Full account takeover(AT0)-A tale of two bugs

2 min readFeb 10, 2022


I willl collect some ideas

Cre:Full Account takeover (ATO) — a tale of two bugs 🐛 | by Kwadwo Amoako | Feb, 2022 | Medium

  1. An account takeover (ATO) is when an attacker gains access to the data

2. An API base Insercure Direct Object Reference (IDOR) , which occurs when an application axposes a reference to an internal implementation object

  • In this attack, I intercepted and changed my ID in the body of the Post request (POST xyz..com/Account?handler=GetUserData) .After sending the request , I ogot the data of the victim as seen in firgure1

Next bug : Now Let’s take a look at the block code (figure 2) which I found on the “User Account” page and try to figure out the next line

In figure 2 , we see a copy of the current usr’s session on the browser . The seesions contains the user’s Id , rights, and permission . These values are subsequenly sent back to the API services for data, in the name of the current user.

Leveragin on the information provided in the first bug, as seen in Figure 1.

Sorry for my laziness. I have to find my motivation again :))