Full account takeover (ATO) - A tale of two bugs
I will collect some ideas.
- An account takeover (ATO) is when an attacker gains unauthorized access to a victim's account and the data in it.
- An API-based Insecure Direct Object Reference (IDOR), which occurs when an application exposes a reference to an internal implementation object (here, a user ID) and acts on it without checking that the caller is allowed to access that object.
- In this attack, I intercepted the POST request (POST xyz..com/Account?handler=GetUserData) and changed my ID in the body. After sending the request, I got the victim's data, as seen in Figure 1.
Next bug: now let's take a look at the block of code (Figure 2) which I found on the "User Account" page and try to figure out the next line.
In Figure 2, we see a copy of the current user's session in the browser. The session contains the user's ID, rights, and permissions. These values are subsequently sent back to the API services when requesting data in the name of the current user.
Leveraging the information obtained from the first bug, as seen in Figure 1.
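To make the two bugs concrete, here is an added example (my own code, not the code from the write-up or the target application) that models the GetUserData handler twice: once trusting the ID in the POST body, which is the IDOR from Figure 1, and once resolving the subject from the server-side session and ignoring any client-supplied ID, rights or permissions, which is the fix for both bugs. The user records, session tokens, function names and status codes are constructed assumptions for illustration.

```python
# Added example, not from the original post: a minimal model of the
# GetUserData handler, vulnerable and hardened. All data below is
# constructed (assumed user records and session tokens).

from dataclasses import dataclass
from typing import Optional

# Constructed sample data: two users and their server-side sessions.
USERS = {
    101: {"id": 101, "name": "alice", "email": "alice@example.com", "rights": "user"},
    202: {"id": 202, "name": "bob", "email": "bob@example.com", "rights": "admin"},
}
SESSIONS = {"sess-alice": 101, "sess-bob": 202}  # session token -> authenticated user id


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def _authenticated_user(session_token: str) -> Optional[int]:
    """Resolve the caller from the server-side session store (None if invalid)."""
    return SESSIONS.get(session_token)


def get_user_data_vulnerable(session_token: str, post_body: dict) -> Response:
    """The IDOR: the caller is authenticated, but the record returned is chosen
    by the client-controlled 'id' field, so any logged-in user can read anyone."""
    if _authenticated_user(session_token) is None:
        return Response(401)
    try:
        requested_id = int(post_body.get("id", ""))
    except ValueError:
        return Response(400)
    record = USERS.get(requested_id)
    return Response(200, record) if record else Response(404)


def get_user_data_fixed(session_token: str, post_body: dict) -> Response:
    """Hardened: the subject is the session's user. A body 'id' is accepted only
    when it matches the session, and client-supplied 'rights' or 'permissions'
    fields are never consulted; authorization data comes from the server record."""
    current_uid = _authenticated_user(session_token)
    if current_uid is None:
        return Response(401)
    if "id" in post_body:
        try:
            requested_id = int(post_body["id"])
        except ValueError:
            return Response(400)
        if requested_id != current_uid:
            # Worth logging: a mismatch here is exactly the tampering from Figure 1.
            return Response(403)
    # Rights/permissions come from the server-side record, never from the body.
    return Response(200, USERS[current_uid])


if __name__ == "__main__":
    tampered = {"id": "202", "rights": "admin"}  # alice's session, bob's id in the body
    print(get_user_data_vulnerable("sess-alice", tampered).body)  # bob's record leaks
    print(get_user_data_fixed("sess-alice", tampered).status)     # 403
```

The point of the hardened version is that the browser-side copy of the session from Figure 2 becomes harmless: whatever ID, rights or permissions the client sends back, the API only ever acts on what its own session store says about the caller.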
Sorry for my laziness. I have to find my motivation again :))