked at the request in Burp Suite, and there was the CustomerID.
    Now I had a full account takeover scenario that only requires knowing the victim's email, using the following steps:
    1. Get the victim's CustomerID via the Unsubscribe button.
    2. Change the victim's email address using the IDOR.
    3. Request a password reset, which is sent to the new email.
    4. BOOOM!
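    To make the chain concrete, here is an added example (my own code, not the original post's and not the affected program's) that models the two weaknesses in a tiny in-memory app: a profile-update handler that trusts the posted CustomerAccount.CustomerId and never checks the anti-forgery token, and an unsubscribe flow that hands back the CustomerId for any email address. It runs the four steps above against that handler, then against a hardened handler that takes the identity from the session and requires the token. All endpoint names, the password-reset flow, the sample accounts and the field names other than CustomerAccount.CustomerId are assumptions made for the example.

```python
"""Added example: toy model of the IDOR + missing anti-forgery check.
Not code from the original post or from the affected site; every handler,
account and field name other than CustomerAccount.CustomerId is constructed."""
import secrets
from dataclasses import dataclass


@dataclass
class Customer:
    customer_id: int
    email: str
    password: str


class App:
    """Just enough state for the profile-update, unsubscribe and reset flows."""

    def __init__(self):
        self.customers = {}      # customer_id -> Customer
        self.sessions = {}       # session cookie -> customer_id
        self.csrf = {}           # session cookie -> anti-forgery token
        self.reset_tokens = {}   # reset token -> customer_id
        self.outbox = []         # (email, reset token) the app "mails"

    def _by_email(self, email):
        return next((c for c in self.customers.values() if c.email == email), None)

    def register(self, email, password):
        cid = 1000 + len(self.customers)
        self.customers[cid] = Customer(cid, email, password)
        return cid

    def login(self, email, password):
        c = self._by_email(email)
        if c is None or c.password != password:
            raise PermissionError("bad credentials")
        sid = secrets.token_hex(8)
        self.sessions[sid] = c.customer_id
        self.csrf[sid] = secrets.token_hex(8)
        return sid

    def unsubscribe(self, email):
        # The leak from the post: the "enter your password" popup is driven by a
        # response that already carries the CustomerId for the supplied email.
        c = self._by_email(email)
        return {"CustomerId": c.customer_id if c else None, "requirePassword": True}

    def request_password_reset(self, email):
        c = self._by_email(email)
        if c:
            tok = secrets.token_hex(8)
            self.reset_tokens[tok] = c.customer_id
            self.outbox.append((email, tok))

    def reset_password(self, tok, new_password):
        self.customers[self.reset_tokens.pop(tok)].password = new_password

    def update_profile_vulnerable(self, sid, form):
        """The behaviour the write-up describes."""
        if sid not in self.sessions:
            raise PermissionError("not logged in")
        # Bug 1: the anti-forgery token is never checked, so dropping it still works.
        # Bug 2: the record to modify is chosen by the client-supplied id (IDOR).
        target = self.customers[int(form["CustomerAccount.CustomerId"])]
        target.email = form["CustomerAccount.Email"]
        return "Your profile has been updated."

    def update_profile_fixed(self, sid, form):
        """Hardened: identity from the session, token required (constant-time compare).
        ASP.NET MVC's real field is __RequestVerificationToken, two underscores."""
        cid = self.sessions.get(sid)
        if cid is None:
            raise PermissionError("not logged in")
        if not secrets.compare_digest(form.get("__RequestVerificationToken", ""), self.csrf[sid]):
            raise PermissionError("missing or invalid anti-forgery token")
        self.customers[cid].email = form["CustomerAccount.Email"]  # posted id ignored
        return "Your profile has been updated."


def takeover(app, victim_email, attacker_email, attacker_pw, inbox_email, handler):
    """Run the four steps from the post; return the customer_id the attacker ends
    up logged in as, or None if the chain is blocked."""
    victim_id = app.unsubscribe(victim_email)["CustomerId"]            # step 1
    sid = app.login(attacker_email, attacker_pw)
    try:                                                               # step 2: no token sent
        handler(sid, {"CustomerAccount.CustomerId": victim_id,
                      "CustomerAccount.Email": inbox_email})
    except PermissionError:
        return None
    app.request_password_reset(inbox_email)                            # step 3
    tokens = [t for (e, t) in app.outbox if e == inbox_email]
    if not tokens:
        return None
    app.reset_password(tokens[-1], "pwned")
    return app.sessions[app.login(inbox_email, "pwned")]               # step 4


def demo():
    """Returns (takeover succeeded against vulnerable, takeover blocked by fixed)."""
    results = []
    for handler_name in ("update_profile_vulnerable", "update_profile_fixed"):
        app = App()
        victim_id = app.register("victim@example.com", "hunter2")
        app.register("attacker@example.net", "attacker-pw")
        owned = takeover(app, "victim@example.com", "attacker@example.net",
                         "attacker-pw", "inbox@attacker.example", getattr(app, handler_name))
        results.append(owned == victim_id if "vulnerable" in handler_name else owned is None)
    return tuple(results)


if __name__ == "__main__":
    print(demo())
```

    Against the vulnerable handler the attacker finishes logged in as the victim; against the fixed one the chain stops at step 2, and even an attacker who supplies their own valid token can only change their own record, because the handler never reads the posted CustomerId.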
    ZeroCopter timeline:
    • Reported: 19 July 2019
    • Accepted by ZeroCopter team: 19 July 2019
    • Work in progress: 22 July 2019
    • Asked for retest: 26 July 2019
    • Marked as resolved: 26 July 2019
    • Received bounty in my BTC wallet: 27 July 2019

    Abdulwahab Khan
    Independent Cyber Security Researcher.
