Account Takeover Using ID Values
In this article, we are going to learn about the account takeover using ID values. First we will discuss something about the account takeover theory, then we deep dive into practical.
Disclaimer: The
articles provided on HackWithV is purely for
informational and educational purpose only, and for
those who are willing and curious to know & learn
about Ethical Hacking, Security and Penetration Testing.
Anytime the word "Hacking" that is used on this site
shall be regarded as Ethical Hacking.
What is Account Takeover?
- Account Takeover (ATO) is a form of identity theft where a fraudster illegally uses bots or manually to get access to a victim’s bank, e-commerce site, or other types of accounts.
- A successful account takeover attack leads to fraudulent transactions and unauthorized shopping from the victim’s compromised account.
Account Takeover Methods:
- Credential Cracking
- Using UserID's stuffing
- Using OTP Bypass
- Using 2FA Logic Flaw
In this articles, we will discuss about the Account Takeover using UserID's.
Practical:
- Target Web Application: OWASP JUICE SHOP
- Target User : raju@gmail.com
- Attacker : attacker@gmail.com
Step 1:
- Open OWASP Juice Shop.
- Create two accounts ( i.e., normal user, attacker).
Step 2:
- Login into normal user.
- Add some products to basket/cart.
Step 3:
- Now click on the basket, you will see products that are added recently.
- Right click on the page, then click on inspect element a dock will be opened.
-
In that dock click on storage tab, session storage, you will get bid
(i.e., basket ID) keep a note of this value. For me it is 12.
- Now logout from raju account.
Step 4:
- Login into attacker account.
- Goto Basket page, here no products in basket.
- Right click on the page, then click on inspect element a dock will be opened.
-
In that dock click on storage tab, session storage, you will get bid
(i.e., basket ID) value. For me it is 10.
- Now replace the bid value (i.e., 10) with raju's bid value (i.e., 12) and refresh the page.
- Boom, here we got raju's basket in attacker account.
Mitigation:
- Don't rely on the client, validation at server side is required.
- Use Authentication based on strong Tokens JWT mechanism.
- Use encryption to encrypt data, which can be AES for example.
Comments
Post a Comment