Code flaws leads to Organization Account Takeover Code flaws leads to Organization Account Takeover



Code flaws leads to Organization Account Takeover


the Application Design

The Application was only allowing one Admin/Manager per one organization, but other viewers has to login in order to view the content.
Note: After creating an account user cannot change the organization_name.

Design Flaw/ Insecure Design

While creating an account I saw a very weird parameter in the POST request

POST /some_ajax/create_event_flow HTTP/1.1
Connection: close
Content-Length: 663
sec-ch-ua: "Google Chrome";v="105", "Not)A;Brand";v="8", "Chromium";v="105"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/json; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ Safari/537.36
sec-ch-ua-platform: "Linux"
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Se;c-Fetch-Dest: empty
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
{"methodName":"onboard","params":{"some_params":{"some_name":"Account takeover","some_modules":[1]},"user_params":{"name":"User_name","email":"","password":"Password_Secret"},"community_params":{"name":"Organization_name","slug":"testthing-for-ato","c_id":683,"client_time_zone":"Asia/Calcutta"}}}

c_id noticed it? I hope so, let’s see what is happening in the backend, While trying to register, the application creates a entry with the email address and creates a row in the organization table (if it’s SQL) then our current request goes into the users table and makes a user with a predefined organization.

INSERT INTO users (username, password, organization) VALUES ("Jack","123", "organization_name") WHERE c_id='683';

So I changed the c_id with the victim’s c_id and as expected it took me to the victim’s organization. So we got our first bug ;) Design flaw but we can also call it Horizontal Privilege Escalation1.
Note : The Application doesn’t supports multiple Admin/Manager in one organization.

When I do testing, primarily what I want to achieve is an Account takeover and testing is like a video game for me completing every level one by one… so I started looking for more vulnerabilities, after 15 minutes of search I got it, found a Stored Cross Site Scripting2 on the Organization_name now the problem is how can I change the victim’s Organization_name.

I tried to replicate the create an account request and BOOM!! we can send a POST request to /some_ajax/create_event_flow no authentication required and also if we put cross site scripting payload in Organization_name and change our c_id with the victim’s c_id, the victim’s Organization_name gets changed ;)


We got the victim’s active cookies — but no-one will accept account takeover with active cookies, So I simply checked for Session Fixation or No Logout3 and I got lucky the application was vulnerable.

Last two vulnerability, the application was taking current password in order to change password but after intercepting the request I found that they’re not sending or checking the current password and there wasn’t any authentication on change email operation.

Quick wrap up

Create an account --> change the "c_id" and add the blind xss payload in the "organization_name"
copy the victim's cookies 
Login as the victim by using the cookies
change the password by using:
           i. Change Password
           ii. Change Email --> Recover password

I hope you’ve learned something new from this.