Bypassing the one-time password (OTP) check on Razer's official website

Hello everyone, I'm @dhakal_ananda from Nepal. I took part in Razer's vulnerability reward program on HackerOne. The program started out as a private one; I received an invitation but did not take part at the time. Later it became a public program, and that is when it started to interest me.

When hunting for bugs, I prefer bypassing security features (such as two-factor verification) to digging for common XSS and SQL injection vulnerabilities, so I soon started trying to bypass the one-time password, since it is prompted for every time a sensitive operation is performed.


After several tests, I found that the target application uses a long token to mark that the one-time password has been entered. This token is only issued after a valid one-time password has been entered.

So what could be done to bypass either the one-time password or the token? I quickly wondered whether the token is shared between different users, so I simply tried it, and it turned out to work.

Steps to reproduce

  1. Log in to the attacker's account.
  2. Go to https://razerid.razer.com/account and change the e-mail address.
  3. A dialog box pops up prompting for the one-time password.
  4. Enter a valid one-time password, then use BurpSuite to intercept the final change-email request.
  5. Send the request to the Repeater in BurpSuite.
  6. Now log in to the victim's account (assuming you have the victim's account password).
  7. Change the name and intercept the corresponding request.
  8. Copy the user_id and user_token from that request and save them to a file.
  9. Go back to the intercepted change-email request of the attacker's account in BurpSuite and replace its user_id and user_token with the victim's user_id and user_token (the user_token is not the same token as the one generated by the one-time password).
  10. Finally, submit the modified request; the victim's account e-mail address is now the e-mail address controlled by the attacker.

POST /api/emily/7/user-security/post HTTP/1.1
Host: razerid.razer.com
Connection: close
Content-Length: 260
Accept: application/json, text/plain, */*
Origin: https://razerid.razer.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36
DNT: 1
Sec-Fetch-Mode: cors
Content-Type: application/json;charset=UTF-8
Sec-Fetch-Site: same-origin
Referer: https://razerid.razer.com/account/email
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: ...
{"data":"user_iduser_tokenotp_token_value_hereattacker-email@example.comadd10060"}

It should be noted that, in the interaction with the Razer website, three fields are related to authentication: user_id, user_token and OTP_token. Of these, OTP_token can only be obtained after the one-time password has been entered. The Razer site lacked an ownership check tying OTP_token to the account it was issued for; it only verified that the token was valid, so any account could use another account's OTP_token to bypass the one-time password check.
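To make the root cause concrete, here is an added example in Python (mine, not Razer's code or the author's): a constructed in-memory OTP_token store with the flawed existence-only check beside a check that binds the token to the user_id it was issued to, expires it, and consumes it on use. The simulate() function, account names and e-mail addresses are made up for illustration.

```python
import secrets
import time

# Constructed illustration, not Razer's code: the reported flaw (token
# checked for existence only) next to a check bound to the issuing account.


class OtpTokenStore:
    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self._tokens = {}  # otp_token -> (user_id, issued_at)

    def issue(self, user_id, now=None):
        """Issue an OTP_token once the user has entered a correct OTP."""
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user_id, time.time() if now is None else now)
        return token

    def verify_weak(self, user_id, token):
        """Flawed check: the token's owner is never consulted, so any
        account can present any live token (the bug in the report)."""
        return token in self._tokens

    def verify_bound(self, user_id, token, now=None):
        """Hardened check: token must exist, be unexpired and belong to
        user_id; it is consumed so it cannot be replayed."""
        entry = self._tokens.get(token)
        if entry is None:
            return False
        owner, issued_at = entry
        if (time.time() if now is None else now) - issued_at > self.ttl:
            self._tokens.pop(token, None)
            return False
        if owner != user_id:
            return False
        self._tokens.pop(token, None)  # single use
        return True


def simulate(strict):
    """Replay the report's scenario: the token was issued to 'attacker'
    but is submitted with the victim's user_id. Returns (accepted, email)."""
    accounts = {"attacker": "a@example.com", "victim": "v@example.com"}
    store = OtpTokenStore()
    token = store.issue("attacker")  # attacker completes the OTP step
    verify = store.verify_bound if strict else store.verify_weak
    if verify("victim", token):
        accounts["victim"] = accounts["attacker"]
    return accounts["victim"] == accounts["attacker"], accounts["victim"]
```

With strict=False the victim's address is overwritten, reproducing the report; with strict=True the mismatched user_id is rejected.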

I wrote a very detailed report and submitted it to Razer, but Razer's reviewer actually thought this vulnerability required physical access to the victim's machine?


After a long back-and-forth, Razer said they would provide a test account, and if I could change the e-mail address bound to that account they would accept my vulnerability.

I quickly bound that account to my own e-mail address. Razer eventually awarded me a $1000 bounty for the vulnerability.

After this experience I found another one-time password bypass vulnerability, which will be published after Razer fixes it.

This article was compiled and translated by 白帽汇 and does not represent any view or position of 白帽汇.

Source: https://nosec.org/home/detail/3056.html

Original: https://medium.com/@anandadhakal13/how-i-was-able-to-bypass-otp-token-requirement-in-razer-the-story-of-a-critical-bug-fc63a94ad572

Origin: www.cnblogs.com/wjw-zm/p/11823717.html