User Account Takeover via Reset Password Functionality

Hey Guys,

One more interesting blog explaining an interesting vulnerability that I have found recently in one of the Mobile Wallet Companies of India.

To login into any online website , we need to have an username which can be users registered mail id and password that he has set for it and if he doesn't remember his password, there is a Reset Password Feature which comes to help. While researching out for the vulnerability around this feature , I found a logical flaw by which I was able to reset any user password and login with the same to takeover his complete account. 

Let's now enter into the explanation-

1. When I clicked on Reset password functionality for the account "testaccount09@gmail.com", received a mail saying "To reset the password , please click on the below link-" and the link was something - 

 http://www._________.com/account/resetpassword/ id=296417 token=dGVzdGFjY291bnQwOUBnbWFpbC5jb20=&vit=MjAxNi8xMC8yNQ==  

2. Here 'id' is the identification number associated with the user account and 'token' is the base64 decoded registered mail ID of the user which here is "testaccount09@gmail.com" and 'vit' is the base64 decoded time stamp whose value in this case is "2016/10/25"
        

3. Researching more, I have found that the timestamp parameter is the expiry date of the reset password link which was here 2 days from the time user clicked on reset password.

4. Now comes the step of compromising user account. What I did is that I replaced the mail id of the user and encoded it to base64 in the reset password link and keep the timestamp value to 2 days ahead of the current date.

          Victim mail id - varun09811@gmail.com

          Base64 encoded value  (Parameter = token)                                                     - dmFydW4wOTgxMUBnbWFpbC5jb20=

          Timestamp value (Parameter = vit) - MjAxNi8xMC8yNQ= 

     

5. The tricky part comes here is to find "id" associated with that particular user mail id. Since it's a 6 digit code so I tried brute forcing it via a python script and after a while, I found the right id associated with the victim mail id which happens to be id=254346 .( yes, this is something time consuming ).

6.  So the tampered URL is - 

http://www._________.com/account/resetpassword/?id=254346&       token=dmFydW4wOTgxMUBnbWFpbC5jb20=&vit=MjAxNi8xMC8yNQ=

I loaded the link in the browser, set the new password for it! and I was successfully able to login into his account. I had the complete access to his account, can use his wallet money , change registered mobile number and everything!

I reported this vulnerability to the concerned enterprise, and they were quick to patch it within 2 days.I thank the company for the small token of appreciation :) 

That's all about it! 

Do share your feedback.

Thanks

~logicbomb

Database Compromised via Manual SQL Injection

Hi Guys,

Recently while hunting for bug bounty, I was able to crack a website database using one of the most common vulnerabilities and yet the most severe - SQL Injection. I found this highly critical vulnerability in India's biggest "Online Job and test portal".

Let's have a quick review about SQL Injection-

Websites often use databases at the backend to store and manage large amounts of information. The de-facto standard language for querying databases is SQL. Web applications often take user input (taken out of the HTTP request) and incorporate it in an SQL query, which is then sent to the backend database. The query results are then processed by the application and sometimes displayed to the user.

By exploiting this vulnerability, an attacker can directly pass malicious queries and inputs to the database and interpret the responses from the database. It allows an attacker to read, write, modify or delete information stored within the database along with sometimes gaining system level access to the underlying operating system.

In the instances below, the affected parameters were passing user input directly to the back-end database without proper validation. Because of this, it is possible to insert malicious data into these fields to not only cause errors but also to gain complete access to the database. On successful exploitation of the vulnerability, an attacker would have access to Read, Write and Modify any data stored within the database.

Now lets jump into its POC-

I was able to detect the SQL injection in of the parameters via Blind SQL Payload.

vulnerable_parameter= ' and sleep(2) 

Note- sleep() - as the backend database was MySQL.

I found that as I change the value of sleep function, the same time the HTTP request takes to response means the page gets loaded after that particular time. In this case by keeping it 2 second , the response time of the HTTP request was 2 sec and when I changed it to sleep(10), the response it took was 10sec approx. This was the confirmation for me that SQL Injection exists and the parameter is vulnerable to Blind SQL Injection. Now the next step is to find all database related info along with database tables.

Now to find database username , I created the following payload-

(select%20*%20from(select(if(substring(user(),1,3)=%27pea%27,sleep(5),%27b%27)))a)---

This will check whether the third character of database username is 'a' on the basis of time taken for HTTP response as I used the same blind sql injection technique (sleep()). So by using this technique , I move one by one character to find the complete username.

Now to find table names, the payload used was-

substring((Select table_name from information_schema.tables where table_schema=database() limit 0,1)=%27a*27,sleep(5),%27b%)))---

Similarly like above, it will check for each character in table name in the current database one by one (by changing the value) with the response time of 5 sec. Now once you get a name of a table, the next step is to find column name-

Suppose the table name we get is "users".

substring(select column_name from information_schema.columns where table_schema=database() and table_name='users' and column_name like '%u%' limit 0,1)=%27a*27,sleep(5),%27b%)))---

This will test whether the column name starts with 'u' for the table name "users" under the current database. If its true then page load after 5 sec.
and now comes the last thing to dump the table contents-

Here "column_name" will be replaced by the column that were fetched by above payloads.

(select 1 from dual where (select * from users where "column_name" like '%a%' limit 0,1)=%27a*27,sleep(5),%27b%)

Further this can be automated by a simple python script.

I reported this vulnerability and it was soon patched by the concerned enterprise in one week.
This is all about this hack! One of the most common and the most sever kind of vulnerability.

Do share your feedback and queries. 

Thanks.

Local File Inclusion Attack

Hi Guys,

Back with one more vulnerability technique "Local File Inclusion" attack. With this attack, I was able to get the complete source code of the application and the API keys of the victim enterprise.

I have found this vulnerability in India's largest online health platform website.

Let's have a look at the vulnerability-

A file inclusion vulnerability allows an attacker to access unauthorized or sensitive files available on the web server or to execute malicious files on the web server. This vulnerability occurs when a user input contains the path to the file that has to be included. When such an input is not properly sanitized, the attacker may give some default file names and access unauthorized files, or an attacker may also make use of directory traversal characters and retrieve sensitive files available in other directories. Local File Inclusion (LFIs) allow an attacker to read and sometimes execute files on the victim machine. This can be very dangerous because if the web server is misconfigured and running with high privileges, the attacker may gain access to sensitive information. If the attacker is able to place code on the web server through other means, then they may be able to execute arbitrary commands.

By this vulnerability, I was able to read all the files including source code of the application and sensitive files like webconfig where I got APIs key of mail server, sms, payment gateway etc and further I was also able to use mail server key to send mail from enterprise mail server and were able to even send sms using the sms key.

The technique that was used to find this vulnerability is called Path Traversal Attack.

I found this vulnerability in the URL and the parameter shown in the screenshot above.

The response of the above URL HTTP request is as below-

By this I analysed that Micrsoft-IIS webserver is in use. So I tried to open WIN.INI file of windows by path traversal attack.

And I got the following response-

This is the content of WIN.INI file. So by this I was confirmed that Local File Inclusion vulnerability exist.

The “../” used in the example above represent a directory traversal. The number of “../” depend on the configuration and location of the target web server on the victim machine. Some experimentation may be required.

Now I tried escalating to this vulnerability.

And as expected I was able to get the complete source code for login.ashx page which is also a high vulnerability risk.

                             

Source code disclosure vulnerability allows an attacker to view / download the source code files of the web application from the webserver. These files can reveal sensitive information related to specific functionality of the website, how different web-pages react to various parameter values given to it etc. An attacker can use this information to carry out targeted attacks on the website which may lead to website compromise.

The files contain source-code files that are publicly accessible. An attacker may download these source-code files and carry out intellectual property theft.

In-addition, these files may contain sensitive details about the inner workings of the website and disclose additional vulnerabilities.

Response of above request-

Similarly , I was able to find the source code of complete application.

Now the critical aspect of this, below is the webconfig file –

Check the response-

As you can see , server credentials, mail server API key, sms service api key and payment gateway API key are accessbile.
By some more researching, I was able to use the keys to send mails, send sms etc.

Risk-

By source code disclosure vulnerability, I was able to get the complete source code of the application .
These files reveal sensitive information relates to the specific functionality of the application. For eg. I can get the logic behind the encryption used for login and hence can use it for user account hijack vulnerability.

The local file inclusion vulnerability gave me access to all the APIs key used in application. I was able to use mail server api key to send mails from the behalf of the company , and even sms. Payment gateway api can be used for completely bypassing the payment gateway and buying the product at much less price.


I reported this vulnerability to the concerned company on 19th June and it was soon patched after that.

Any feedback,suggestion would be highly appreciated :)

Thanks
~logicbomb

Customer Information Disclosure via IDOR

Hi Guys,
Recently while researching for bug bounty, I have found a very critical vulnerability of IDOR(explained in the last blog) in one of an Indian Shopping websites ( again can't disclose the name for some obvious reasons).

Some of the impact that I was manage to do by exploiting this vulnerability are-

1. Full Customer Information Disclosure including complete name, Mail Id, phone number , Address.
2. Delete address from any user account
3. Add address details to any user account.

I found this vulnerability in one Shopping website of India.I had the access to all their customer data before the concerned company has patched it after I reported it to them.

Now lets see the steps-

1-  Like every shopping websites has, there is a functionality to choose delivery address where customer want to ship his product. When I clicked on my address where I wanted to ship the product and captured the HTTP request,  I found that there is an address_id tagged with my address.

The response of the above request contains my delivery address- Full Name, Mobile Number, Mail id, and address.

2-  As can bee seen in the above screenshot, this is my details. Now I tried changing the address_id to some other value like "1985170".

and checked the response.

3-  As there was no access control check, I was able to see other user address details. Now bruteforcing this 7 digit number, I was able to dump details of all the customer of the company.

4-  Similarly, there is a functionality to delete the address. Clicking on remove address functionality and capturing the request.

5-  Now, bruteforcing the address_id parameter , I was able to delete address of any user from his account.
Used the address id that I have got above.

and as expected, I got 200OK .

Now lets check whether the address has been deleted from his account or not.By using the same method by which I extracted his information.

and again as expected the address associated with that particular id is deleted.

6-  Similarly, I could add address to any customer account.
Clicked on edit address, and then save. The captured raw request is below-

7-  Now bruteforcing the address id and the details , I was able to add my address to any user account by just giving address id.

So this is all about this hack- A vulnerability directly affecting company reputation and customer trust.

I reported this vulnerability on 23rd May and it got patched soon after 1 week.


Suggestions, feedback, queries all are welcome :)

-logicbomb

User Account Hijack via IDOR

Hi All,

One more day of hack!

While researching for vulnerabilities, I have found a very critical vulnerability of Insecure Direct Object Reference(IDOR) in one of the Hotel Booking websites by which I was able to hijack any user account. 

What is IDOR?

Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying value of a parameter used to directly point to an object. This is caused by the fact that the application takes input from the user and without performing any authorization check allow the user the access to the object.

This is occupying the fourth spot in Open Web Application Security Project(OWASP) Top 10 list of the most critical web application security risks since 2007.

I found this vulnerability in one Hotel Booking company of India. I was able to completely compromise any user account provided the mail id of the user.

Below are the steps- 

1. I created my account , and went to my profile section where I found different functionalities like  "Wallet Money" , "My bookings" just like every travel booking websites have.

2. Captured the request by clicking on "Wallet Money" functionality and found that there was a parameter containing mail id  i.e emailId.

The response to the request is the credit balance that the user has in his wallet.

3- Seeing this, I changed the mail id to some other mail id (obviously to one who has account in this website) and found that I was able to check wallet money of the user associated to that mail id.

I changed the mail id to victim mail address and I got the below response-

         







4- And similarly "My booking" functionality was vulnerable to IDOR where I could see the bookings made by the user by modifying the mail id . Then I went further, and tried to hijack user account using "New Password" functionality .

From the above two scenario, I found that there was no mapping of user mail id with any authentication token and there was no authorized check where the user has access to particular object or not.

5- I checked the "My Profile" section where I could change the current password ,captured the raw request.
            

   










6- Now as you can seen in the request, there are some parameter like FirstName,LastName, Email, Password, NewEmail.

Now I changed the "Email" parameter to victim mail id i,e moneyjain030193@gmail.com and kept the password of my choice i.e. 123456 and as I was expecting, I got 200 ok. 

and with no surprise I was able to log in successfully with the Victim id and with the password that I have chosen for him. 


That's all about this IDOR vulnerability ,simple yet critical.

Suggestions and feedback are welcome :)