thehackerish

Helping people become better ethical hackers
Tag: account takeover

Posted on December 17, 2020 (updated December 18, 2020)

The best hacking books for ethical hackers

Hello Ethical Hackers! Today I share with you the best hacking books I enjoyed reading since the beginning of my career in Information Security! I will constantly update the list as I read more, but you already have enough hacking books to get you started in the information security industry. It also contains some advanced hacking books for those who want to level up their hacking skills.

This content uses referral links. You can choose to support me while I continue delivering more and more hacking content. With that said, let’s dive right into the first hacking book!

Web Hacking 101: How to make money hacking ethically

Web Hacking 101 hacking book

This is a hacking book for bug bounty hunters. Peter Yaworski introduces bug bounty hunting to beginners and pragmatically explains the different vulnerabilities. For each vulnerability, he gives examples of reports from HackerOne’s Hacktivity, which is where HackerOne’s bug bounty reports get published and which I talked about in a previous episode. At the end of the book, he shares a bug bounty methodology using well-known tools.

It is the first hacking book I read when I started doing bug bounty hunting. You can get a free copy when you register an account on HackerOne. You can read it in one day! If you are a beginner in the bug bounty field, give it a try. You won’t be disappointed!

The Basics of Hacking and Penetration Testing

The Basics of Hacking and Penetration Testing

This is the first hacking book I have ever read about penetration testing, and boy was it helpful! If you have limited knowledge and want to kickstart your hacking skills, this is a must-read. I had practically zero knowledge of ethical hacking and penetration testing, but this hacking book opened my eyes wide!

It teaches penetration testing as a methodical approach, explaining one step at a time. During each phase, you will learn the different concepts, tools and techniques that every penetration tester uses in real-life engagements.

Hacking: The Art of Exploitation, 2nd Edition

Hacking: The Art of Exploitation is one of my favorite hacking books

If you want to learn and practice low-level programming and the exploitation of buffer overflow vulnerabilities, this book is for you! I remember tackling the buffer overflow challenges on root-me, and this book gave me a strong boost! I was able to easily understand how they work, what protections usually mitigate them and how those mitigations get bypassed as well!

It starts easy and covers programming in C and bash scripting. It explains various communication protocols and how to interact with them. But the meat of the book is buffer overflows. The author has great teaching skills that will make you understand the concepts behind buffer overflows before you know it! The book illustrates them with simple examples that you can replicate using the Live CD that comes with it.

Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker

Ghost in the Wires

When I had barely started exploring the world of hacking, I came across Kevin Mitnick, dubbed “The Most Wanted Hacker”! I wanted to know how he earned that fame, so I read this book, which is an autobiography. Throughout the thrilling chapters, Kevin Mitnick tries to rehabilitate his image by explaining the details of his hacking journey. They include why and how he hacked many companies, how he monitored the FBI agents who followed him, how he hacked the prison’s phone system and how he faked his identity many times.

It’s not a hacking book in the sense that it doesn’t teach technical concepts, but it is a great read full of thrilling moments if you want to explore the inner workings of a hacker mindset. Plus, the reader will learn why hacking outside the law can be troublesome!

The Web Application Hacker’s Handbook

The bible of web application hacking books

This hacking book is the bible of web application hacking. If you seriously want to learn how to hack web applications, this book is a must. I read it two times, and let me tell you that it’s so heavy! It presents different angles to attack every web application. Throughout the book, the authors illustrate real-world examples, present different payloads and explain the hacking concepts in a very detailed way. From application mapping to business logic errors, you will learn it all! I suggest you take the time to read and grasp each chapter. Also, take notes while reading, as they will help you remember where each topic is located when you want to revisit it. And trust me, you will have to revisit it!

The Art of Intrusion

The Art of Intrusion hacking book

This is another hacking book by Kevin Mitnick, in which he narrates some mind-blowing hacking stories! If you want to explore how creative hackers can get and how far they can go, then this is a must-read! I read it two times because it is so entertaining, educating and thrilling at the same time.

Perhaps the most epic stories I enjoyed reading were the casino jackpot hack and the theft of a huge piece of software from the outside. Both stories contain so many creative ways of breaking into a system, but I won’t spoil them for you! Give it a read and tell me which stories you enjoyed the most.

How to Hack Like a PORNSTAR: A step by step process for breaking into a BANK

One of the best hacking books for Red Team operations

This hacking book covers many hacking tactics used by cybercriminals, but also by advanced ethical hackers during an engagement, especially red team ones, which have a wider scope and allow ethical hackers more freedom to simulate advanced attacks.

I liked the fact that it draws different scenarios for attacking a fictitious bank, which greatly increases its content value. It breaches the perimeter both through a phishing campaign and by hacking the external servers. To add more value, it starts with the tactics you can perform to stay anonymous. When I read this hacking book, I immediately remembered the software story from The Art of Intrusion I mentioned earlier. Only this time, I was witnessing the hack from a very technical perspective.

Throughout this awesome hacking book, you will get to learn the thinking process of a determined hacker as he or she slowly, but surely, infiltrates a fictitious bank’s IT infrastructure. You will also discover the different hacking tools that can be used in each phase of the engagement.

How to hack like a God

How to hack like a God is a hacking book for red team operators and serious penetration testers

If you enjoyed reading the previous book, How to hack like a P***star, I bet you will have already read this one! If you didn’t, here is my experience with the book.

The narrator walks you through the journey of hacking a fictitious fashion company, from no access to full control.

This time, instead of breaching the DMZ remotely, the hacker implants a malicious Raspberry Pi in one of the stores. Once he connects to it from the front gun server, he uses multiple techniques to escalate his privileges and take control of the domain hosting the store. From there, he abuses domain trusts to expand his presence, eventually taking full control of the entire company and exfiltrating sensitive data from the mainframe.

Throughout the entire journey, you get to see exactly how the hack is planned and executed, down to the technical details and the code snippets, without compromising the thrilling part of the plot.

If you enjoy reading novels and you want to step up your hacking game, this is a must-read!

How to Hack Like a Ghost: A detailed account of a breach to remember

A great hacking story that you must read

Continuing with this amazing saga, the author describes how to hack a target through a partner by compromising the partner’s software. The scenario is similar to what happened in the SolarWinds hack.

The hacker walks through all the stages of the kill chain. During the process, he demonstrates how to bypass some advanced security protections such as Microsoft’s Advanced Threat Analytics, PowerShell script block logging and SIEM solutions.

It is very satisfying to see a full compromise of a target after a journey full of hurdles, frustration, determination and skill.

Posted on July 30, 2020

Account takeover: From zero to System Admin

Account takeover: From zero to Full System Admin without interaction

Hello ethical hackers! Today I share with you an account takeover I achieved during a recent penetration test of a web application. For those who don’t know what an account takeover is, there is a dedicated section for that. From there, I will explain how I enumerated all the endpoints. Then, I will walk you through the steps I took to gain access to the highest-privilege account. It is going to be a fun and rewarding episode, so stay with me until the end!

Account takeover definition

Account takeover happens when an attacker, with low or no privileges, can take control of another account without authorization. For example, you can find customer account takeover in e-commerce platforms or in any other service which manages user accounts.

Is account takeover a vulnerability?

I see account takeover qualified as a vulnerability. However, I don’t think this should be the case. I tend to describe it as the result of one or more vulnerabilities, just like a data breach can be the result of a SQL injection vulnerability.

Account takeover scenarios

Based on the distinction we have just drawn between a vulnerability and its outcome, many vulnerabilities can lead to account takeover. For example, you might have an open redirect vulnerability which leaks the user token upon login. In this scenario, an attacker can take over the victim’s account simply by getting the victim to click on a malicious link. There are many reports demonstrating account takeover on HackerOne’s Hacktivity, so make sure to check them out.

In the remainder of this episode, the scenario involves unauthenticated endpoints which, once combined, result in a full account takeover without user interaction.

Account takeover and JavaScript enumeration

The developers wanted to know what a public user could achieve with no prior access. I didn’t have login credentials, as it was a black-box penetration testing assignment. In such cases, I dive right into the JavaScript files, hoping to find API endpoints, hard-coded secrets, or even juicy comments. I like to use Chrome’s DevTools because it lists JavaScript files, beautifies them and searches for specific keywords across the entire code base. Besides, I can set breakpoints and track events to analyze how the application works from a client-side perspective.

Since this application had a separate front-end, I collected all the API endpoints. It is a tedious task, but it’s rewarding in the long run. I found many endpoints, but the most interesting ones were the user sign-up feature, password resetting based on the user identifier and account listing based on the user email. You will see why shortly!

Before account takeover

Before I found out how to achieve account takeover, I first tested the endpoints I had collected earlier. During application mapping, there was a registration form which returned an error. I thought maybe it was broken and I moved on. However, I now understand what was happening.

The debug interface

It turns out that the application sends a confirmation email to the user. However, the mail server was down. Besides, the sign-up requires approval from an employee. How did I know that? Well, I found a debugging portal on another port of the server which disclosed all the operations, including the back-end responses. One of them contained a mail server connection error, and another one returned the ID of the newly created user, which means that the user had been successfully created, but was not yet active.

Bypassing the approval step

If you recall, I mentioned earlier that I found a password reset API endpoint that uses the account ID. Guess what, I had the new user ID. So I quickly sent the request. To my surprise, the response was positive and I could now log in as the new user without approval from an internal employee! As a bonus, I had a limited admin role, which is not as powerful as the System Admin, but it was a good start to hunt for the ultimate account takeover. Sadly, the user identifiers were long and random, also known as UUIDs. Therefore, I needed a way to enumerate them.
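To make the two design flaws of that endpoint concrete (no proof of ownership, and no check that the account was ever approved), here is an added example in Python, not the tested application’s code: the reset-by-ID pattern described above next to a token-based flow that only serves active accounts. The in-memory user store, the OUTBOX standing in for the mail server and the token lifetime are assumptions.

```python
import hashlib, secrets, time

# Constructed in-memory store; the real application's data model is not on the page.
USERS = {
    "pending-id": {"email": "newuser@example.com", "active": False, "pw": ""},
    "sysadmin-id": {"email": "sysadmin@example.com", "active": True, "pw": ""},
}
RESET_TOKENS = {}   # sha256(token) -> (user_id, expiry); tokens are never stored raw
OUTBOX = []         # stands in for the mail server (assumed out-of-band channel)
TOKEN_TTL = 900     # seconds a reset token stays valid

def hash_password(pw):
    salt = secrets.token_bytes(16)
    return salt.hex() + ":" + hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000).hex()

def reset_password_vulnerable(user_id, new_password):
    # The pattern in the post: no authentication, no token and no check that the
    # account was ever approved, so anyone who learns an ID owns the account.
    user = USERS.get(user_id)
    if user is None:
        return False
    user["pw"] = hash_password(new_password)
    return True

def request_reset(email, now=None):
    # Hardened step 1: a short-lived token is issued only for active accounts and
    # sent out of band; the response is the same for unknown and pending emails.
    now = time.time() if now is None else now
    match = [(uid, u) for uid, u in USERS.items() if u["email"] == email]
    if not match or not match[0][1]["active"]:
        return False
    user_id, user = match[0]
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = (user_id, now + TOKEN_TTL)
    OUTBOX.append((user["email"], token))
    return True

def complete_reset(token, new_password, now=None):
    # Hardened step 2: the user ID comes from the server-side token record, never
    # from the request; the token is single use and expires.
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None:
        return False
    user_id, expiry = entry
    if now > expiry or not USERS[user_id]["active"]:
        return False
    USERS[user_id]["pw"] = hash_password(new_password)
    return True
```

With the hardened flow, a leaked user ID from a debug portal is worthless on its own, and a pending account cannot be activated by resetting its password; note that a down mail server then means no reset at all, which is the correct failure mode.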

Information disclosure to the rescue

When I logged in with the new user, I captured the traffic while doing the usual application mapping, and one endpoint caught my attention. It queries the back-end for an email and retrieves data which includes the user ID, among other Personally Identifiable Information (PII). This endpoint matched the one I had found during JavaScript enumeration. So now I needed prior knowledge of the victim’s email to achieve account takeover, or did I?

Inspecting the debugging portal revealed exhaustive details about this specific feature, including the SQL query, which happened to be using the LIKE operator in the WHERE clause. The SQL query resembled something along the lines of select email from user where email LIKE ?. Although there is no SQL injection, I could still use the percent character %, which returned every user in the database! A massive information disclosure!
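The point worth remembering here is that parameter binding stops SQL injection but does nothing about LIKE wildcards in the bound value. The following is an added example in Python with sqlite3, not the tested application’s code, with constructed sample rows: the lookup as the post describes it, an exact-match version, and an escaped version for the cases where a prefix search is genuinely needed.

```python
import sqlite3

# Constructed sample rows; the real application's schema and IDs are not on the page.
SAMPLE_USERS = [
    ("id-alice", "alice@example.com"),
    ("id-a_user", "a_user@example.com"),
    ("id-bob", "bob@example.com"),
    ("id-sysadmin", "sysadmin@example.com"),
]

def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id TEXT PRIMARY KEY, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO user VALUES (?, ?)", SAMPLE_USERS)
    return conn

def lookup_vulnerable(conn, email):
    # The query from the post. The value is bound, so there is no SQL injection,
    # but LIKE still treats % and _ inside the bound value as wildcards:
    # email="%" matches every row and dumps the whole table.
    return conn.execute("SELECT id, email FROM user WHERE email LIKE ?", (email,)).fetchall()

def lookup_hardened(conn, email):
    # An email lookup needs an exact match; = has no wildcard semantics at all.
    return conn.execute("SELECT id, email FROM user WHERE email = ?", (email,)).fetchall()

def escape_like(value, esc="\\"):
    # For the cases where a prefix search is genuinely wanted: neutralise the
    # wildcards in user input and declare the escape character to the database.
    return value.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")

def lookup_prefix_hardened(conn, prefix):
    pattern = escape_like(prefix) + "%"
    sql = "SELECT id, email FROM user WHERE email LIKE ? ESCAPE '\\'"
    return conn.execute(sql, (pattern,)).fetchall()
```

A quick check during code review or testing: send % and _ to any search parameter and compare the row count with an exact-value request; a difference means wildcards are reaching the database unescaped.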

System admin account takeover without interaction

We now have all the ingredients to get that System Admin account. As a matter of fact, I didn’t know there was one until I dumped the entire user table with that information disclosure vulnerability. I now had the System Admin ID, which I used to reset the password, thereby achieving full account takeover of the System Admin user.

In terms of impact, I essentially got full access to the application with the highest role possible, without any interaction from the victim.

Conclusion

Hopefully, you learned a trick or two on how to achieve account takeover during a black-box web application penetration test.

Account takeover is one of the biggest security flaws. Depending on the level of access, attackers can compromise the entire web application or even the whole infrastructure. If you are a developer, I hope you learned why you must always implement authentication and access control on privileged endpoints. Besides, I recommend you request a penetration test early in the development life cycle. That way, you will avoid design flaws or business logic errors that would become expensive to patch later.

Learn more

If you are new to hacking and want to learn the basics, start with the Ultimate guide to OWASP Top 10 and apply your knowledge in the lab which supports it. If you enjoy learning with videos, I invite you to watch the OWASP Top 10 YouTube playlist.
