Account Takeover - Smoking with ‘null’

Hello everyone, I want to share one of my recent findings, for which I was paid $50 because that was the highest amount the program was offering: an account takeover using the JSON null value.

Summary:

A few days back I was hunting on a program that had a normal signup option, but when logging into the application I had two different options:

  1. Login with Password
  2. Login with Token

So I chose "Login with Token" and, as expected, a token was sent to my email. At first I tried parameter pollution on the token request, but it failed. After reading about the JSON data types I came across the null value.

What is the null value in JSON?

In JSON, null is a literal (written without quotes, so it is not the string "null") that means "no value". Server-side parsers map it to the language's own empty value: None in Python, null in Java or JavaScript, nil in Go. A server that compares the submitted token to a stored token without first checking that both are present can therefore end up comparing null with null, which is a match. That is my assumption about the cause; the program only showed me the result.

So I captured the login request in which the token has to be submitted, sent it to Burp Repeater, changed the value of the token parameter to the JSON literal null, and got a successful login.

I then thought of taking over an account, so I went further and first tried to sign up using the company's support email; as expected, that account already existed. So I went to the login function > chose the token option > captured the request in Burp > sent it to Repeater > set the token parameter to null, and got a successful login to the support account.

How I found this vulnerability

1. I went to the signup page and registered myself.
Signup Page
Signup Request

2. Then I captured the request of the login page where the token is required and changed the value of the token parameter to null, e.g. {"token":null}

Login Request

Here you can see I got a successful login.

3. Next I tried to sign up with the company's support email, but it was already registered, so I chose the "Login with Token" option for that address, sent null as the token again, and took over the company's support account.

Account Takeover

→ Points to Remember

  1. You can try injecting a null value where a CSRF token is passed, to bypass it
  2. You can try injecting a null value where an OTP is required for login
  3. You can try injecting a null value where 2FA is required

In all three cases the server compares a client-supplied secret with a stored value, so the check is worth repeating with the parameter set to null, left out entirely, and set to an empty string; each of these reaches the comparison as a different value.
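As an added example (my own illustration, not the author's code and not the target program's), here is a small Python simulation of why a JSON null can satisfy a token check and how the check should be written. It serves both the null-token login described above and the CSRF/OTP/2FA points in this list, since each is a client-supplied secret compared against a stored value that may itself be empty. The user store, the field names, the e-mail addresses, the exact buggy comparison and the hardened version are all assumptions: the post shows only that null was accepted, not the server's code.

```python
import hmac
import json

# Constructed user store (assumption, not the real application's data model).
# The support account never requested a login token, so its pending token is
# None: the state a null-token login can match.
USERS = {
    "attacker@example.com": {"pending_token": "7Fq2x9"},  # token e-mailed to the tester
    "support@example.com": {"pending_token": None},       # no token ever issued
}


def parse_login(body: str) -> dict:
    """json.loads maps the JSON literal null to Python None.
    The JSON string "null" stays a str and is a different value."""
    return json.loads(body)


def verify_vulnerable(email: str, body: str, users: dict = USERS) -> bool:
    """Assumed bug pattern: bare equality with no presence or type check.
    None == None is True, so {"token": null} logs into any account whose
    pending token is None, and a missing key (dict.get -> None) does the same."""
    user = users.get(email)
    if user is None:
        return False
    submitted = parse_login(body).get("token")
    return submitted == user["pending_token"]


def verify_fixed(email: str, body: str, users: dict = USERS) -> bool:
    """Hardened check: a token must have been issued, the client must send a
    non-empty string, the comparison is constant-time, and a used token is
    invalidated so it cannot be replayed."""
    user = users.get(email)
    if user is None:
        return False
    expected = user["pending_token"]
    if not isinstance(expected, str) or not expected:
        return False  # nothing was issued, so nothing can match
    submitted = parse_login(body).get("token")
    if not isinstance(submitted, str) or not submitted:
        return False  # null, absent key, "", numbers, lists: all rejected
    ok = hmac.compare_digest(submitted, expected)
    if ok:
        user["pending_token"] = None  # one-time use
    return ok


# Constructed request bodies a tester sends once the real token is unavailable.
BYPASS_BODIES = [
    '{"token": null}',    # JSON null
    '{}',                 # key absent; .get() also yields None
    '{"token": ""}',      # empty string
    '{"token": "null"}',  # the string "null", not the literal
]


def accepted_bypasses(email: str, verifier, users: dict = USERS) -> list:
    """Return the bodies `verifier` accepts for `email` without the real token."""
    return [b for b in BYPASS_BODIES if verifier(email, b, users)]


if __name__ == "__main__":
    for name, v in (("vulnerable", verify_vulnerable), ("fixed", verify_fixed)):
        print(name, "accepts for support:", accepted_bypasses("support@example.com", v))
```

Run as a script it lists which bodies each verifier accepts for the support account: the vulnerable check accepts both the null literal and the request with the key left out, while the hardened check accepts none of them. The string "null" is rejected by both, which is why the literal, not a quoted string, has to be sent from Repeater.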

|Penetration Tester| |Hack The Box| |Digital Forensics| |Malware Analysis|

Jerry Shah (Jerry)