Complete account takeover in one of the largest e-commerce companies
Hi all,
Today I want to share my experience of discovering an account takeover (ATO) vulnerability using password reset link poisoning. While participating in a program that reaches millions of users – a large e-commerce company that I will call redacted.com – I was testing authentication features and came across the “Password Reset Request” feature. This feature prompts users to enter their email address to receive a password reset link.
When I started researching this program, I was at the airport waiting for a flight. Having some free time, I decided to delve into the security issues of the program. If only I had known that this informal testing session would lead to an important discovery! :))
Let's start our story: SQL injection
Since the form takes an email parameter, the server almost certainly uses that value in a database query, which makes the email parameter the natural first place to test for SQL injection vulnerabilities.
Command to perform testing using SQLMap:
sqlmap -r testsql --dbs --tamper=space2comment,space2morehash --batch
Brute force parameters:
During testing, an interesting detail caught my attention: all parameters in the request body began with the dwfrm_requestpassword prefix. This unique prefix made me curious, and I thought, “What if I tried to iterate through these parameters in one query?” This prompted me to experiment to see if manipulating parameters could lead to unexpected behavior or reveal potential vulnerabilities.
First I downloaded the list of parameters from the Arjun database from the following link: https://raw.githubusercontent.com/s0md3v/Arjun/refs/heads/master/arjun/db/large.txt. I then opened this list in Sublime Text to start customizing it to suit my testing approach.
After opening the list of options in Sublime Text, I used a replacement regular expression to add the dwfrm_requestpassword_ prefix to the beginning of each line. To do this, I used the ^ character to indicate the beginning of the line and added this prefix. I also added =evil at the end of each parameter, using the $ symbol to indicate the end of the line, as shown in the screenshot. This setup allows me to test different combinations of parameters with a common prefix and suffix, which can potentially reveal interesting behavioral features of the system.
I copied all the changed parameters from Sublime Text and pasted them line by line into the Repeater tool in Burp Suite. I then clicked “Change Body Encoding” to ensure that the parameters were formatted correctly for the request. This setup allowed me to systematically test each setting in Burp, making it easier to analyze responses and check for unusual behavior or vulnerabilities.
After sending the modified requests to Burp and analyzing the responses, I received an email with a link to reset my password. To my surprise, the link contained my custom path /evil. I then filtered and tested various parameters and ultimately found that the vulnerable parameter was dwfrm_requestpassword_return. This option allowed me to inject custom values into the reset link, revealing a potential open redirect or injection vulnerability.
I changed the value of the vulnerable parameter dwfrm_requestpassword_return to my Burp Collaborator link and sent the modified reset link to the victim. As you can see, when the victim clicks on this “magic link”, instead of simply logging in, they are redirected to my Collaborator server. This setup allows me to capture the victim's credentials or session information, demonstrating a potential open redirect or credential theft vulnerability.
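The root cause above is a reset-link builder that splices a client-supplied return value into the link. The following added example (hypothetical helper code, not the affected site's implementation; the SITE_ORIGIN and token values are constructed) shows that weak pattern next to a hardened version that only accepts a site-local path read from the page's dwfrm_requestpassword_return parameter:

```python
"""Password-reset link construction: the weak form beside the hardened form.

Hypothetical helper code, not from the affected site; the parameter name follows
the page, while SITE_ORIGIN and the token are constructed placeholders.
"""
from typing import Optional
from urllib.parse import urljoin, urlsplit, urlencode

SITE_ORIGIN = "https://shop.example"          # constructed placeholder origin
RESET_PATH = "/account/password/reset"


def build_reset_link_vulnerable(token: str, return_to: str) -> str:
    """Weak: trusts the client-supplied return value when assembling the link.

    urljoin() resolves a scheme-relative or absolute value against the origin,
    so '//attacker.example' or 'https://attacker.example' yields a link that
    leaves the site entirely, with the reset token attached to it."""
    target = urljoin(SITE_ORIGIN + RESET_PATH, return_to)
    return f"{target}?{urlencode({'token': token})}"


def safe_return_path(return_to: Optional[str], default: str = "/account") -> str:
    """Allow only a site-local path: single leading slash, no scheme, no host,
    no backslash or CR/LF (browsers treat '/\\' much like '//')."""
    if not return_to:
        return default
    parts = urlsplit(return_to)
    if parts.scheme or parts.netloc:
        return default                       # absolute URL or '//host' form
    if not return_to.startswith("/") or return_to.startswith("//"):
        return default
    if any(ch in return_to for ch in ("\\", "\r", "\n")):
        return default
    return parts.path                        # drop any client-supplied query/fragment


def build_reset_link_hardened(token: str, return_to: Optional[str]) -> str:
    """Hardened: the link host and path are fixed; the validated return path
    travels as a percent-encoded query value instead of being spliced in."""
    query = urlencode({"token": token, "return": safe_return_path(return_to)})
    return f"{SITE_ORIGIN}{RESET_PATH}?{query}"


def reset_link_for_request(form: dict, token: str) -> str:
    """Handler fragment: reads the page's parameter name from the submitted
    form body and builds only the hardened link."""
    return build_reset_link_hardened(token, form.get("dwfrm_requestpassword_return"))
```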