Account Takeover

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Authorization Issue

๊ณ„์ •์˜ ์ด๋ฉ”์ผ์„ ๋ณ€๊ฒฝํ•˜๋ ค ์‹œ๋„ํ•˜๊ณ , ํ™•์ธ ํ”„๋กœ์„ธ์Šค๋ฅผ ๋ฐ˜๋“œ์‹œ ๊ฒ€์‚ฌํ•ด์•ผ ํ•ฉ๋‹ˆ๋‹ค. ํ™•์ธ ์ ˆ์ฐจ๊ฐ€ ์ทจ์•ฝํ•œ ๊ฒฝ์šฐ, ์ด๋ฉ”์ผ์„ ๋Œ€์ƒ ํ”ผํ•ด์ž์˜ ๊ฒƒ์œผ๋กœ ๋ณ€๊ฒฝํ•œ ๋’ค ํ™•์ธ์„ ์™„๋ฃŒํ•˜์„ธ์š”.

Unicode Normalization Issue

  1. ๋Œ€์ƒ ํ”ผํ•ด์ž์˜ ๊ณ„์ • victim@gmail.com
  2. Unicode\๋ฅผ ์‚ฌ์šฉํ•ด ๊ณ„์ •์„ ์ƒ์„ฑํ•ฉ๋‹ˆ๋‹ค. ์˜ˆ: viฤ‡tim@gmail.com

As explained in this talk, the previous attack could also be done abusing third party identity providers:

  • Create an account in the third-party identity provider with an email similar to the victim's, using some Unicode character (vićtim@company.com).
  • The third-party provider shouldn't verify the email.
  • If the identity provider does verify the email, you might attack the domain part instead, e.g. victim@ćompany.com: register that domain and hope that the identity provider generates the ASCII version of the domain while the victim platform normalizes the domain name.
  • Log in to the victim platform via this identity provider; if the platform normalizes the Unicode character, it will give you access to the victim's account.
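The collision described above, as an added example that is not part of the original page or of any real provider's code: a Python model of a platform that checks e-mail uniqueness on the raw string but matches identity-provider logins after Unicode normalization, beside a version that canonicalizes at registration and only links exact, IdP-verified addresses. The canonicalization rule (NFKD, strip combining marks, casefold), the class names and the addresses are assumptions made here for the illustration.

```python
import unicodedata

# Added example (not from the original page): how a platform that normalizes
# Unicode in e-mail addresses maps an attacker's look-alike registration onto
# the victim's account, and a registration/login path that does not.


def canonicalize_email(email: str) -> str:
    """Reduce an address to its ASCII 'skeleton': NFKD decomposition, drop
    combining marks, casefold.  'vićtim@gmail.com' (c with acute, U+0107)
    becomes 'victim@gmail.com'; the long s 'ſ' (U+017F) becomes 's'."""
    decomposed = unicodedata.normalize("NFKD", email)
    no_marks = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return no_marks.casefold()


class VulnerablePlatform:
    """Uniqueness is enforced on the raw string, but logins coming from an
    identity provider are matched after normalization."""

    def __init__(self):
        self.accounts = {}  # raw e-mail -> owner

    def register(self, email, owner):
        if email in self.accounts:  # 'vićtim@...' != 'victim@...', so this passes
            return False
        self.accounts[email] = owner
        return True

    def login_via_idp(self, idp_email, email_verified=False):
        # email_verified is ignored here; the IdP-asserted address is normalized
        # and compared against every stored address, and the victim's older
        # account is the first one that matches.
        wanted = canonicalize_email(idp_email)
        for stored, owner in self.accounts.items():
            if canonicalize_email(stored) == wanted:
                return owner
        return None


class HardenedPlatform:
    """Canonicalize at registration so look-alikes cannot be created, and never
    map an IdP login onto an account whose stored address differs from the
    exact, verified address the IdP asserted."""

    def __init__(self):
        self.accounts = {}  # canonical e-mail -> (raw e-mail, owner)

    def register(self, email, owner):
        key = canonicalize_email(email)
        if key in self.accounts:  # look-alike of an existing address: rejected
            return False
        self.accounts[key] = (email, owner)
        return True

    def login_via_idp(self, idp_email, email_verified=False):
        if not email_verified:  # unverified IdP e-mails are never used for linking
            return None
        entry = self.accounts.get(canonicalize_email(idp_email))
        if entry is None or entry[0] != idp_email:  # exact-string match only
            return None
        return entry[1]


if __name__ == "__main__":
    v = VulnerablePlatform()
    v.register("victim@gmail.com", "victim")
    v.register("vićtim@gmail.com", "attacker")
    print("vulnerable login as look-alike ->", v.login_via_idp("vićtim@gmail.com"))
    h = HardenedPlatform()
    h.register("victim@gmail.com", "victim")
    print("hardened register look-alike ->", h.register("vićtim@gmail.com", "attacker"))
    print("hardened login as look-alike ->", h.login_via_idp("vićtim@gmail.com", True))
```

The same canonicalization must be applied at registration and at every lookup; doing it only on the login path is exactly what creates the collision.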

For further details, refer to the document on Unicode Normalization:

Unicode Normalization

Reusing Reset Token

๋Œ€์ƒ ์‹œ์Šคํ…œ์ด reset link๋ฅผ ์žฌ์‚ฌ์šฉ ํ—ˆ์šฉํ•˜๋ฉด, gau, wayback, scan.io ๊ฐ™์€ ๋„๊ตฌ๋ฅผ ์‚ฌ์šฉํ•ด ๋” ๋งŽ์€ reset ๋งํฌ๋ฅผ ์ฐพ์œผ๋ ค ๋…ธ๋ ฅํ•ด์•ผ ํ•ฉ๋‹ˆ๋‹ค.

Pre Account Takeover

  1. ํ”ผํ•ด์ž์˜ ์ด๋ฉ”์ผ์„ ์‚ฌ์šฉํ•ด ํ”Œ๋žซํผ์— ๊ฐ€์ž…ํ•˜๊ณ  ๋น„๋ฐ€๋ฒˆํ˜ธ๋ฅผ ์„ค์ •ํ•ฉ๋‹ˆ๋‹ค(๊ฐ€๋Šฅํ•˜๋‹ค๋ฉด ํ™•์ธ ์‹œ๋„๋„ ํ•ด๋ณด๋˜, ํ”ผํ•ด์ž์˜ ์ด๋ฉ”์ผ ์ ‘๊ทผ ๊ถŒํ•œ์ด ์—†์œผ๋ฉด ๋ถˆ๊ฐ€๋Šฅํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค).
  2. ํ”ผํ•ด์ž๊ฐ€ OAuth๋กœ ๊ฐ€์ž…ํ•˜๊ณ  ๊ณ„์ •์„ ํ™•์ธํ•  ๋•Œ๊นŒ์ง€ ๊ธฐ๋‹ค๋ฆฝ๋‹ˆ๋‹ค.
  3. ์ผ๋ฐ˜ ๊ฐ€์ž…์ด ํ™•์ธ๋˜๋ฉด ํ”ผํ•ด์ž ๊ณ„์ •์— ์ ‘๊ทผํ•  ์ˆ˜ ์žˆ๊ฒŒ ๋˜๊ธฐ๋ฅผ ๊ธฐ๋Œ€ํ•ฉ๋‹ˆ๋‹ค.

CORS Misconfiguration to Account Takeover

ํŽ˜์ด์ง€์— CORS misconfigurations๊ฐ€ ์žˆ์œผ๋ฉด ์‚ฌ์šฉ์ž์˜ ๋ฏผ๊ฐํ•œ ์ •๋ณด๋ฅผ ํƒˆ์ทจํ•˜์—ฌ ๊ณ„์ •์„ takeoverํ•˜๊ฑฐ๋‚˜ ๋™์ผํ•œ ๋ชฉ์ ์„ ์œ„ํ•ด ์ธ์ฆ ์ •๋ณด๋ฅผ ๋ณ€๊ฒฝํ•˜๊ฒŒ ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค:

CORS - Misconfigurations & Bypass

Csrf to Account Takeover

ํŽ˜์ด์ง€๊ฐ€ CSRF์— ์ทจ์•ฝํ•˜๋ฉด ์‚ฌ์šฉ์ž๊ฐ€ ์ž์‹ ์˜ ๋น„๋ฐ€๋ฒˆํ˜ธ, ์ด๋ฉ”์ผ ๋˜๋Š” ์ธ์ฆ ์ •๋ณด๋ฅผ ๋ณ€๊ฒฝํ•˜๊ฒŒ ๋งŒ๋“ค์–ด ์ดํ›„์— ์ ‘๊ทผํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค:

CSRF (Cross Site Request Forgery)

XSS to Account Takeover

์• ํ”Œ๋ฆฌ์ผ€์ด์…˜์—์„œ XSS๋ฅผ ๋ฐœ๊ฒฌํ•˜๋ฉด ์ฟ ํ‚ค, local storage, ๋˜๋Š” ์›น ํŽ˜์ด์ง€์˜ ์ •๋ณด๋ฅผ ํƒˆ์ทจํ•˜์—ฌ ๊ณ„์ •์„ takeoverํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค:

XSS (Cross Site Scripting)

  • Attribute-only reflected payloads on login pages can hook document.onkeypress, exfiltrate keystrokes through new Image().src, and steal credentials without submitting the form. See Attribute-only login XSS behind WAFs for a practical workflow.

Same Origin + Cookies

์ œํ•œ์ ์ธ XSS๋‚˜ ์„œ๋ธŒ๋„๋ฉ”์ธ takeover๋ฅผ ๋ฐœ๊ฒฌํ•˜๋ฉด cookies๋ฅผ ์กฐ์ž‘(์˜ˆ: fixating)ํ•˜์—ฌ ํ”ผํ•ด์ž ๊ณ„์ •์„ ์นจํ•ดํ•˜๋ ค ์‹œ๋„ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค:

Cookies Hacking

Attacking Password Reset Mechanism

Reset/Forgotten Password Bypass

Security-question resets that trust client-supplied usernames

If an "update security questions" flow takes a username parameter even though the caller is already authenticated, you can overwrite any account's recovery data (including admins') because the backend typically runs UPDATE ... WHERE user_name = ? with your untrusted value. The pattern is:

  1. Log in with a throwaway user and capture the session cookie.
  2. Submit the victim username plus new answers via the reset form.
  3. Immediately authenticate through the security-question login endpoint using the answers you just injected to inherit the victim's privileges.

POST /reset.php HTTP/1.1
Host: file.era.htb
Cookie: PHPSESSID=<low-priv>
Content-Type: application/x-www-form-urlencoded

username=admin_ef01cab31aa&new_answer1=A&new_answer2=B&new_answer3=C

Anything gated by the victim's $_SESSION context (admin dashboards, dangerous stream-wrapper features, etc.) is now exposed without touching the real answers.

Enumerated usernames can then be targeted via the overwrite technique above or reused against ancillary services (FTP/SSH password spraying).
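The overwrite and the follow-up login, as an added example that is not the target application's code: a Python/sqlite3 model of the security-question reset handler in its client-trusting form and in a form that takes the target user from the server-side session, plus the security-question login endpoint. The table layout, the second user and all answers are constructed; the username and form fields reuse the ones shown in the request above.

```python
import sqlite3

# Added example: a security-question reset that trusts the submitted username,
# next to one that uses the session user.  Schema and rows are constructed.


def setup_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (user_name TEXT PRIMARY KEY, role TEXT, "
        "answer1 TEXT, answer2 TEXT, answer3 TEXT)"
    )
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?, ?)",
        [
            ("admin_ef01cab31aa", "admin", "blue", "rex", "paris"),
            ("lowpriv", "user", "red", "tom", "rome"),
        ],
    )
    db.commit()
    return db


def reset_questions_vulnerable(db, session, form):
    """Mirrors the pattern on the page: the row to update is chosen by the
    client-supplied `username`, although `session` already identifies the caller."""
    cur = db.execute(
        "UPDATE users SET answer1 = ?, answer2 = ?, answer3 = ? WHERE user_name = ?",
        (form["new_answer1"], form["new_answer2"], form["new_answer3"], form["username"]),
    )
    db.commit()
    return cur.rowcount


def reset_questions_hardened(db, session, form):
    """Same UPDATE, but the WHERE value comes from server-side session state;
    a `username` field in the form is simply ignored."""
    cur = db.execute(
        "UPDATE users SET answer1 = ?, answer2 = ?, answer3 = ? WHERE user_name = ?",
        (form["new_answer1"], form["new_answer2"], form["new_answer3"], session["user_name"]),
    )
    db.commit()
    return cur.rowcount


def login_with_questions(db, username, a1, a2, a3):
    """The security-question login endpoint: returns the role on a full match."""
    row = db.execute(
        "SELECT role FROM users WHERE user_name = ? AND answer1 = ? "
        "AND answer2 = ? AND answer3 = ?",
        (username, a1, a2, a3),
    ).fetchone()
    return row[0] if row else None


# The request from the page as the server sees it: a low-privilege session
# plus a form body naming the admin account.
SESSION = {"user_name": "lowpriv"}
FORM = {"username": "admin_ef01cab31aa",
        "new_answer1": "A", "new_answer2": "B", "new_answer3": "C"}


def role_after_reset(handler):
    """Run `handler` with the attacker's session/form, then log in as the admin
    with the injected answers.  'admin' means the takeover worked."""
    db = setup_db()
    handler(db, SESSION, FORM)
    return login_with_questions(db, FORM["username"], "A", "B", "C")


if __name__ == "__main__":
    print("vulnerable handler ->", role_after_reset(reset_questions_vulnerable))
    print("hardened handler   ->", role_after_reset(reset_questions_hardened))
```

The parameterized query is not the problem here (there is no SQL injection); the authorization bug is that the WHERE value is chosen by the client at all.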

Response Manipulation

์ธ์ฆ ์‘๋‹ต์„ ๋‹จ์ˆœํ•œ ๋ถˆ๋ฆฌ์–ธ์œผ๋กœ ์ถ•์†Œํ•  ์ˆ˜ ์žˆ๋‹ค๋ฉด, false๋ฅผ true๋กœ ๋ณ€๊ฒฝํ•ด๋ณด๊ณ  ์ ‘๊ทผ์ด ๋˜๋Š”์ง€ ํ™•์ธํ•˜๋ผ.

OAuth to Account takeover

OAuth to Account takeover

Host Header Injection

  1. The Host header is modified after a password reset request is initiated.
  2. The X-Forwarded-For proxy header is altered to attacker.com.
  3. The Host, Referrer and Origin headers are changed to attacker.com at the same time.
  4. After initiating a password reset and then opting to resend the mail, all three of the methods above are tried.
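Why those header changes matter, as an added example that is not code from the page: a Python reset-link builder that derives the link's host from proxy headers and Host, beside one that validates Host against an allowlist and builds the link from configuration only. The canonical origin, the allowlist and the token are constructed for the illustration.

```python
from urllib.parse import urlencode

# Added example (not from the page): building the password-reset link from
# request headers versus from configuration.  Origin and token are constructed.

CANONICAL_ORIGIN = "https://app.example.com"   # assumption: the site's configured origin
ALLOWED_HOSTS = {"app.example.com"}


def reset_link_vulnerable(headers, token):
    """Takes the host from a proxy header first, then from Host: exactly the
    values an attacker controls when the app trusts whatever arrives."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    return f"https://{host}/reset?{urlencode({'token': token})}"


def reset_link_hardened(headers, token):
    """Refuses requests whose Host is not ours and never derives the link from
    request data.  Returns None instead of a link for an unexpected Host."""
    if headers.get("Host") not in ALLOWED_HOSTS:
        return None
    return f"{CANONICAL_ORIGIN}/reset?{urlencode({'token': token})}"


# Headers as sent in steps 1-3 above: Host, a proxy header and
# Referer/Origin all pointed at the attacker.
ATTACK_HEADERS = {
    "Host": "attacker.com",
    "X-Forwarded-Host": "attacker.com",
    "X-Forwarded-For": "attacker.com",
    "Origin": "https://attacker.com",
    "Referer": "https://attacker.com",
}
LEGIT_HEADERS = {"Host": "app.example.com"}


def link_host(link):
    """Host part of a generated link, or None when no link was produced."""
    if link is None:
        return None
    return link.split("/")[2]


if __name__ == "__main__":
    print("vulnerable:", reset_link_vulnerable(ATTACK_HEADERS, "t0k"))  # link to attacker.com
    print("hardened:  ", reset_link_hardened(ATTACK_HEADERS, "t0k"))    # None
    print("hardened:  ", reset_link_hardened(LEGIT_HEADERS, "t0k"))
```

A single spoofed proxy header is enough against the first builder even when Host is left intact, which is why step 2 is tried on its own before the combined variant in step 3.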

Response Manipulation

  1. Code Manipulation: change the status code to 200 OK.
  2. Code and Body Manipulation:
  • Change the status code to 200 OK.
  • Modify the response body to {"success":true} or to an empty object {}.

These manipulation techniques are effective when JSON is used to send and receive data.

Change email of current session

From this report:

  • ๊ณต๊ฒฉ์ž๊ฐ€ ์ž์‹ ์˜ ์ด๋ฉ”์ผ์„ ์ƒˆ ์ฃผ์†Œ๋กœ ๋ณ€๊ฒฝ ์š”์ฒญํ•œ๋‹ค
  • ๊ณต๊ฒฉ์ž๋Š” ์ด๋ฉ”์ผ ๋ณ€๊ฒฝ ํ™•์ธ ๋งํฌ๋ฅผ ๋ฐ›๋Š”๋‹ค
  • ๊ณต๊ฒฉ์ž๋Š” ๊ทธ ๋งํฌ๋ฅผ ํ”ผํ•ด์ž์—๊ฒŒ ๋ณด๋‚ด๊ณ  ํ”ผํ•ด์ž๊ฐ€ ํด๋ฆญํ•˜๊ฒŒ ํ•œ๋‹ค
  • ํ”ผํ•ด์ž์˜ ์ด๋ฉ”์ผ์ด ๊ณต๊ฒฉ์ž๊ฐ€ ์ง€์ •ํ•œ ์ฃผ์†Œ๋กœ ๋ณ€๊ฒฝ๋œ๋‹ค
  • ์ด ๊ณต๊ฒฉ์€ ๋น„๋ฐ€๋ฒˆํ˜ธ๋ฅผ ๋ณต๊ตฌํ•˜๊ฑฐ๋‚˜ ๊ณ„์ •์„ ํƒˆ์ทจํ•  ์ˆ˜ ์žˆ๊ฒŒ ํ•œ๋‹ค

This also happened in this report.

Bypass email verification for Account Takeover

  • ๊ณต๊ฒฉ์ž๊ฐ€ attacker@test.com์œผ๋กœ ๋กœ๊ทธ์ธํ•˜๊ณ  ๊ฐ€์ž… ์‹œ ์ด๋ฉ”์ผ์„ ๊ฒ€์ฆํ•œ๋‹ค.
  • ๊ณต๊ฒฉ์ž๊ฐ€ ๊ฒ€์ฆ๋œ ์ด๋ฉ”์ผ์„ victim@test.com์œผ๋กœ ๋ณ€๊ฒฝํ•œ๋‹ค(์ด๋ฉ”์ผ ๋ณ€๊ฒฝ์— ๋Œ€ํ•œ ์ถ”๊ฐ€ ๊ฒ€์ฆ ์—†์Œ)
  • ์ด์ œ ์‚ฌ์ดํŠธ๋Š” victim@test.com์œผ๋กœ ๋กœ๊ทธ์ธ์„ ํ—ˆ์šฉํ•˜๋ฉฐ ํ”ผํ•ด์ž์˜ ์ด๋ฉ”์ผ ๊ฒ€์ฆ์„ ์šฐํšŒํ•˜๊ฒŒ ๋œ๋‹ค.

Old Cookies

As explained in this post, it was possible to log in to an account, save the cookies as an authenticated user, log out and then log in again.
With the new login, although different cookies might be generated, the old ones started working again.

Trusted device cookies + batch API leakage

๋ณต๊ตฌ๋ฅผ ์™„ํ™”ํ•˜๋Š” ์žฅ๊ธฐ ์œ ์ง€ ์žฅ์น˜ ์‹๋ณ„์ž(long-lived device identifiers)๋Š” batch API๊ฐ€ ์ฝ์„ ์ˆ˜ ์—†๋Š” ํ•˜์œ„ ์‘๋‹ต์„ ์“ฐ๊ธฐ ๊ฐ€๋Šฅํ•œ ์‹ฑํฌ๋กœ ๋ณต์‚ฌํ•˜๊ฒŒ ํ—ˆ์šฉํ•  ๋•Œ ๋„๋‚œ๋  ์ˆ˜ ์žˆ๋‹ค.

  • ๋ณต๊ตฌ ์ฒดํฌ๋ฅผ ์™„ํ™”ํ•˜๋Š” ๋ฐ ์‚ฌ์šฉ๋˜๋Š” trusted-device cookie (SameSite=None, long-lived)๋ฅผ ์‹๋ณ„ํ•œ๋‹ค.
  • ํ•ด๋‹น ์žฅ์น˜ ID๋ฅผ JSON์œผ๋กœ ๋ฐ˜ํ™˜ํ•˜์ง€๋งŒ(์˜ˆ: OAuth code ๊ตํ™˜์ด machine_id๋ฅผ ๋ฐ˜ํ™˜) cross-origin์—์„œ ์ฝ์„ ์ˆ˜ ์—†๋Š” first-party endpoint๋ฅผ ์ฐพ๋Š”๋‹ค.
  • ์ด์ „ ํ•˜์œ„์‘๋‹ต์„ ์ฐธ์กฐ({result=name:$.path})ํ•˜๊ณ  ์ด๋ฅผ ๊ณต๊ฒฉ์ž์—๊ฒŒ ๋ณด์ด๋Š” ์‹ฑํฌ(ํŽ˜์ด์ง€ post, upload-by-URL ๋“ฑ)์— ์“ธ ์ˆ˜ ์žˆ๊ฒŒ ํ•˜๋Š” batch/chained API๋ฅผ ์ด์šฉํ•œ๋‹ค. Example with Facebook Graph API:
POST https://graph.facebook.com/
batch=[
{"method":"post","omit_response_on_success":0,"relative_url":"/oauth/access_token?client_id=APP_ID%26redirect_uri=REDIRECT_URI","body":"code=SINGLE_USE_CODE","name":"leaker"},
{"method":"post","relative_url":"PAGE_ID/posts","body":"message={result=leaker:$.machine_id}"}
]
access_token=PAGE_ACCESS_TOKEN&method=post

  • Load the batch URL in a hidden <iframe> so that the victim's browser sends the trusted-device cookie; the JSON-path reference copies machine_id into the attacker-controlled post even though the page cannot read the OAuth response.
  • Replay: set the stolen device cookie in a new session. Recovery now treats the browser as trusted, which often exposes weaker "no email/phone" flows (e.g. automated document upload) and lets the attacker add their own email without the password or 2FA.
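The leak mechanic, as an added example that is not Graph API code: a toy Python batch executor using the same {result=name:$.field} reference syntax, showing how a sub-response gated on the victim's ambient cookie flows into a sub-request the attacker can read back, and one isolation rule (sub-requests never inherit browser cookies, only the batch's explicit access token) that closes the channel. The cookie value, machine_id, token, route behaviour and the isolation rule are all assumptions made here; the real vendor fix is not described on the page.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Added example, not Graph API code: a toy batch executor with the page's
# "{result=name:$.field}" reference syntax.  Cookie value, machine_id, token
# and route behaviour are constructed.

TRUSTED_DEVICE_COOKIE = "device=TRUSTED-DEVICE-ID-123"
REF = re.compile(r"\{result=(\w+):\$\.(\w+)\}")


def oauth_code_exchange(auth, form):
    """Stand-in for /oauth/access_token: the response carries the device id
    only when the browser's long-lived trusted-device cookie arrived with it."""
    if auth.get("cookie") == TRUSTED_DEVICE_COOKIE and form.get("code"):
        return {"access_token": "tok-constructed", "machine_id": "machine-7f3a"}
    return {"error": "invalid code or untrusted device"}


def page_post(auth, form):
    """Stand-in for /PAGE_ID/posts: written with the attacker's page token and
    readable by the attacker afterwards."""
    if auth.get("token") != "PAGE_ACCESS_TOKEN":
        return {"error": "unauthorized"}
    return {"id": "post_1", "message": form.get("message", "")}


def route(relative_url):
    path = urlsplit(relative_url).path
    if path.startswith("/oauth/access_token"):
        return oauth_code_exchange
    if path.endswith("/posts"):
        return page_post
    raise KeyError(path)


def resolve_refs(form, results):
    """Replace {result=name:$.field} with that field of an earlier named sub-response."""
    def lookup(m):
        return str(results.get(m.group(1), {}).get(m.group(2), ""))
    return {k: REF.sub(lookup, v) for k, v in form.items()}


def run_batch(batch, ambient_cookie, access_token, forward_cookies=True):
    """forward_cookies=True is the leaky behaviour: each sub-request inherits the
    browser's cookie jar.  With False, sub-requests see only the explicit token,
    so a response that depends on the cookie can never be referenced."""
    results, responses = {}, []
    for call in batch:
        form = resolve_refs(dict(parse_qsl(call.get("body", ""))), results)
        auth = {"token": access_token,
                "cookie": ambient_cookie if forward_cookies else None}
        resp = route(call["relative_url"])(auth, form)
        if "name" in call:
            results[call["name"]] = resp
        responses.append(resp)
    return responses


# The two sub-requests from the page's batch.
BATCH = [
    {"method": "post", "name": "leaker",
     "relative_url": "/oauth/access_token?client_id=APP_ID&redirect_uri=REDIRECT_URI",
     "body": "code=SINGLE_USE_CODE"},
    {"method": "post", "relative_url": "PAGE_ID/posts",
     "body": "message={result=leaker:$.machine_id}"},
]


def leaked_machine_id(forward_cookies=True):
    """The victim's browser loads the batch URL in a hidden iframe, so the
    trusted-device cookie rides along while the attacker supplies the page
    token.  Returns whatever ended up in the attacker-readable post."""
    responses = run_batch(BATCH, TRUSTED_DEVICE_COOKIE, "PAGE_ACCESS_TOKEN", forward_cookies)
    return responses[1].get("message")


if __name__ == "__main__":
    print("cookies forwarded to sub-requests ->", repr(leaked_machine_id(True)))
    print("sub-requests isolated from cookies ->", repr(leaked_machine_id(False)))
```

The post is the only thing the attacker ever reads; the OAuth response itself never crosses the origin boundary, which is why the usual cross-origin read protections do not fire.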

์ฐธ๊ณ ์ž๋ฃŒ

Tip

AWS ํ•ดํ‚น ๋ฐฐ์šฐ๊ธฐ ๋ฐ ์—ฐ์Šตํ•˜๊ธฐ:HackTricks Training AWS Red Team Expert (ARTE)
GCP ํ•ดํ‚น ๋ฐฐ์šฐ๊ธฐ ๋ฐ ์—ฐ์Šตํ•˜๊ธฐ: HackTricks Training GCP Red Team Expert (GRTE) Azure ํ•ดํ‚น ๋ฐฐ์šฐ๊ธฐ ๋ฐ ์—ฐ์Šตํ•˜๊ธฐ: HackTricks Training Azure Red Team Expert (AzRTE)

HackTricks ์ง€์›ํ•˜๊ธฐ