GitBook: [#3641] No subject

This commit is contained in:
CPol 2022-11-03 10:18:27 +00:00 committed by gitbook-bot
parent 0fd67548bc
commit e16b521593
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
3 changed files with 135 additions and 48 deletions


@ -454,6 +454,7 @@
* [Reflecting Techniques - PoCs and Polygloths CheatSheet](pentesting-web/pocs-and-polygloths-cheatsheet/README.md)
* [Web Vulns List](pentesting-web/pocs-and-polygloths-cheatsheet/web-vulns-list.md)
* [2FA/OTP Bypass](pentesting-web/2fa-bypass.md)
* [Account Takeover](pentesting-web/account-takeover.md)
* [Bypass Payment Process](pentesting-web/bypass-payment-process.md)
* [Captcha Bypass](pentesting-web/captcha-bypass.md)
* [Cache Poisoning and Cache Deception](pentesting-web/cache-deception.md)


@ -0,0 +1,101 @@
# Account Takeover
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>
## **Authorization Issue**
Try to change the email of an account and **check how the confirmation works**. If **weak**, try to change the email to the victim one and confirm it.
## **Unicode Normalization Issue**
1. victim account `victim@gmail.com`
2. create an account using Unicode\
example: `vićtim@gmail.com`
{% content-ref url="unicode-injection/unicode-normalization.md" %}
[unicode-normalization.md](unicode-injection/unicode-normalization.md)
{% endcontent-ref %}
## **Reusing Reset Token**
If target allows you to **reuse the reset link** then **hunt** for more reset link via `gau` ,`wayback` or `scan.io`
## **Pre Account Takeover**
1. Signup using the victims email in the platform and set a password (try to confirm if possible, but lacking access to the victim emails might be impossible)
2. Wait till the victim signs up using oauth and confirms the account
3. Hopefully, the regular signup will be confirmed and you will be able to enter in the victims account
## **CORS Misconfiguration to Account Takeover**
If the page contains **CORS missconfigurations** you might be able to **steal sensitive information** from the user to **takeover his account** or make him change auth information for the same purpose:
{% content-ref url="cors-bypass.md" %}
[cors-bypass.md](cors-bypass.md)
{% endcontent-ref %}
## **Csrf to Account Takeover**
If the page is vulnerable to CSRF you might be able to make the **user modify his password**, email or authentication so you can then access it:
{% content-ref url="csrf-cross-site-request-forgery.md" %}
[csrf-cross-site-request-forgery.md](csrf-cross-site-request-forgery.md)
{% endcontent-ref %}
## **XSS to Account Takeover**
If you find a XSS in application you might be able to stal cookies, local storage, or info from the web page that could allow you takeover the account:
{% content-ref url="xss-cross-site-scripting/" %}
[xss-cross-site-scripting](xss-cross-site-scripting/)
{% endcontent-ref %}
## **Same Origin + Cookies**
If you find a limited XSS or a subdomain take over, you could play with the cookies (fixating them for example) to try to compromise the victim account:
{% content-ref url="hacking-with-cookies/" %}
[hacking-with-cookies](hacking-with-cookies/)
{% endcontent-ref %}
## **Attacking Password Reset Mechanism**
{% content-ref url="reset-password.md" %}
[reset-password.md](reset-password.md)
{% endcontent-ref %}
## **Response Manipulation**
If the authentication response could be **reduced to a simple boolean just try to change false to true** and see if you get any access.
## OAuth to Account takeover
{% content-ref url="oauth-to-account-takeover.md" %}
[oauth-to-account-takeover.md](oauth-to-account-takeover.md)
{% endcontent-ref %}
## References
* [https://infosecwriteups.com/firing-8-account-takeover-methods-77e892099050](https://infosecwriteups.com/firing-8-account-takeover-methods-77e892099050)
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>
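Review bot: the Unicode Normalization Issue list stops at step 2 without saying what the attacker gains or what to check, and the chosen character does not illustrate normalization: `ć` (U+0107) is unchanged by NFKC, so `vićtim@gmail.com` only collides with `victim@gmail.com` if the application strips diacritics. Add a step 3 that names the check (does a password reset or login for the look-alike address act on the victim's record, or does the confirmation mail for the look-alike reach the victim) and use a character NFKC really folds to ASCII, such as a fullwidth letter or the `ﬁ` ligature, for the normalization case, keeping `vićtim@gmail.com` as the diacritic-stripping case. Under Authorization Issue, "If weak" should say what to look for: whether a confirmation is sent to the new address at all, whether the token can be reused, and whether the address can be swapped in the request after the token is issued. The new Pre Account Takeover section restates the one in oauth-to-account-takeover.md, which this page already links to under "OAuth to Account takeover"; a one-line pointer avoids two copies drifting apart. Spelling and grammar: "missconfigurations" → "misconfigurations", "stal" → "steal", "Csrf" → "CSRF", "his account" / "victims account" → "their account" / "victim's account".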


@ -1,23 +1,18 @@
# OAuth to Account takeover
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>
# Basic Information <a href="#d4a8" id="d4a8"></a>
## Basic Information <a href="#d4a8" id="d4a8"></a>
There are a couple different versions of OAuth, you can read [https://oauth.net/2/](https://oauth.net/2/) to get a baseline understanding.
@ -42,7 +37,7 @@ Elements which are important to understand in an OAuth 2.0 context:
* **access\_token**: The `access_token` is the **token that the client application uses to make API requests** on behalf of a `resource owner`
* **refresh\_token**: The `refresh_token` allows an application to **obtain a new `access_token` without prompting the user**
## Real Example
### Real Example
Putting this all together, here is what a **real OAuth flow looks like**:
@ -78,15 +73,15 @@ Host: twitter.com
6\. Finally, the flow is complete and [https://yourtweetreader.com](https://yourtweetreader.com) will make an API call to Twitter with your `access_token` to access your Tweets.
# Bug Bounty Findings <a href="#323a" id="323a"></a>
## Bug Bounty Findings <a href="#323a" id="323a"></a>
Now, the interesting part! There are many things that can go wrong in an OAuth implementation, here are the different categories of bugs I frequently see:
## Weak redirect\_uri configuration <a href="#cc36" id="cc36"></a>
### Weak redirect\_uri configuration <a href="#cc36" id="cc36"></a>
. The `redirect_uri` is very important because **sensitive data, such as the `code` is appended to this URL** after authorization. If the `redirect_uri` can be redirected to an **attacker controlled server**, this means the attacker can potentially **takeover a victims account** by using the `code` themselves, and gaining access to the victims data.
The `redirect_uri` is very important because **sensitive data, such as the `code` is appended to this URL** after authorization. If the `redirect_uri` can be redirected to an **attacker controlled server**, this means the attacker can potentially **takeover a victims account** by using the `code` themselves, and gaining access to the victims data.
The way this is going to be exploited is going to vary by authorization server. **Some** will **only accept** the exact same ** `redirect_uri` path as specified in the client application**, but some will **accept anything** in the same domain or subdirectory of the `redirect_uri` .
The way this is going to be exploited is going to vary by authorization server. **Some** will **only accept** the exact same **`redirect_uri` path as specified in the client application**, but some will **accept anything** in the same domain or subdirectory of the `redirect_uri` .
Depending on the logic handled by the server, there are a number of techniques to bypass a `redirect_uri` . In a situation where a `redirect_uri` is [https://yourtweetreader.com](https://yourtweetreader.com)/callback, these include:
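Review bot: removing the stray leading `. ` and the space inside `** `redirect_uri`` in the Weak redirect_uri paragraphs is correct, but the same lines still read "takeover a victims account" and "the victims data"; write "take over a victim's account" and "the victim's data" ("takeover" is the noun, "take over" the verb).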
@ -106,7 +101,7 @@ All these parameters are **optional according to the OAuth and OpenID** specific
If you target an OpenID server, the discovery endpoint at **`.well-known/openid-configuration`**sometimes contains parameters such as "_registration\_endpoint_", "_request\_uri\_parameter\_supported_", and "_require\_request\_uri\_registration_". These can help you to find the registration endpoint and other server configuration values.
## XSS in redirect implementation <a href="#bda5" id="bda5"></a>
### XSS in redirect implementation <a href="#bda5" id="bda5"></a>
As mentioned in this bug bounty report [https://blog.dixitaditya.com/2021/11/19/account-takeover-chain.html](https://blog.dixitaditya.com/2021/11/19/account-takeover-chain.html) it might be possible that the redirect **URL is being reflected in the response** of the server after the user authenticates, being **vulnerable to XSS**. Possible payload to test:
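Review bot: the anchor `id="bda5"` on the XSS in redirect implementation heading is reused on CSRF - Improper handling of state parameter, AWS Cognito and SSRFs parameters further down, so deep links to any of the four land on the first one; give each heading its own id (the other headings in this file already carry unique ones such as `cc36` and `e177`). In the unchanged context line above, `**`.well-known/openid-configuration`**sometimes` has no space after the closing `**`, which prevents the bold from closing in CommonMark renderers; insert the space.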
@ -114,7 +109,7 @@ As mentioned in this bug bounty report [https://blog.dixitaditya.com/2021/11/19/
https://app.victim.com/login?redirectUrl=https://app.victim.com/dashboard</script><h1>test</h1>
```
## CSRF - Improper handling of state parameter <a href="#bda5" id="bda5"></a>
### CSRF - Improper handling of state parameter <a href="#bda5" id="bda5"></a>
Very often, the **`state` parameter is completely omitted or used in the wrong way**. If a state parameter is **nonexistent**, **or a static value** that never changes, the OAuth flow will very likely be **vulnerable to CSRF**. Sometimes, even if there is a `state` parameter, the **application might not do any validation of the parameter** and an attack will work. The way to exploit this would be to go through the authorization process on your own account, and pause right after authorising. You will then come across a request such as:
@ -134,14 +129,14 @@ One important thing to note is this doesnt just apply to logging in and accou
* Stripe integrations allowing an attacker to overwrite payment info and accept payments from the victims customers
* PayPal integrations allowing an attacker to add their PayPal account to the victims account, which would deposit money to the attackers PayPal
## Pre Account Takeover <a href="#ebe4" id="ebe4"></a>
### Pre Account Takeover <a href="#ebe4" id="ebe4"></a>
One of the other more common issues I see is when applications allow “Sign in with X” but also username/password. There are 2 different ways to attack this:
1. If the application does **not require email verification on account creation**, try **creating an account with a victims email address and attacker password** before the victim has registered. If the **victim** then tries to register or sign in **with a third party**, such as Google, its possible the application will do a lookup, see that email is already registered, then l**ink their Google account to the attacker created account**. This is a “**pre account takeover**” where an attacker will have access to the victims account if they created it prior to the victim registering.
2. If an **OAuth app does not require email verification**, try signing up with that OAuth app with a **victims email address**. The same issue as above could exist, but youd be attacking it from the other direction and getting access to the victims account for an account takeover.
## Disclosure of Secrets <a href="#e177" id="e177"></a>
### Disclosure of Secrets <a href="#e177" id="e177"></a>
Its very important to recognize **which of the many OAuth parameters are secret**, and to protect those. For example, leaking the `client_id` is perfectly fine and necessary, but leaking the **`client_secret` is dangerous**. If this is leaked, the **attacker** can potentially **abuse the trust and identity of the trusted client application to steal user `access_tokens` and private information/access for their integrated accounts**. Going back to our earlier example, one issue Ive seen is performing this step from the client, instead of the server:
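Review bot: "l**ink their Google account" has the bold opener inside the word, so the intended `**link their Google account to the attacker created account**` will not render; move the `**` before "link". This Pre Account Takeover section is now also summarised in the new account-takeover.md; keep the detailed version here and have the new page link to it rather than maintaining two descriptions of the same two attack directions. Apostrophes are dropped throughout the hunk: "victims email address", "Its very important", "youd be attacking", "Ive seen" → "victim's", "It's", "you'd", "I've".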
@ -149,7 +144,7 @@ _5._ [_https://yourtweetreader.com_](https://yourtweetreader.com) _will then tak
**If this is done from the client, the `client_secret` will be leaked and users will be able to generate `access_tokens` on behalf of the application**. With some social engineering, they can also **add more scopes to the OAuth authorization** and it will all appear legitimate as the request will come from the trusted client application.
## Client Secret Bruteforce
### Client Secret Bruteforce
You can try to **bruteforce the client\_secret** of a service provider with the identity provider in order to be try to steal accounts.\
The request to BF may look similar to:
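Review bot: "in order to be try to steal accounts" should read "in order to try to steal accounts", and "bruteforce the client_secret of a service provider with the identity provider" is hard to parse; say whose secret it is, for example "brute-force the client_secret that the client application presents to the identity provider's token endpoint", which is what the request below shows (the `client_secret=[bruteforce]` parameter sent alongside `code` and `client_id`).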
@ -164,23 +159,23 @@ Connection: close
code=77515&redirect_uri=http%3A%2F%2F10.10.10.10%3A3000%2Fcallback&grant_type=authorization_code&client_id=public_client_id&client_secret=[bruteforce]
```
## Referer Header leaking Code + State
### Referer Header leaking Code + State
Once the client has the **code and state**, if it's **reflected inside the Referer header** when he browses to a different page, then it's vulnerable.
## Access Token Stored in Browser History
### Access Token Stored in Browser History
Go to the **browser history and check if the access token is saved in there**.
## Everlasting Authorization Code
### Everlasting Authorization Code
The **authorization code should live just for some time to limit the time window where an attacker can steal and use it**.
The **authorization code should live just for some time to limit the time window where an attacker can steal and use it**.
## Authorization/Refresh Token not bound to client
### Authorization/Refresh Token not bound to client
If you can get the **authorization code and use it with a different client then you can takeover other accounts**.
## AWS Cognito <a href="#bda5" id="bda5"></a>
### AWS Cognito <a href="#bda5" id="bda5"></a>
In this bug bounty report: [**https://security.lauritz-holtmann.de/advisories/flickr-account-takeover/**](https://security.lauritz-holtmann.de/advisories/flickr-account-takeover/) you can see that the **token** that **AWS Cognito** gives back to the user might have **enough permissions to overwrite the user data**. Therefore, if you can **change the user email for a different user email**, you might be able to **take over** others accounts.
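Review bot: the heading "Authorization/Refresh Token not bound to client" promises a refresh-token case but the body only covers using a stolen authorization code with a different client; either add the refresh-token variant (a `refresh_token` accepted from a client other than the one it was issued to) or rename the heading to match. "The authorization code should live just for some time ..." appears twice with no visible difference, which points to a whitespace-only change; if that was unintended, revert it so the hunk is only the heading renumbering. Smaller points: "when he browses" → "when they browse"; "change the user email for a different user email" → "change the user's email to another user's email"; the Access Token Stored in Browser History check only applies when the token travels in the URL (`response_type=token`, the implicit grant), and saying so tells the reader when to look.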
@ -201,7 +196,7 @@ aws cognito-idp update-user-attributes --region us-east-1 --access-token eyJraWQ
}
```
## SSRFs parameters <a href="#bda5" id="bda5"></a>
### SSRFs parameters <a href="#bda5" id="bda5"></a>
One of the hidden URLs that you may miss is the **Dynamic Client Registration endpoint**. In order to successfully authenticate users, OAuth servers need to know details about the client application, such as the "client\_name", "client\_secret", "redirect\_uris", and so on. These details can be provided via local configuration, but OAuth authorization servers may also have a **special registration endpoint**. This endpoint is normally mapped to "/register" and accepts POST requests with the following format:
@ -225,8 +220,6 @@ Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJ ...
}
```
There are two specifications that define parameters in this request: [RFC7591](https://tools.ietf.org/html/rfc7591) for OAuth and [Openid Connect Registration 1.0](https://openid.net/specs/openid-connect-registration-1\_0.html#rfc.section.3.1).
As you can see here, a number of these values are passed in via URL references and look like potential targets for [Server Side Request Forgery](https://portswigger.net/web-security/ssrf). At the same time, most servers we've tested do not resolve these URLs immediately when they receive a registration request. Instead, they just **save these parameters and use them later during the OAuth authorization flow**. In other words, this is more like a second-order SSRF, which makes black-box detection harder.
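Review bot: "most servers we've tested" (and "many servers we've seen" in the request_uri paragraph below) is taken from the PortSwigger "Hidden OAuth attack vectors" article listed under References, so on this page "we" reads as HackTricks having run those tests; attribute the passage inline (for example "PortSwigger report that most servers they tested do not resolve these URLs immediately") or reword it in the third person.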
@ -238,15 +231,14 @@ The following parameters are particularly interesting for SSRF attacks:
`POST /oauth/token HTTP/1.1`\
`...`\
``\
\`\`\
`grant_type=authorization_code&code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion=eyJhbGci...`
If vulnerable, the **server should perform a server-to-server HTTP request to the supplied "jwks\_uri"** because it needs this key to check the validity of the "client\_assertion" parameter in your request. This will probably only be a **blind SSRF vulnerability though**, as the server expects a proper JSON response.
* **sector\_identifier\_uri** - This URL references a file with a single **JSON array of redirect\_uri values**. If supported, the server may **fetch this value as soon as you submit the dynamic registration request**. If this is not fetched immediately, try to perform authorization for this client on the server. As it needs to know the redirect\_uris in order to complete the authorization flow, this will force the server to make a request to your malicious sector\_identifier\_uri.
* **request\_uris** - An array of the **allowed request\_uris for this client**. The "request\_uri" parameter may be supported on the authorization endpoint to provide a URL that contains a JWT with the request information (see [https://openid.net/specs/openid-connect-core-1\_0.html#rfc.section.6.2](https://openid.net/specs/openid-connect-core-1\_0.html#rfc.section.6.2)).
Even if dynamic client registration is not enabled, or it requires authentication, we can try to perform SSRF on the authorization endpoint simply by using "request\_uri":\
Even if dynamic client registration is not enabled, or it requires authentication, we can try to perform SSRF on the authorization endpoint simply by using "request\_uri":\\
`GET /authorize?response_type=code%20id_token&client_id=sclient1&request_uri=https://ybd1rc7ylpbqzygoahtjh6v0frlh96.burpcollaborator.net/request.jwt`
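Review bot: the two lines consisting only of backticks and backslashes between `...` and the `grant_type=authorization_code&...` line are escaped-backtick debris, not part of the token request; drop them and put the request in a fenced block as the Client Secret Bruteforce request already is, which also removes the need for trailing-backslash hard breaks. The change of the trailing `\` to `\\` after `simply by using "request_uri":` turns a GitBook hard line break into a literal backslash in the output; compare the trailing `\` used for the same purpose after "The request to BF may look similar to:".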
@ -254,30 +246,23 @@ The following parameters are particularly interesting for SSRF attacks:
At the same time, many servers we've seen do not allow arbitrary "request\_uri" values: they only allow whitelisted URLs that were pre-registered during the client registration process. That's why we need to supply "request\_uris": "https://ybd1rc7ylpbqzygoahtjh6v0frlh96.burpcollaborator.net/request.jwt" beforehand.
# OAuth providers Race Conditions
## OAuth providers Race Conditions
If the platform you are testing is an OAuth provider [**read this to test for possible Race Conditions**](race-condition.md).
# References
## References
* [**https://medium.com/a-bugz-life/the-wondeful-world-of-oauth-bug-bounty-edition-af3073b354c1**](https://medium.com/a-bugz-life/the-wondeful-world-of-oauth-bug-bounty-edition-af3073b354c1)
* [**https://portswigger.net/research/hidden-oauth-attack-vectors**](https://portswigger.net/research/hidden-oauth-attack-vectors)
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
- **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>