ROOT /

CyberSecurity /

Web /

100BugBountySecrets /

secret13.md

65 lines | UTF-8 | 2 KB

Blame

Firing 8 Account Takeover Methods 🔥

1. Unicode Normalization Issue

victim account [email protected]
create an account using Unicode
example: vić[email protected]
list of Unicode character: https://en.wikipedia.org/wiki/List_of_Unicode_characters
Note: check where verification doesn’t require

2. Authorization Issue

change email of Account Aand put email B
check confirmation mail in account B
open the confirmation mail from account C
Taken over Account C

3. Reusing Reset Token

if target allows you to reuse the reset link then hunt for more reset link via gau, wayback or urlscan.io

4. Pre Account Takeover

signup using normal signup form as a hacker but hacker has no verification link.
then if victim signs up using oauth .
Verification bypass now attacker can login the victim account without verification link with the password he entered while registering.

5. CORS Misconfiguration to Account Takeover

check api , any endpoint has access access token/session/secret/fingerprint
if yes check for CORS misconfiguration does it allow us to fetch data from target?
make a payload to fetch data and replace headers and boom

6. CSRF to Account Takeover

if profile modification in cookie based authentication doesn’t generate any token
open Account A change&Put email that you own click save intercept the request and generate a csrf poc.
if fully cookie based auth then you dont have to modify anything send the csrf file to victim.
if it requires UUID/UserID or unique token it becomes hard to do that but that doesn't mean it is secure , just start playing with target
hint: password reset page helps many times for UUID/GUID and UserID

7. Host Header Injection

well in this case there are 4 ways do that.
click reset password change host header.
or change proxy header ex: X-Forwarded-For: attacker.com
or change host, referrer, origin headers at once as attacker.com
click reset then click resend mail and do all 3 methods above

8. Response Manipulation

code manipulation * to 200 OK
code and body manipulation code * to 200 OK body * to {"success":true} or {} it works when json is being used to transfer and receive data.

Credit

Based on 0xMaruf's writeup.

Support

You can Follow me on twitter or

Please wait...

Page is in error, reload to recover