Account Takeover - Smoking with ‘null’

Hello everyone I want to share one of my recent findings for which I was paid $50 because it was the highest amount they were offering. I found an interesting account takeover using JSON null value.

Summary :

Few days back I was hunting on a program where there was a normal option of signup but while logging into the application I was having two different options :

  1. Login with Password
  2. Login with Token

So I chose “Login with Token” and as a normal behaviour a token was sent to my email. At first I tried parameter pollution but it failed, so after reading some of the JSON data types I came to know about a null value in JSON data types.

What is null value in JSON data types ?

https://www.ibm.com/support/knowledgecenter/SS8JB4_19.x/com.ibm.wbpm.wid.integ.doc/topics/rjsonnullunsempprops.html

So I capture the login request where a token needs to be entered for a successful login and sent it to burp repeater. Then I simply changed the value of the token parameter to null and got a successful login.

I thought of taking over an account of support@comany.com so I went further and tried to signup using the support email at first but as usual the account was already created, so I went to login function > chose the option of token > captured the request using burp > sent it to repeater > entered the value null in token parameter and got a successful login.

How I found this vulnerability ?

  1. I went to a signup page and registered my self
Signup Page
Signup Request

2. Then I captured the request of the login page where you need a token and changed the value of token parameter to null eg. {“token”:null}

Login Request

Here you can see I got a successful login.

3. Now I checked for the support@company.com email but it was already registered so I chose the “Login with Token” option and took over the company’s support account.

Account Takeover

→ Points to Remember

  1. You can try injection null value where a csrf token is passed to bypass it
  2. You can try injection null value where an OTP is required for login
  3. You can try injection null value where 2FA is required

|Penetration Tester| |Hack The Box| |Digital Forensics| |Malware Analysis|