Expensify example for ghost logins

pushsecurity / saas-attacks

Offensive security drives defensive security. We're sharing a collection of SaaS attack techniques to help defenders understand the threats they face. #nolockdown

https://pushsecurity.com/blog/saas-attack-techniques/

Creative Commons Attribution 4.0 International

1.13k stars 75 forks source link

Expensify example for ghost logins #22

Closed jukelennings closed 1 year ago

jukelennings commented 1 year ago

While exploring this, it's clear there are a bunch of other applicable techniques for expensify so I'm just going to hijack this issue to keep track of a bunch of them:

Ghost logins
Passwordless logins
Account ambushing
Username enumeration

There are a couple more I'm still trying to validate but will add once I've figure it out.

jukelennings commented 1 year ago

Tagging the following on to this now too:

SAML enumeration

SAMLjacking I am leaving off due to the requirement for domain validation and inability to invite external users. Technically, it's possible to SAMLjack and I have confirmed and tested but it's not much use when you can only do it with email addresses for a domain you have admin control over.

jukelennings commented 1 year ago

Retrospectively removing account ambushing as it seems none of the persistence methods actually work fully end-to-end in an account ambushing scenario:

Co-pilot features do not appear until a validated email is present
Secondary logins become primary automatically when validating, which then causes a problem when the target user tries to login (it alerts them of the second email and requests validation by that)
Unvalidated secondary logins remain secondary but then require action by the target user once they have logged in