CSP-CERT® Resources:
Session Management Resulting to Account Takeover

by CSP-CERT® VAPT Team Manager - John Patrick Lita
posted October 2017

Greetings everyone! This is Jaypee again, and today I am going to share with you one of my findings from my former employer, Globe Telecom, with the approval and consent of my former boss Mr. Anton Bonifacio, CISO of Globe Telecom. Thanks to his passion for security, I am able to produce this article and share it with the community to develop security awareness.

Today we are going to discuss a session management flaw resulting in account takeover of any Globe Telecom customer account.

Ok, now we have an account on the Globe Portal. One of my tasks at Globe Telecom was to ensure that all of their clients' information is secured from data leaks, etc. As part of Information Security and Data Privacy, in my role as Information Security Consultant, every Globe Telecom application needs to pass a Security Risk Assessment before it is released to the public.

Again I use Burp Suite for this assessment. First we need to log in to the application, and we are going to monitor the HTTP requests and HTTP responses of the application. This is the HTTP request of the application:

The process is to check every request and response of the application to get a better understanding of the application's behaviour; then I just continue to forward the requests. This process is what we call passive recon for web application security (HTTP header analysis).

Now something in the HTTP response headers gets my attention: once again there is a GET method, and it catches my attention.

GET /c/portal/login?ticket= tokenvalue HTTP/1.1. Alright, let's proceed to test the application for a possible security flaw, so I copy the URL of the GET request. Remember that our login process is not yet done, meaning it is in the middle of retrieving and rendering the application.

Once we copy the URL, we paste it into another browser and see how the web application responds. We were lucky to find this flaw: after pasting the URL into the other browser, the result is

we are able to take over the customer's session without entering his/her username and password on the application. The server or application cannot determine who owns the session token.

In the image above we are able to see the information of the victim's account. Now the question is: what is the effect on the victim's session? Well, I was not able to screenshot the process on the victim's session, since I needed to report this ASAP to push a fix.

The result on the victim's session is just a blank page / empty content of the application. On the attacker's side, he/she can change the password of the victim's account, resulting in account takeover.
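To show what the fix has to guarantee, here is an added example (constructed for this article, not Globe Telecom's code) of a login-ticket store: the weak redeem path accepts any ticket presented in the URL, which is the behaviour described above, while the hardened path binds the ticket to the pre-login session of the browser that authenticated, consumes it on first use and expires it. The session identifiers, user names and 30-second TTL are assumptions.

```python
import hmac
import secrets
import time

# Constructed example (not Globe Telecom's code): a ticket store for a
# "/login?ticket=" redirect. redeem_unbound() accepts any ticket in the URL,
# so a copied URL logs in whoever pastes it. redeem() binds the ticket to the
# pre-login session of the browser that authenticated, consumes it on first
# use and rejects it after TICKET_TTL seconds.
TICKET_TTL = 30  # seconds; the ticket only needs to survive one redirect


class TicketService:
    def __init__(self, now=time.time):
        self._now = now
        self._tickets = {}  # ticket -> (user, pre_login_session, issued_at)

    def issue(self, user, pre_login_session):
        """Called once the user has authenticated; returns the ?ticket= value."""
        ticket = secrets.token_urlsafe(32)
        self._tickets[ticket] = (user, pre_login_session, self._now())
        return ticket

    def redeem_unbound(self, ticket):
        """Weak: whoever holds the URL gets the account."""
        entry = self._tickets.get(ticket)
        return entry[0] if entry else None

    def redeem(self, ticket, presented_session):
        """Hardened: one-time, time-limited, bound to the requesting browser."""
        entry = self._tickets.pop(ticket, None)  # consumed on any attempt
        if entry is None:
            return None
        user, bound_session, issued_at = entry
        if self._now() - issued_at > TICKET_TTL:
            return None  # stale ticket, e.g. recovered from history or a log
        if not hmac.compare_digest(bound_session, presented_session):
            return None  # presented from a browser that did not log in
        return user


def demo():
    """Victim authenticates in 'sess-victim'; the URL is pasted elsewhere."""
    svc = TicketService()
    t1 = svc.issue("victim", "sess-victim")
    results = {"weak_attacker": svc.redeem_unbound(t1)}            # 'victim'
    results["hardened_attacker"] = svc.redeem(t1, "sess-attacker")  # None
    t2 = svc.issue("victim", "sess-victim")
    results["hardened_victim"] = svc.redeem(t2, "sess-victim")      # 'victim'
    results["hardened_replay"] = svc.redeem(t2, "sess-victim")      # None
    return results
```

The binding cookie must be set before the redirect and marked HttpOnly and Secure, otherwise the ticket URL and the cookie can leak together.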

Thanks and Regards!