🔐 Account Takeover Lab

Authentication & Session Management Logic Flaws

Home > Account Takeover
⚠️ FOR EDUCATIONAL PURPOSES ONLY - DO NOT USE ON REAL SYSTEMS

📚 What is Account Takeover?

Account Takeover (ATO) occurs when an attacker gains unauthorized access to a user's account. This can happen through various logic flaws in authentication, password reset, session management, and authorization mechanisms.

Unlike technical vulnerabilities like XSS or SQLi, these are often business logic flaws - the code works as programmed, but the design is fundamentally insecure.

🔑 Section 1: Weak Password Reset

Vulnerability: Predictable Reset Token in URL

Many applications expose password reset tokens in URLs. If these tokens are predictable, sequential, or reusable, attackers can reset other users' passwords.

Password Reset Link:

❌ What's Wrong?

  • Token in URL: Reset token is visible in the browser address bar
  • Predictable Token: Token is based on timestamp (easily guessable)
  • No Expiration: Token doesn't expire
  • Reusable: Token can be used multiple times

✅ Secure Implementation:

  • Use cryptographically secure random tokens (UUID, crypto.randomBytes)
  • Send token via email only, not in URL parameters
  • Set short expiration time (15-30 minutes)
  • Single-use tokens (invalidate after use)
  • Rate limit reset requests
  • Require email verification

🔢 Section 2: Broken OTP Verification

Vulnerability: OTP Exposed in HTML Comments

This simulates a common mistake where sensitive data (like OTP codes) is leaked in HTML comments, JavaScript source, or API responses.

Verification Result:

❌ What's Wrong?

  • OTP in HTML Comments: Right-click → View Page Source to see the OTP!
  • No Rate Limiting: Unlimited attempts allowed
  • Predictable OTP: Simple sequential numbers
  • No Expiration: OTP never expires

💡 How to Find It:

Right-click on this page and select "View Page Source". Search for "DEBUG" or "OTP" in the HTML. You'll find the correct OTP in a comment!

✅ Secure Implementation:

  • Never expose OTP in client-side code
  • Verify OTP on server-side only
  • Implement rate limiting (max 3-5 attempts)
  • Use short expiration (5-10 minutes)
  • Use cryptographically secure random numbers
  • Invalidate OTP after successful use

🎫 Section 3: Session Fixation

Vulnerability: Session ID in URL Parameter

Session Fixation occurs when an application accepts session IDs from URL parameters or doesn't regenerate session IDs after authentication.

Session Information:

❌ What's Wrong?

  • Session ID in URL: Session ID exposed in browser address bar
  • No Regeneration: Same session ID before and after login
  • Predictable ID: Sequential or timestamp-based session IDs
  • Accepts External ID: Application accepts session IDs from URL parameters

🎯 Attack Scenario:

  1. Attacker generates a session: ?sessionid=12345
  2. Attacker tricks victim into clicking: vulnerable-site.com?sessionid=12345
  3. Victim logs in with the attacker's session ID
  4. Attacker now has access using sessionid=12345

✅ Secure Implementation:

  • Never accept session IDs from URL parameters
  • Store session IDs in HTTP-only cookies
  • Regenerate session ID after login
  • Use cryptographically random session IDs
  • Set Secure and SameSite flags on cookies
  • Implement session timeout

⚠️ Real-World Impact of Account Takeover

🔍 Common ATO Techniques