[mr23r0] Saransh Saraf
Code flaws lead to Organization Account Takeover
The Application Design
The application allowed only one Admin/Manager per organization; other viewers had to log in in order to view the content.
Note: After creating an account, the user cannot change the organization_name.
Design Flaw / Insecure Design
While creating an account I saw a very weird parameter in the POST request:
POST /some_ajax/create_event_flow HTTP/1.1
Host: portal.example.com
Connection: close
Content-Length: 663
sec-ch-ua: "Google Chrome";v="105", "Not)A;Brand";v="8", "Chromium";v="105"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/json; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
sec-ch-ua-platform: "Linux"
Origin: https://portal.example.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://portal.example.com/create_event_flow
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie:
{"methodName":"onboard","params":{"some_params":{"some_name":"Account takeover","some_modules":[1]},"user_params":{"name":"User_name","email":"admin@mr23r0.rocks","password":"Password_Secret"},"community_params":{"name":"Organization_name","slug":"testthing-for-ato","c_id":683,"client_time_zone":"Asia/Calcutta"}}}
c_id. Noticed it? I hope so. Let's see what happens in the backend. While registering, the application creates an entry with the email address and creates a row in the organization table (if it's SQL); then our current request goes into the users table and creates a user with a predefined organization.
INSERT INTO organizations (c_id, name) VALUES (683, 'Organization_name');   -- c_id is taken straight from the request body
INSERT INTO users (username, password, c_id) VALUES ('Jack', '123', 683);   -- the user is bound to whichever c_id the client sent
So I changed the c_id to the victim's c_id and, as expected, it took me to the victim's organization. That is our first bug ;) It is a design flaw, but we can also call it Horizontal Privilege Escalation [1].
Note: The application doesn't support multiple Admins/Managers in one organization.
When I test, what I primarily want to achieve is an account takeover; testing is like a video game for me, completing every level one by one. So I kept looking for more vulnerabilities, and after 15 minutes of searching I found a Stored Cross-Site Scripting [2] on the Organization_name.
Now the problem was how to change the victim's Organization_name, given that it cannot be changed after account creation.
I tried replaying the create-account request and BOOM!! We can send a POST request to /some_ajax/create_event_flow with no authentication required, and if we put a cross-site scripting payload in Organization_name and replace our c_id with the victim's c_id, the victim's Organization_name gets changed ;)
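To make the two halves of this flaw concrete (a client-chosen c_id binding the caller to an existing organization, and the same unauthenticated call overwriting that organization's name), here is an added example that is not the application's own code. The table and column names (communities, users, c_id), the in-memory SQLite schema, the victim organization 683 and the request bodies are all constructed for the example; the vulnerable handler is modelled as an upsert keyed on c_id, which is an assumption that reproduces both behaviours the post observed. The hardened handler assigns the organization id server-side, rejects any client-supplied c_id, only ever inserts the community row, and HTML-escapes the stored name on output.

```python
import html
import sqlite3

# Added example, not the vulnerable application's code. Schema, table/column names,
# the victim organisation 683 and the request bodies are constructed for illustration.


def init_db():
    """In-memory database with one constructed victim organisation (c_id 683)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE communities (c_id INTEGER PRIMARY KEY, name TEXT NOT NULL, slug TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE NOT NULL, c_id INTEGER NOT NULL);
    """)
    db.execute("INSERT INTO communities VALUES (683, 'Victim Org', 'victim-org')")
    db.execute("INSERT INTO users (email, c_id) VALUES ('owner@victim.example', 683)")
    return db


def onboard_request(email, org_name, c_id=None):
    """Build a body shaped like the create_event_flow request above (constructed)."""
    community = {"name": org_name, "slug": "testthing-for-ato", "client_time_zone": "Asia/Calcutta"}
    if c_id is not None:
        community["c_id"] = c_id
    return {"methodName": "onboard",
            "params": {"user_params": {"name": "User_name", "email": email, "password": "x"},
                       "community_params": community}}


def onboard_vulnerable(db, body):
    """Trusts the client-supplied c_id: the community row is written under that id
    (assumed upsert) and the new user is attached to it, with no authentication
    and no ownership check. This is the flaw the post describes."""
    user = body["params"]["user_params"]
    comm = body["params"]["community_params"]
    db.execute("INSERT OR REPLACE INTO communities (c_id, name, slug) VALUES (?, ?, ?)",
               (comm["c_id"], comm["name"], comm["slug"]))
    db.execute("INSERT INTO users (email, c_id) VALUES (?, ?)", (user["email"], comm["c_id"]))
    return comm["c_id"]


def onboard_fixed(db, body):
    """Organisation id is server-assigned. A client that sends c_id is rejected, and
    the community row is only ever inserted, so an existing organisation is untouched."""
    user = body["params"]["user_params"]
    comm = body["params"]["community_params"]
    if "c_id" in comm:
        raise PermissionError("c_id is assigned by the server, not the client")
    cur = db.execute("INSERT INTO communities (name, slug) VALUES (?, ?)", (comm["name"], comm["slug"]))
    c_id = cur.lastrowid
    db.execute("INSERT INTO users (email, c_id) VALUES (?, ?)", (user["email"], c_id))
    return c_id


def org_name(db, c_id):
    return db.execute("SELECT name FROM communities WHERE c_id = ?", (c_id,)).fetchone()[0]


def render_org_name(db, c_id):
    """Output-encode the stored name so a payload written via the flaw renders as text."""
    return "<h1>" + html.escape(org_name(db, c_id), quote=True) + "</h1>"


def demo():
    """Run the attacker request against both handlers and collect what happened."""
    payload = "<script>alert(1)</script>"  # stand-in for the post's blind XSS payload
    results = {}

    db = init_db()
    attacker = onboard_request("admin@attacker.example", payload, c_id=683)
    results["vuln_joined_c_id"] = onboard_vulnerable(db, attacker)   # attached to victim org
    results["vuln_victim_name"] = org_name(db, 683)                  # victim name overwritten
    results["vuln_rendered"] = render_org_name(db, 683)              # escaped on output

    db = init_db()
    try:
        onboard_fixed(db, attacker)
        results["fixed_rejected"] = False
    except PermissionError:
        results["fixed_rejected"] = True
    results["fixed_victim_name"] = org_name(db, 683)                 # unchanged
    results["fixed_new_c_id"] = onboard_fixed(db, onboard_request("new@attacker.example", "Legit Org"))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Rejecting the parameter outright (rather than silently ignoring it) is deliberate: a client that sends c_id on an onboarding call is either a stale front end or an attacker, and either is worth a log entry. Escaping on output is the second, independent layer; it does not replace the server-side id assignment, it only stops a name that did get stored from executing in anyone's browser.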
That got us the victim's active cookies; but nobody will accept an account takeover that relies on active cookies alone, so I simply checked for Session Fixation or No Logout [3] (the session staying valid on the server after the victim logs out), and I got lucky: the application was vulnerable.
The last two vulnerabilities: the application asked for the current password in order to change the password, but after intercepting the request I found that the current password was neither sent nor checked, and the change-email operation required no additional authentication at all.
Quick wrap up
Create an account --> change the "c_id" and add the blind XSS payload in the "organization_name"
copy the victim's cookies
Login as the victim by using the cookies
change the password by using:
i. Change Password
ii. Change Email --> Recover password
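The last three links of that chain (a stolen cookie that stays valid after logout, a password change that never checks the current password, and an email change with no re-authentication) come down to three server-side checks. The following is an added example, not the application's code; the class and function names, the PBKDF2 parameters and the accounts and passwords used in demo() are all illustrative choices for the example.

```python
import hashlib
import hmac
import os
import secrets

# Added example, not the application's code. Names and parameters are illustrative;
# the point is the three server-side checks the post found missing.


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, email, password):
        self.email = email
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)

    def check_password(self, candidate):
        return hmac.compare_digest(hash_password(candidate, self.salt), self.pw_hash)


class SessionStore:
    """Server-side session table: a cookie is only valid while its token is in here."""

    def __init__(self):
        self._sessions = {}  # token -> Account

    def login(self, account, password):
        if not account.check_password(password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self._sessions[token] = account
        return token

    def resolve(self, token):
        """Return the Account behind a cookie, or None once it has been revoked."""
        return self._sessions.get(token)

    def logout(self, token):
        # Closes the "no logout" gap: clearing the cookie client-side is not enough,
        # the token has to disappear on the server so a stolen copy dies with it.
        self._sessions.pop(token, None)

    def revoke_all(self, account, keep=None):
        for tok in [t for t, a in self._sessions.items() if a is account and t != keep]:
            del self._sessions[tok]


def change_password(store, account, token, current_password, new_password):
    if store.resolve(token) is not account:
        raise PermissionError("not logged in")
    if not account.check_password(current_password):   # the check the post found missing
        raise PermissionError("current password incorrect")
    account.salt = os.urandom(16)
    account.pw_hash = hash_password(new_password, account.salt)
    store.revoke_all(account, keep=token)               # every other session, stolen or not, dies


def change_email(store, account, token, current_password, new_email):
    if store.resolve(token) is not account:
        raise PermissionError("not logged in")
    if not account.check_password(current_password):   # re-authenticate before a recovery-relevant change
        raise PermissionError("current password incorrect")
    account.email = new_email
    store.revoke_all(account, keep=token)


def demo():
    """Replay the post's takeover steps against the hardened handlers."""
    results = {}
    store = SessionStore()
    victim = Account("owner@victim.example", "correct horse")
    victim_cookie = store.login(victim, "correct horse")
    stolen = victim_cookie  # what a stored-XSS cookie theft would hand the attacker
    results["stolen_cookie_works"] = store.resolve(stolen) is victim

    # Attacker tries both password-change routes from the wrap-up with only the cookie.
    try:
        change_password(store, victim, stolen, "guess", "pwned")
        results["change_without_current_pw"] = True
    except PermissionError:
        results["change_without_current_pw"] = False
    try:
        change_email(store, victim, stolen, "guess", "attacker@attacker.example")
        results["email_change_without_current_pw"] = True
    except PermissionError:
        results["email_change_without_current_pw"] = False

    # Victim logs out: server-side revocation kills the stolen copy too.
    store.logout(victim_cookie)
    results["stolen_cookie_after_logout"] = store.resolve(stolen) is not None

    # Victim logs in on two devices and changes the password on one; the other is revoked.
    first = store.login(victim, "correct horse")
    second = store.login(victim, "correct horse")
    change_password(store, victim, first, "correct horse", "new passphrase")
    results["other_session_after_change"] = store.resolve(second) is not None
    results["own_session_after_change"] = store.resolve(first) is victim
    results["new_password_works"] = victim.check_password("new passphrase")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note what each check buys on its own: server-side logout alone would have stopped the attacker once the victim logged out, the current-password check alone would have stopped both password-change routes, and revoking other sessions on a successful change limits the window even when the attacker got in first. The cookie theft itself is a separate fix (the session cookie should carry HttpOnly so the stored payload cannot read it), which this example does not model.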
I hope you’ve learned something new from this.
Thanks!