Code flaws leads to Organization Account Takeover
the Application Design
The Application was only allowing one Admin/Manager per one organization, but other viewers has to login in order to view the content.
Note: After creating an account user cannot change the organization_name
Design Flaw/ Insecure Design
While creating an account I saw a very weird parameter in the POST
POST /some_ajax/create_event_flow HTTP/1.1
{"methodName":"onboard","params":{"some_params":{"some_name":"Account takeover","some_modules":[1]},"user_params":{"name":"User_name","email":"admin@mr23r0.rocks","password":"Password_Secret"},"community_params":{"name":"Organization_name","slug":"testthing-for-ato","c_id":683,"client_time_zone":"Asia/Calcutta"}}}
noticed it? I hope so, let’s see what is happening in the backend, While trying to register, the application creates a entry with the email address and creates a row in the organization table (if it’s SQL) then our current request goes into the users table and makes a user with a predefined organization.
INSERT INTO users (username, password, organization) VALUES ("Jack","123", "organization_name") WHERE c_id='683';
So I changed the c_id
with the victim’s c_id
and as expected it took me to the victim’s organization. So we got our first bug ;) Design flaw but we can also call it Horizontal Privilege Escalation1.
Note : The Application doesn’t supports multiple Admin/Manager in one organization.
When I do testing, primarily what I want to achieve is an Account takeover and testing is like a video game for me completing every level one by one… so I started looking for more vulnerabilities, after 15 minutes of search I got it, found a Stored Cross Site Scripting2 on the Organization_name
now the problem is how can I change the victim’s Organization_name
I tried to replicate the create an account request and BOOM!! we can send a POST request to /some_ajax/create_event_flow
no authentication required and also if we put cross site scripting payload in Organization_name
and change our c_id
with the victim’s c_id
, the victim’s Organization_name
gets changed ;)
We got the victim’s active cookies — but no-one will accept account takeover with active cookies, So I simply checked for Session Fixation or No Logout3 and I got lucky the application was vulnerable.
Last two vulnerability, the application was taking current password in order to change password but after intercepting the request I found that they’re not sending or checking the current password and there wasn’t any authentication on change email operation.
Quick wrap up
Create an account --> change the "c_id" and add the blind xss payload in the "organization_name"
copy the victim's cookies
Login as the victim by using the cookies
change the password by using:
i. Change Password
ii. Change Email --> Recover password
I hope you’ve learned something new from this.