Account Takeover - Smoking with ‘null’

Hello everyone, I want to share one of my recent findings, for which I was paid $50 because that was the highest amount the program was offering. I found an interesting account takeover using the JSON null value.

Summary:

A few days back I was hunting on a program that had a normal signup option, but when logging into the application I had two different options:

  1. Login with Password
  2. Login with Token

So I chose “Login with Token” and, as expected, a token was sent to my email. At first I tried parameter pollution, but it failed, so after reading about the JSON data types I came to know about the null value.

What is the null value in JSON data types?

https://www.ibm.com/support/knowledgecenter/SS8JB4_19.x/com.ibm.wbpm.wid.integ.doc/topics/rjsonnullunsempprops.html

So I captured the login request where the token needs to be entered for a successful login and sent it to Burp Repeater. Then I simply changed the value of the token parameter to null and got a successful login.

I thought of taking over the account of support@company.com, so I went further and first tried to sign up using the support email, but as usual the account was already created. So I went to the login function > chose the token option > captured the request using Burp > sent it to Repeater > entered the value null in the token parameter and got a successful login.

How I found this vulnerability

1. I went to a signup page and registered myself
Signup Page
Signup Request

2. Then I captured the request of the login page where you need a token and changed the value of the token parameter to null, e.g. {"token":null}

Login Request

Here you can see I got a successful login.

3. Now I checked for the support@company.com email, but it was already registered, so I chose the “Login with Token” option and took over the company’s support account.

Account Takeover

→ Points to Remember

  1. You can try injecting a null value where a CSRF token is passed to bypass it

|Penetration Tester| |Hack The Box| |Digital Forensics| |Malware Analysis|

Jerry Shah (Jerry)