IDOR Causing Account Takeover of Admin

This is an interesting IDOR vulnerability leading to account takeover, and I am sure many will like the trick described in this write-up. The company offers both an on-premises product and a SaaS version, and both were affected by this vulnerability. You will be surprised that all the top companies in the world use this service. Although the award was only a 20 Euro coupon, I think the trick for finding this IDOR was great. Let's call the site www.sample.com. Sample.com has 4 privilege levels, of which the highest is Administrator and the lowest is User.

Sample.com provides SaaS as well as a product platform for using its services by allowing each organisation to create a subdomain. So vibhuti123.sample.com is an organisation's domain. Now let's say vibhuti123.sample.com has 2 accounts: admin with Administrator privileges and hacker with User privileges.

The POC below explains the account takeover via this IDOR in detail.

POC:

Application: https://vibhuti123.sample.com

Impact: Complete account takeover

Steps:

1) I have two accounts, whose usernames and passwords are listed below.

1st account:

username: admin

password: abcdef

2nd account:

username: hacker

password: abcdef

2) I have intentionally used the same password, abcdef, for both accounts; I will change it later. Now admin is the Administrator of the site https://vibhuti123.sample.com.

I have set the password complexity to the medium level so that I can use abcdef as my password. I will then increase the password level step by step. Before going forward I want to mention that it is not possible to execute a brute-force attack on the login page, because after 5 unsuccessful attempts it starts requiring CAPTCHA verification.

3) Now log in to https://vibhuti123.sample.com with the hacker username and go to the URL below:

https://vibhuti123.sample.com/secure/ViewProfile.jsp

4) The above URL is the profile page of the user hacker. In the profile page there is a link to change the current password, so click the change password link as shown in Diagram 1.

5) After clicking the above link you will be taken to the page below (see Diagram 2):

https://vibhuti123.sample.com/admin/users/changepassword?returnUrl=%2Fsecure%2FViewProfile.jspa


6) Now enter a random password as current-password and a random password as new-password. Turn Burp Proxy intercept on and intercept the request (see Diagram 3).

7) In the above diagram we can see that the username hacker is included in the request. Now change the username to admin, whose password we want to change; new-password will be vibhuti and current-password will be abcdef. Remember that admin and hacker both have the same current password, abcdef. The problem is that the current session belongs to hacker, yet if we change the username to admin and supply admin's current password (which is the same for both accounts), the password gets changed for admin through hacker's session. If we do not know admin's current password, we can easily brute-force it and change admin's password. I brute-forced the current password with 10000 requests; no rate limiting was implemented, and I successfully changed the password of admin. The time taken to change the admin password would be:

Password strength                                              Time taken
Common dictionary password                                     .29 milliseconds
6-character password with three complexity, e.g. Sk!ps1        6 minutes
7-character password with three complexity, e.g. Sk!ps1h       5 hours
8-character password with three complexity, e.g. Sk!pf1sh      10 days
9-character password with three complexity                     6 years
10-character password with three complexity                    160 years


Here "three complexity" means at least one capital letter, one number and one symbol.

8) It only seems impossible if admin creates a password of nine or more characters with three complexity. The others are practically feasible.

9) To prove it I did two tests.

First) I changed the username in the intercepted request from hacker to admin, with current password abcdef and new password vibhuti. Even though the current session was that of user hacker, admin's password got changed. This clearly means that the current session is not validated against the username provided in the request.

2nd) Then I changed the admin user's password to admin. I brute-forced the last 4 characters, and with 37412 requests I was able to change the password of user admin. See the 200 OK response that came at around request 37412 in Diagram 4.
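The root cause shown in steps 7 and 9 is twofold: the change-password handler takes the target account from the request body instead of the session, and it never throttles wrong current-password guesses. As an added illustration (not the vendor's code), here is a Python model of that vulnerable handler beside a fixed one; the user store, the hash function and the MAX_FAILURES value are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

MAX_FAILURES = 5  # after this many wrong current-passwords, require a step-up (e.g. CAPTCHA)


def hash_pw(pw: str) -> str:
    # Stand-in for a real slow password hash (bcrypt/argon2); sha256 keeps the example dependency-free.
    return hashlib.sha256(pw.encode()).hexdigest()


def sample_users() -> dict:
    # Constructed store mirroring the write-up: both accounts start with the password "abcdef".
    return {"admin": hash_pw("abcdef"), "hacker": hash_pw("abcdef")}


@dataclass
class PasswordService:
    users: dict = field(default_factory=sample_users)
    failures: dict = field(default_factory=dict)  # per-account count of wrong current-passwords

    def change_vulnerable(self, session_user: str, form: dict) -> int:
        """Reproduces the bug: the account comes from the body and wrong guesses are never counted."""
        target = form["username"]  # attacker-controlled; session_user is never consulted
        if hmac.compare_digest(self.users[target], hash_pw(form["current-password"])):
            self.users[target] = hash_pw(form["new-password"])
            return 200
        return 403

    def change_fixed(self, session_user: str, form: dict) -> int:
        """Hardened handler: the target is always the authenticated user, and failures are throttled."""
        target = session_user  # any "username" field in the body is ignored
        if self.failures.get(target, 0) >= MAX_FAILURES:
            return 429  # locked; a CAPTCHA or re-authentication step-up belongs here
        if not hmac.compare_digest(self.users[target], hash_pw(form["current-password"])):
            self.failures[target] = self.failures.get(target, 0) + 1
            return 403
        self.failures.pop(target, None)
        self.users[target] = hash_pw(form["new-password"])
        return 200
```

With the fixed handler, the step-7 request sent from hacker's session changes hacker's own password and leaves admin untouched, and five wrong guesses lock further attempts even when the sixth is correct.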