Sec-88
  • 🧑Whoami
  • 🕸️Web-AppSec
    • Features Abuse
      • 2FA
      • Ban Feature
      • CAPTCHA
      • Commenting
      • Contact us
      • File-Upload
      • Inviting Feature
      • Messaging Features
      • Money-Related Features
      • Newsletter
      • Profile - Settings
      • Registration
      • Reset Password
      • Review
      • Rich Editor/Text
      • Social Sharing
      • Billing-Shipping Address Management
      • Integrations - Webhooks
      • API Key Management
    • Reconnaissance
      • Attacking Organizations with big scopes
    • Subdomain Enumeration
    • Fingerprinting
    • Dorking
    • XSS-HTML Injection
    • Improper Authentication
      • JWT Security
    • OAUTH Misconfigurations
      • OAuth 2.0 Basics
      • OAUTH Misconfigurations
    • Auth0 Misconfigurations
    • Broken Access Control
      • Insecure Direct Object References (IDOR)
      • 403 Bypass
    • Broken Link Injection
    • Command Injection
    • CORS
    • CRLF
    • CSRF
    • Host Header Attacks
    • HTTP request smuggling
    • JSON Request Testing
    • LFI
      • LFI to RCE
    • No Rate Limit
    • Parameters Manual Testing
    • Open Redirect
    • Registration & Takeover Bugs
    • Remote Code Execution (RCE)
    • Session Fixation
    • SQL Injection
      • SQL To RCE
    • SSRF
    • SSTI
    • Subdomain Takeover
    • Web Caching Vulnerabilities
    • WebSockets
    • XXE
      • XXE to RCE
    • Cookie Based Attacks
    • CMS
      • AEM [Adobe CMS]
    • XSSI (Cross Site Script Inclusion)
    • NoSQL injection
    • Local VS Remote Session Fixation
    • Protection
      • Security Mechanisms for Websites
      • Cookie Flags
      • SameSite Cookie Restrictions
      • Same-origin policy (SOP)
      • CSP
    • Hacking IIS Applications
    • Dependency Confusion
    • Attacking Secondary Context
    • Hacking Web Sockets
    • IDN Homograph Attack
    • DNS Rebinding Attack
    • LLM Hacking Checklist
    • Bypass URL Filtration
    • Cross-Site Path Traversal (CSPT)
    • PostMessage Security
    • Prototype Pollution
      • Client-Side Prototype Pollution
      • Server-Side prototype pollution
    • Tools-Extensions-Bookmarks
    • WAF Bypassing Techniques
    • SSL/TLS Certificate Lifecycle
    • Serialization in .NET
    • Client-Side Attacks
      • JavaScript Analysis
    • Bug Bounty Platforms/Programs
    • DNS Dangling / NS Takeover
  • ✉️API-Sec
    • GraphQL API Security Testing
      • The Basics
      • GraphQL Communication
      • Setting Up a Vulnerable GraphQL Server
      • GraphQL Hacking Tools
      • GraphQL Attack Surface
      • RECONNAISSANCE
      • GraphQL DOS
      • Information Disclosure
      • AUTHENTICATION AND AUTHORIZATION BYPASSES
      • Injection Vulnerabilities in GraphQL
      • REQUEST FORGERY AND HIJACKING
      • VULNERABILITIES, REPORTS AND EXPLOITS
      • GraphQL Hacking Checklist
    • API Recon
    • API Token Attacks
    • Broken Object Level Authorization (BOLA)
    • Broken Authentication
    • Evasive Maneuvers
    • Improper Assets Management
    • Mass Assignment Attacks
    • SSRF
    • Injection Vulnerabilities
    • Excessive Data Exposure
    • OWASP API TOP 10 MindMap
    • Scanning APIs with OWASP ZAP
  • 📱Android-AppSec
    • Setup Android App Pentesting environment on Arch
    • Setup Android App Pentesting environment on Mac M4
    • Setup Android Pentesting Environment on Debian Linux
    • Android App Fundamentals
      • Android Architecture
      • Android Security Model
      • Android App Components
        • Intents
        • Pending Intents
    • Android App Components Security Cheatsheet
    • Android App Pentesting Checklist
    • How To Get APK file for application
    • ADB Commands
    • APK structure
    • Android Permissions
    • Exported Activity Hacking
    • BroadcastReceiver Hacking
    • Content Provider Hacking
    • Signing the APK
    • Reverse Engineering APK
    • Deep Links Hacking
    • Drozer Cheat Sheet
    • SMALI
      • SMALI Cheat Sheet
      • Smali Code Patching Guide
    • Intent Redirection Vulnerability
    • Janus Vulnerability (CVE-2017-13156)
    • Task Hijacking
    • Hacking Labs
      • Injured Android
      • Hacking the VulnWebView Lab
      • Hacking InsecureBankv2 App
    • Frida Cheat Sheet
  • 📶Network-Sec
    • Networking Fundamentals
    • Open Ports Security Testing
    • Vulnerability Scanning
    • Client Side Attacks
    • Port Redirection and Tunneling
    • Password Attacks
    • Privilege Escalation [PrevEsc]
      • Linux Privilege Escalation
    • Buffer Overflow (BOF)
      • VulnServer
      • Sync Breez Enterprize
      • Crashed CTF
      • BOF for Linux
    • AV Evasion
    • Post Exploitation
      • File Transfer
      • Maintaining Access
      • Pivoting
      • Clean Up
    • Active Directory
      • Basic AD Pentesting
  • 💻Desktop AppSec
    • Thin Client vs. Thick Client
  • ☁️Cloud Sec
    • Salesforce Hacking
      • Basics
      • Salesforce SAAS Apps Hacking
    • Firebase
    • S3 Buckets Misconfigurations
    • Amazon Cognito Misconfiguraitons
  • 👨‍💻Programming
    • HTML
    • JavaScript (JS)
      • window.location object
    • Python
      • Python Tips
      • Set
        • SetMethods
    • JAVA
      • Java Essentials
      • Java Essentials Code Notes
      • Java OOP1
      • JAVA OOP Principles
        • Inheritance
        • Method Overriding
        • Abstract Class
        • Interface
        • polymorphism
        • Encapsulation
        • Composition
      • Java OOP Challenges
      • Exception Handling
    • Go
      • Go Syntax Tutorial in one file
      • Methods and Interfaces
      • Go Slices
      • Go Maps
      • Go Functions
      • Concurrency
      • Read Files
      • Write Files
      • Package
        • How to make personal Package
        • regexp Packages
        • Json
        • bufio
        • Time
      • Signals-Exit
      • Unit Testing
  • 🖥️Operating Systems
    • Linux
      • Linux Commands
      • Tools
      • Linux File System
      • Bash Scripting guide
      • tmux
      • Git
      • Install Go tools from private repositories using GitHub PAT
    • VPS
    • Burp Suite
  • ✍️Write-Ups
    • Hunting Methodology
    • API BAC leads to PII Data Disclosure
    • Misconfigured OATUH leads to Pre-Account Takeover
    • Automating Bug Bounty with GitHub Actions
    • From Recon to Reward: My Bug Bounty Methodology when Hunting on Public Bug Bounty Programs
    • Exploring Subdomains: From Enumeration to Takeover Victory
    • 0-Click Account Takeover via Insecure Password Reset Feature
    • How a Simple Click Can Lead to Account Takeover: An OAuth Insecure Implementation Vulnerability
    • The Power Of IDOR even if it is unpredictable IDs
    • Unlocking the Weak Spot: Exploiting Insecure Password Reset Tokens
    • AI Under Siege: Discovering and Exploiting Vulnerabilities
    • Inside the Classroom: How We Hacked Our Way Past Authorization on a Leading EdTech Platform
    • How We Secured Our Client’s Platform Against Interaction-Free Account Thefts
    • Unchecked Privileges: The Hidden Risk of Role Escalation in Collaborative Platforms
    • Decoding Server Behavior: The Key to Mass Account Takeover
    • Exploiting JSON-Based CSRF: The Hidden Threat in Profile Management
    • How We Turned a Medium XSS into a High Bounty by Bypassing HttpOnly Cookie
Powered by GitBook
On this page
  • Change Password Feature
  • Change Email Feature
  • Change Numbers Feature
  • Account Delete Feature
  • Other
  • Logout Feature
  • Account Linking
  • Social Media Links

Was this helpful?

Edit on GitHub
  1. Web-AppSec
  2. Features Abuse

Profile - Settings

PreviousNewsletterNextRegistration

Last updated 17 days ago

Was this helpful?

Change Password Feature

Change Name Feature

Change Email Feature

Identify critical features linked to a user's email domain. For instance, consider a target app that grants access to resources based on your email domain. Some apps let you join a team or workspace directly if your email matches the team's domain (e.g., join Victim SITE XYZ only with sample@victimsitexyz[.]com). Others restrict access to documents or videos based on email domain whitelisting. Numerous such opportunities exist where email plays a crucial role.

1️. Log in to your attacker account and change your email address to an attacker-controlled email (e.g., attackeremail@attackerdomain.com). 

2️. You'll likely receive an email confirmation link on your attacker-controlled email (Do not verify it yet). 

3️. Now, change your email to the unregistered email or domain you wish to HIJACK (e.g., victimemail@victimdomain.com). 

4️. This action will send an email verification link to victimemail@victimdomain.com, which you don't have access to. 

5️. Try clicking on the "Email" verification link sent earlier to attackeremail@attackerdomain.com. If the system fails to revoke the previous email verification link, the link for attackeremail@attackerdomain.com could end up verifying the email for victimemail@victimdomain.com, allowing you to claim it as verified.

Once you've claimed an email associated with another organization's domain, identify the associated functions to prove impact and report it to earn some generous bounties

Change Numbers Feature

Account Delete Feature

Other

  • IDOR To ATO

    1- We create an account
    2- Then we log in
    3- go to edit profile
    4- We open burp suite
    5- Then we intercepted to the request to save the modification
    6- We’re gonna change the email to the victim’s email And Enter a new password Through the burpsuite
    7- Then we send the request to the intruder
    8- Now we’re gonna guess the victim’s (user_idx)
    9- We will guess the user_idx
    10- We will guess the user_idx from 1 to 2500
    11- Another note I noticed when accepting the request will be in the response (“result”:1)and when not accepting it will be (“result”:-1)
    12- Therefore, before turning on the intruder, we search for “result”: 1 by Grep in options
    13- Then we turn on the intruder
    14- We will notice after completion, find the user_idx of the victim , and the new password has already been set for this account and therefore we can log in with the email and the new password that we created
  • Browser Cache

    1- Check the response server when sending a request to sure from cache operation.
    2- Send The request to Intruder and send 50 requests.
    3- When you reload the page multiple times, it gives you random data related to multiple users.

Logout Feature

Account Linking

  • ATO Via Response Manipulation

    STEPS TO REPRODUCE
    1. Open a browser in which a user has previously logged into an account, but hasn't logged out.
    2. Open another browser and login using your account
    3. Try to link gmail using your account, it will prompt for a password confirmation, enter your password
    4. Intercept the response and copy it
    5. Go to the victims account and link to gmail again
    6. This time enter any password and intercept response
    7. Paste the copied response from the attacker account
    
    # References
    - <https://hackerone.com/reports/1040373>

Social Media Links

Lack of password confirmation when email change

So suppose we are , now login into the website then

go to account settings and change mail address to 2

a link will be sent to 2, now the user realizes that he have lost access to 2 due to some reasons

so he will probably change mail to the another mail address for e.g which he owns and has access to

go to account settings and change mail address to 2

a link will be sent to 2, now the user realizes that he have lost access to 2 due to some reasons

so he will probably change mail to the another mail address for e.g which he owns and has access to

🕸️
Missing rate limit in current password
password change is confirmed when not matching
CSRF bug on password change
User Account Takeover
Abused 2FA to maintain persistence after a password change
old session dose not expire after password change
XSS via Account Name
ATO PII chained with stored XSS
Unlocking Important Resources with Email Verification Bypass
Writeup: Watch out the links : Account takeover!
No Password Verification on Changing Email Address Cause ATO
Insufficient Session Expiration - Previously issued email change tokens do not expire upon issuing a new email change token'
victim@gmail.com
victim
@gmail.com
victim
@gmail.com
victim
@gmail.com
victim3@gmail.com
Full Account takeover due to OAuth misconfiguration | by Cysky0x1 | Sep, 2023 | Medium
Watch out the links : Account takeover! | by Akash Hamal | Medium
victim
@gmail.com
victim
@gmail.com
victim
@gmail.com
victim3@gmail.com
Ability To Takeover any account by Emaill.
Lack of Password Confirmation for Account Deletion
CSRF with logout action
HackerOne disclosed on HackerOne: Payload delivery via Social Media...HackerOne
Logo