
Tampering Encrypted Parameter to Account Takeover

4 min read · May 24, 2020

Hola Infosec! Thanks for showing so much love to my previous story. Just like my last writeup, today I am going to share another interesting finding of mine.

Most of us have found a simple parameter-tampering bug, or at least know how to perform one. Today I am going to share my experience of the time I was able to tamper with a parameter that was encrypted. RSA encrypted, to be precise.

Since this was a client of the company where I do my day job, I cannot reveal the name, so let's call it Target.com from here on.

This story is also for all those developers who think client-side protection is enough and do not implement even a single check on the server side. Encrypting a parameter in the browser hides its value from a casual observer, but whoever controls the browser also controls the code that does the encrypting, so the server still has to decide whether the caller is allowed to act on the decrypted value.

On performing any action on target.com, the parameter values being transmitted were encrypted. Captured in Burp, a parameter value looked something like this:

userName=8cfe39943d6e08e505531ddfd90c66f47c2f55ce140e5770fef58d3bec826f52490a089d1942aaed74a9f6ed0fd8890cef6c36e31220c9859a3ab423062wxbeea480d94850d95374ab3a7a47de3e9f89b3250a58397044817069c6a17109cc27408b0c53f94q34a5878270ff6random8c96b916bb9594af648e6dc6851685a9d41cdb868761c4d36d49389150840af05a277530dd191464befc79a46d418a4e4f12b2dec0c5cc01097efed4b2a6608c2c2f076a27fe0ce62a70a4fe2f02b558abae6f4a4757fb34a593ccd04f2356c2c521758b0e59c017087121d63c1b002fc794953e690290489f8af87d17359ba0fc59b832f972d80293fe8d2aafcb4faca

The application had a Forgot Password functionality. The flow was:

  1. Go to target.com/signin and enter the email ID for which the password is to be changed.
  2. An email containing a 6-digit authorization code is sent to that address.
  3. Go to target.com/forgotPasswd and enter the email ID, the authorization code and the new password.

I requested an authorization code for "attacker@email.com", received the code by email, went to /forgotPasswd, entered the email (attacker@email.com), the auth code and a new password, and intercepted the request. It looked something like below.

As we can clearly see, there were four parameters: email, userName, the encrypted password and the code, and all of them were encrypted. I first tried replacing the encrypted values with plaintext, i.e. "attacker@email.com" and "victim@email.com" in place of the ciphertexts, but those requests were rejected.

Then I opened the same page, target.com/forgotPasswd, in a different browser and this time entered "victim@email.com" instead of the attacker email, intercepted the request and copied the encrypted value. I went back to the request in my first browser and tried that copied value in place of the email and userName ciphertexts, but it didn't work.

So, summing up, the original request was:

email=encryptedattackeremail&userName=encryptedattackerusername&passwd=encryptedattackerpasswd&code=encryptedcode

I tried modifying it to encryptedvictimemail and encryptedvictimusername, but sadly that didn't work either.

I did not give up. A bit of searching on Google suggested RSA: a fixed-length hex blob of that size is consistent with an RSA ciphertext, whose length is fixed by the key modulus (256 bytes, i.e. 512 hex characters, for a 2048-bit key). I viewed the page source, opened the JS files, searched for "rsa" and got some results. This confirmed that the encryption was RSA.

A while later I realised that, since the parameter values were already encrypted by the time Burp intercepted them, the encryption was happening client side. I tried turning off JavaScript in the browser to see whether the values would then go out unencrypted, but the application simply stopped working :(
Then it clicked: if this is client side, the RSA function must be defined somewhere in the JS code itself, so it can simply be called from the browser.

I right-clicked, chose Inspect Element, went to the Console tab, typed "rsa" and, to my surprise, found a function named "rsaEncrypt".

[Screenshot: rsaEncrypt function available in the console]

This function could simply be called with a string argument and would return the encrypted value. So I defined a string "s" with the value "victim@email.com" and passed it to rsaEncrypt.
Luckily, it gave me the encrypted value.

PS: I did all this on the /forgotPasswd page itself, because if I refreshed the page the encrypted values changed every time (a session parameter might be linked to it). Note that RSA with PKCS#1 v1.5 or OAEP padding is randomized, so the same plaintext encrypts to a different ciphertext on every call; a value that changes on refresh is expected and does not, on its own, tell you whether the session is involved.

On the same /forgotPasswd page, I entered "attacker@email.com", the authorization code and a new password, and submitted the form so I could intercept it in Burp.

In the Burp request I did not modify anything except the "userName" parameter, which I changed to the rsaencryptedvictimemail value I had got from the rsaEncrypt function.

So it looked like this:
email=encryptedattackeremail&userName=rsaencryptedvictimemail&passwd=encryptedattackerpasswd&code=encryptedcode

And boom! The password of victim@email.com was changed. The server validated the authorization code against the email parameter, but applied the new password to whatever account userName named, and nothing checked that the two were the same account. Account takeover, this way.

Thanks for taking out time to read this! Do Clap if you liked it :D

See you next time!

Till then do connect with me on Twitter, LinkedIn and Website
