Commit 5f791b8

Merge pull request #1769 from HackTricks-wiki/update_Steal_DATR_Cookie_20260116_184020
Steal DATR Cookie
2 parents 4760813 + 37e46aa commit 5f791b8

1 file changed

Lines changed: 21 additions & 0 deletions

File tree

src/pentesting-web/account-takeover.md

@@ -151,11 +151,32 @@ This also happened in [**this report**](https://dynnyd20.medium.com/one-click-ac
151151
As explained [**in this post**](https://medium.com/@niraj1mahajan/uncovering-the-hidden-vulnerability-how-i-found-an-authentication-bypass-on-shopifys-exchange-cc2729ea31a9), it was possible to login into an account, save the cookies as an authenticated user, logout, and then login again.\
152152
With the new login, although different cookies might be generated the old ones became to work again.
153153

154+
### Trusted device cookies + batch API leakage
155+
156+
*Long-lived device identifiers that gate recovery can be stolen when a batch API lets you copy unreadable subresponses into writable sinks.*
157+
158+
- Identify a **trusted-device cookie** (`SameSite=None`, long-lived) used to relax recovery checks.
159+
- Find a **first-party endpoint** that returns that device ID in JSON (e.g., an OAuth `code` exchange returning `machine_id`) but is not readable cross-origin.
160+
- Use a **batch/chained API** that allows referencing earlier subresponses (`{result=name:$.path}`) and writing them to an attacker-visible sink (page post, upload-by-URL, etc.). Example with Facebook Graph API:
161+
162+
```http
163+
POST https://graph.facebook.com/
164+
batch=[
165+
{"method":"post","omit_response_on_success":0,"relative_url":"/oauth/access_token?client_id=APP_ID%26redirect_uri=REDIRECT_URI","body":"code=SINGLE_USE_CODE","name":"leaker"},
166+
{"method":"post","relative_url":"PAGE_ID/posts","body":"message={result=leaker:$.machine_id}"}
167+
]
168+
access_token=PAGE_ACCESS_TOKEN&method=post
169+
```
170+
171+
- Load the batch URL in a hidden `<iframe>` so the victim sends the trusted-device cookie; the JSON-path reference copies `machine_id` into the attacker-controlled post even though the OAuth response is unreadable to the page.
172+
- Replay: set the stolen device cookie in a new session. Recovery now treats the browser as trusted, often exposing weaker “no email/phone” flows (e.g., automated document upload) to add an attacker email without the password or 2FA.
173+
154174
## References
155175

156176
- [https://blog.hackcommander.com/posts/2025/12/28/turning-a-harmless-xss-behind-a-waf-into-a-realistic-phishing-vector/](https://blog.hackcommander.com/posts/2025/12/28/turning-a-harmless-xss-behind-a-waf-into-a-realistic-phishing-vector/)
157177
- [https://infosecwriteups.com/firing-8-account-takeover-methods-77e892099050](https://infosecwriteups.com/firing-8-account-takeover-methods-77e892099050)
158178
- [https://dynnyd20.medium.com/one-click-account-take-over-e500929656ea](https://dynnyd20.medium.com/one-click-account-take-over-e500929656ea)
159179
- [0xdf – HTB Era: security-question IDOR & username oracle](https://0xdf.gitlab.io/2025/11/29/htb-era.html)
180+
- [Steal DATR Cookie](https://ysamm.com/uncategorized/2026/01/15/steal-dtsg-cookie.html)
160181
{{#include ../banners/hacktricks-training.md}}
161182

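Review bot: the batch example is written as a `POST https://graph.facebook.com/` with a form body, but the bullet that follows tells the reader to load "the batch URL" in a hidden `<iframe>`, which is a plain GET navigation; the only thing reconciling the two is the trailing `method=post` override on the `access_token=PAGE_ACCESS_TOKEN&method=post` line, and the text never says so. Suggest stating explicitly that the whole batch (the `batch=[...]` JSON, the page `access_token` and `method=post`) is URL-encoded into the iframe `src` query string, that the victim's browser then sends a GET carrying the `SameSite=None` device cookie, and that the Graph API's `method` parameter is what makes the request execute as a POST. Two smaller documentation points in the same hunk: the new heading and bullets only ever say "trusted-device cookie" while the commit title and the new reference entry call it the DATR cookie, so name the cookie in the first bullet ("Identify a trusted-device cookie (here `datr`) ..."); and the reference link text reads "Steal DATR Cookie" while its URL slug is `steal-dtsg-cookie.html`, so verify the link and align the text with the slug (or vice versa) before merging.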