An Account Takeover Vulnerability Due to Response Manipulation.

- No doesn’t necessarily mean no.! Responses can always be manipulated

Hey Everyone,
I hope everyone is healthy and staying safe amidst this COVID-19 pandemic.
On the brighter side, the pandemic gave me enough time at my disposal that I spent mostly on up skilling myself and of course finding bugs! and it was a pretty exciting for me as I discovered multiple Account Takeover vulnerabilities on a single private program and was able to closely work with the program to get things fixed and back in place.

In this write up I’ll be talking about one of the account takeover vulnerabilities which I came across during that time.

Before we start I would like you to go through my previous write up which was also an account takeover vulnerability discovered on the same program:

A Brief about the login feature implemented in the application.
To authenticate a user, the application back-end sends a 4 digit code to the registered email id, and only after entering that code the application verifies the legitimacy of the user and ensures that only an authorized user with a valid code can get access to the user’s account. Looks pretty decent right.

Attack Scenario
So when we navigate to​ ​​ a login form appears where on entering a valid email as mentioned above a 4 digit authentication code is sent to that email address.

So the first thing that came to my mind was to enter the victim’s email and start brute-forcing the code, but the application had a strict rate-limiting mechanism in place and it returned ​ HTTP ​ 429 Too Many Requests ​ HTTP response code after 10 wrong attempts, and even after trying multiple settings introducing time delays etc. also the authentication code was not leaked in the response so I was devoid of any success. :(

But failure is not an option.!

The next thing that came to my mind was let’s first have a look at the positive login flow of the application, So I entered an email-id of one of my test accounts and intercepted the positive login flow by proxying it through Burpsuite after clicking on login.

As expected an authentication code was sent to the mentioned email
On entering the right authentication code I was able to log in to that account as expected so I captured that request and dropped it off in the ​ Repeater tab ​ for further investigation. So now looking at what happens after entering the wrong authentication code, the application returns a 401 Unauthorized error code as expected.

After many attempts to bypass the login feature, one thing that grabbed my attention was the error response in the response body stating {“code”:”invalid_credentials”} What if I manipulate the response itself and replace it with the one I captured previously in a successful attempt, So I tried manipulating the response by entering any random 4 digit code and capturing the response for that login attempt on Burpsuite.

Making some changes to the Response code HTTP/1.1 200 OK and the response body {“verify”:”true”} to resemble a successful attempt.

And guess what? Yeah, you guessed it right.! It worked
Changing the HTTP code from​ ​ HTTP/1.1 401 Unauthorized​ ​ To HTTP/1.1 200 OK and the response value from {“code”:”invalid_credentials”}​ ​ to {“verify”:”true”}

Bypasses the authentication feature implemented as the application and gets us to log in to any User/Admin’s account on that application. This was happening because there was a client-side JavaScript that triggered a subsequent request based on the response received which would set new session cookies as an authenticated user.

I Reported this immediately, and as the team was aware of my previous Account Takeover vulnerabilities this was ​ Triaged and Fixed within 4 hours.

The Fix implemented was:
The entire login flow was revamped and the client-side JavaScript validation was removed and the application was not accepting any user value to the response and manipulating the response gave us an error message.

It was really fun hunting on this program and I’ll be publishing more write-ups in the upcoming days so stay tuned.!

Hope you guys enjoyed it! Do share it across :)
For any queries buzz me up on Twitter:​ ​
Until next time,

Cheers & Stay safe !! :)

Cobalt Core Pen-tester @Cobalt_io | Synack Red Team member @Synack | Bug Bounty @Bugcrowd | Acknowledged by Google, Microsoft, Apple, and 30+

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store