STRLCPY/NafisiAslH-KnowledgeSharing

Create secret13.md
Hossein NafisiAsl committed with GitHub 1 year ago

61843737

1 parent 55740d09

Revision indexing in progress... (symbol navigation in revisions will be accurate after indexed)

Total 1 files

■ ■ ■ ■ ■ ■

CyberSecurity/Web/100BugBountySecrets/secrets/secret13.md

1	+	# Firing 8 Account Takeover Methods 🔥
2	+
3	+	### 1. Unicode Normalization Issue
4	+	- victim account `[email protected]`
5	+	- create an account using Unicode
6	+	- example: `vić[email protected]`
7	+	- list of Unicode character: [https://en.wikipedia.org/wiki/List_of_Unicode_characters](https://en.wikipedia.org/wiki/List_of_Unicode_characters)
8	+	- Note: check where verification doesn’t require
9	+	<br>
10	+
11	+	### 2. Authorization Issue
12	+	- change email of Account Aand put email `B`
13	+	- check confirmation mail in account `B`
14	+	- open the confirmation mail from account `C`
15	+	- Taken over Account `C`
16	+	<br>
17	+
18	+	### 3. Reusing Reset Token
19	+	- if target allows you to reuse the reset link then hunt for more reset link via `gau`, `wayback` or `urlscan.io`
20	+	<br>
21	+
22	+	### 4. Pre Account Takeover
23	+	- signup using normal signup form as a hacker but hacker has no verification link.
24	+	- then if victim signs up using oauth .
25	+	- Verification bypass now attacker can login the victim account without verification link with the password he entered while registering.
26	+	<br>
27	+
28	+	### 5. CORS Misconfiguration to Account Takeover
29	+	- check api , any endpoint has access access token/session/secret/fingerprint
30	+	- if yes check for CORS misconfiguration does it allow us to fetch data from target?
31	+	- make a payload to fetch data and replace headers and boom
32	+	<br>
33	+
34	+	### 6. CSRF to Account Takeover
35	+	- if profile modification in cookie based authentication doesn’t generate any token
36	+	- open Account `A` change&Put email that you own click save intercept the request and generate a csrf poc.
37	+	- if fully cookie based auth then you dont have to modify anything send the csrf file to victim.
38	+	- if it requires UUID/UserID or unique token it becomes hard to do that but that doesn't mean it is secure , just start playing with target
39	+	- hint: password reset page helps many times for UUID/GUID and UserID
40	+	<br>
41	+
42	+	### 7. Host Header Injection
43	+	- well in this case there are 4 ways do that.
44	+	- click reset password change `host` header.
45	+	- or change proxy header ex: `X-Forwarded-For: attacker.com`
46	+	- or change `host`, `referrer`, `origin` headers at once as `attacker.com`
47	+	- click reset then click resend mail and do all 3 methods above
48	+	<br>
49	+
50	+	### 8. Response Manipulation
51	+	1. code manipulation * to `200 OK`
52	+	2. code and body manipulation
53	+	code * to `200 OK`
54	+	body * to `{"success":true}` or `{}`
55	+	it works when json is being used to transfer and receive data.
56	+	<br>
57	+
58	+	## Credit
59	+	Based on [0xMaruf](https://infosecwriteups.com/firing-8-account-takeover-methods-77e892099050)'s writeup.
60	+	<br>
61	+
62	+	## Support
63	+	You can Follow [me](https://twitter.com/MeAsHacker_HNA) on twitter or
64	+	<br><br><a href="https://www.buymeacoffee.com/NafisiAslH" target="_blank"><img src="https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png" alt="Buy Me A Coffee" style="height: 60px !important;width: 217px !important;" ></a>
65	+

Create secret13.md