Account Takeover Using ID Values

In this article, we are going to learn about account takeover using ID values. First we will cover some account takeover theory, then we will go through a practical demonstration.

Disclaimer: The articles provided on HackWithV are purely for informational and educational purposes, and for those who are willing and curious to know and learn about Ethical Hacking, Security and Penetration Testing. Any time the word "Hacking" is used on this site, it shall be regarded as Ethical Hacking.

What is Account Takeover?

  • Account Takeover (ATO) is a form of identity theft in which a fraudster, using bots or working manually, illegally gains access to a victim's bank account, e-commerce account, or other type of account.
  • A successful account takeover attack leads to fraudulent transactions and unauthorized purchases from the victim's compromised account.

Account Takeover Methods:

  • Credential Cracking
  • Using User ID values (substituting another user's identifier)
  • Using OTP Bypass
  • Using 2FA Logic Flaw

In this article, we will discuss account takeover using user ID values.

Practical:

  • Target web application: OWASP Juice Shop
  • Target user: raju@gmail.com
  • Attacker: attacker@gmail.com

Step 1:

  • Open OWASP Juice Shop.
  • Create two accounts (i.e., a normal user and an attacker).

Step 2:

  • Log in as the normal user.

  • Add some products to the basket/cart.

Step 3:

  • Now click on the basket; you will see the products that were just added.

  • Right-click on the page and choose Inspect Element; a developer tools dock will open.

  • In that dock, click the Storage tab, then Session Storage; you will find a key named bid (i.e., the basket ID). Keep a note of this value. For me it is 12.

  • Now log out of raju's account.

Step 4:

  • Log in to the attacker account.

  • Go to the Basket page; there are no products in this basket.
  • Right-click on the page and choose Inspect Element; a developer tools dock will open.

  • In that dock, click the Storage tab, then Session Storage; you will find the bid (i.e., basket ID) value. For me it is 10.

  • Now replace the bid value (i.e., 10) with raju's bid value (i.e., 12) and refresh the page.

  • Boom, here we have raju's basket in the attacker's account. The server looked the basket up by the ID the client sent and never checked that the basket belongs to the logged-in user.

Mitigation:

  1. Don't rely on the client; the server must validate that the requested object belongs to the authenticated user.
  2. Use token-based authentication (e.g., a JWT mechanism) so that the user's identity comes from the session, not from a client-supplied ID.
  3. Encrypt sensitive data, for example with AES.
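The following is an added example, not Juice Shop's own code, that shows mitigation 1 in practice: an Express-style basket handler that trusts the client-supplied bid beside one that checks ownership against the server-side session. The in-memory store, user IDs and request objects are constructed for the demo; in the real application the ownership check would be a database query filtered by the session user.

```javascript
// Constructed data store: basket 12 belongs to raju (user 1),
// basket 10 belongs to the attacker (user 2).
const baskets = new Map([
  [10, { id: 10, UserId: 2, items: [] }],
  [12, { id: 12, UserId: 1, items: ["Apple Juice", "Banana Juice"] }],
]);

// Vulnerable: the bid from the request (which the browser copies out of
// session storage) is used directly as the lookup key, so any authenticated
// user can read any basket just by changing the number.
function getBasketVulnerable(req) {
  const basket = baskets.get(Number(req.params.bid));
  if (!basket) return { status: 404, body: { error: "not found" } };
  return { status: 200, body: basket };
}

// Hardened: req.user.id comes from the server-side session (e.g. a verified
// JWT), never from the client. A basket that exists but belongs to someone
// else gets the same 404 as a missing basket, so the response does not even
// confirm that the guessed ID is valid.
function getBasketHardened(req) {
  const basket = baskets.get(Number(req.params.bid));
  if (!basket || basket.UserId !== req.user.id) {
    return { status: 404, body: { error: "not found" } };
  }
  return { status: 200, body: basket };
}

// The attacker (user 2) replays raju's basket ID 12, as in the walkthrough.
const attackerRequest = { user: { id: 2 }, params: { bid: "12" } };

// Logging the two results with the same request shows the difference:
// the vulnerable handler returns raju's items, the hardened one returns 404.
console.log("vulnerable:", getBasketVulnerable(attackerRequest));
console.log("hardened:  ", getBasketHardened(attackerRequest));
```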


Be Aware, Be Secure.

Thank You 🙏
