Hossein NafisiAsl committed with GitHub 1 year ago, 1 parent 55740d09
1 + # Firing 8 Account Takeover Methods 🔥 2 + 3 + ### 1. Unicode Normalization Issue 4 + - victim account `[email protected]` 5 + - create an account using Unicode 6 + - example: `vić[email protected]` 7 + - list of Unicode character: [https://en.wikipedia.org/wiki/List_of_Unicode_characters](https://en.wikipedia.org/wiki/List_of_Unicode_characters) 8 + - Note: check where verification doesn’t require 9 + <br> 10 + 11 + ### 2. Authorization Issue 12 + - change email of Account Aand put email `B` 13 + - check confirmation mail in account `B` 14 + - open the confirmation mail from account `C` 15 + - Taken over Account `C` 16 + <br> 17 + 18 + ### 3. Reusing Reset Token 19 + - if target allows you to reuse the reset link then hunt for more reset link via `gau`, `wayback` or `urlscan.io` 20 + <br> 21 + 22 + ### 4. Pre Account Takeover 23 + - signup using normal signup form as a hacker but hacker has no verification link. 24 + - then if victim signs up using oauth . 25 + - Verification bypass now attacker can login the victim account without verification link with the password he entered while registering. 26 + <br> 27 + 28 + ### 5. CORS Misconfiguration to Account Takeover 29 + - check api , any endpoint has access access token/session/secret/fingerprint 30 + - if yes check for CORS misconfiguration does it allow us to fetch data from target? 31 + - make a payload to fetch data and replace headers and boom 32 + <br> 33 + 34 + ### 6. CSRF to Account Takeover 35 + - if profile modification in cookie based authentication doesn’t generate any token 36 + - open Account `A` change&Put email that you own click save intercept the request and generate a csrf poc. 37 + - if fully cookie based auth then you dont have to modify anything send the csrf file to victim. 
38 + - if it requires UUID/UserID or unique token it becomes hard to do that but that doesn't mean it is secure , just start playing with target 39 + - hint: password reset page helps many times for UUID/GUID and UserID 40 + <br> 41 + 42 + ### 7. Host Header Injection 43 + - well in this case there are 4 ways do that. 44 + - click reset password change `host` header. 45 + - or change proxy header ex: `X-Forwarded-For: attacker.com` 46 + - or change `host`, `referrer`, `origin` headers at once as `attacker.com` 47 + - click reset then click resend mail and do all 3 methods above 48 + <br> 49 + 50 + ### 8. Response Manipulation 51 + 1. code manipulation * to `200 OK` 52 + 2. code and body manipulation 53 + code * to `200 OK` 54 + body * to `{"success":true}` or `{}` 55 + it works when json is being used to transfer and receive data. 56 + <br> 57 + 58 + ## Credit 59 + Based on [0xMaruf](https://infosecwriteups.com/firing-8-account-takeover-methods-77e892099050)'s writeup. 60 + <br> 61 + 62 + ## Support 63 + You can Follow [me](https://twitter.com/MeAsHacker_HNA) on twitter or 64 + <br><br><a href="https://www.buymeacoffee.com/NafisiAslH" target="_blank"><img src="https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png" alt="Buy Me A Coffee" style="height: 60px !important;width: 217px !important;" ></a> 65 +
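Review bot: in section 7 (Host Header Injection) the proxy-header example `X-Forwarded-For: attacker.com` names the wrong header for this technique: `X-Forwarded-For` carries the client IP address, while the header that overrides the host a backend uses when building reset links is `X-Forwarded-Host`, so the bullet should read `X-Forwarded-Host: attacker.com`; in the same section `referrer` should be the actual header name `Referer`, and the section announces "4 ways" but lists three header variants plus "click resend mail and do all 3 methods above", so either state the resend step as the fourth variant or say three. In section 2 the takeover step is only implied: spell out that the confirmation link delivered to `B` is opened in a browser session that is logged in as account `C`, which is what rebinds `C` to the attacker-controlled email. Smaller items: section 1's "Note: check where verification doesn't require" should say "check flows where email verification is not required"; section 4's first bullet should say the attacker registers with the victim's email address and never completes email verification; section 5 has a doubled "access access"; the `*` markers in section 8 read as stray characters and would be clearer as "change the status code to `200 OK`" and "change the body to `{"success":true}` or `{}`". Since every line in this diff is `+`, this is the whole document and these fixes belong in this commit rather than a follow-up.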