hacktricks/pentesting-web/account-takeover.md

# Account Takeover

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>

## **Authorization Issue**

The email of an account should be attempted to be changed, and the confirmation process **must be examined**. If found to be **weak**, the email should be changed to that of the intended victim and then confirmed.

## **Unicode Normalization Issue**

1. The account of the intended victim `victim@gmail.com`
2. An account should be created using Unicode\
   for example: `vićtim@gmail.com`

For further details, refer to the document on Unicode Normalization:

[unicode-normalization.md](unicode-injection/unicode-normalization.md)

## **Reusing Reset Token**

Should the target system allow the **reset link to be reused**, efforts should be made to **find more reset links** using tools such as `gau`, `wayback`, or `scan.io`.

## **Pre Account Takeover**

1. The victim's email should be used to sign up on the platform, and a password should be set (an attempt to confirm it should be made, although lacking access to the victim's emails might render this impossible).
2. One should wait until the victim signs up using OAuth and confirms the account.
3. It is hoped that the regular signup will be confirmed, allowing access to the victim's account.


## **CORS Misconfiguration to Account Takeover**

If the page contains **CORS missconfigurations** you might be able to **steal sensitive information** from the user to **takeover his account** or make him change auth information for the same purpose:

{% content-ref url="cors-bypass.md" %}
[cors-bypass.md](cors-bypass.md)
{% endcontent-ref %}

## **Csrf to Account Takeover**

If the page is vulnerable to CSRF you might be able to make the **user modify his password**, email or authentication so you can then access it:

{% content-ref url="csrf-cross-site-request-forgery.md" %}
[csrf-cross-site-request-forgery.md](csrf-cross-site-request-forgery.md)
{% endcontent-ref %}

## **XSS to Account Takeover**

If you find a XSS in application you might be able to stal cookies, local storage, or info from the web page that could allow you takeover the account:

{% content-ref url="xss-cross-site-scripting/" %}
[xss-cross-site-scripting](xss-cross-site-scripting/)
{% endcontent-ref %}

## **Same Origin + Cookies**

If you find a limited XSS or a subdomain take over, you could play with the cookies (fixating them for example) to try to compromise the victim account:

{% content-ref url="hacking-with-cookies/" %}
[hacking-with-cookies](hacking-with-cookies/)
{% endcontent-ref %}

## **Attacking Password Reset Mechanism**

{% content-ref url="reset-password.md" %}
[reset-password.md](reset-password.md)
{% endcontent-ref %}

## **Response Manipulation**

If the authentication response could be **reduced to a simple boolean just try to change false to true** and see if you get any access.

## OAuth to Account takeover

{% content-ref url="oauth-to-account-takeover.md" %}
[oauth-to-account-takeover.md](oauth-to-account-takeover.md)
{% endcontent-ref %}

## Host Header Injection

1. The Host header is modified following a password reset request initiation.
2. The `X-Forwarded-For` proxy header is altered to `attacker.com`.
3. The Host, Referrer, and Origin headers are simultaneously changed to `attacker.com`.
4. After initiating a password reset and then opting to resend the mail, all three of the aforementioned methods are employed.

## Response Manipulation

1. **Code Manipulation**: The status code is altered to `200 OK`.
2. **Code and Body Manipulation**: 
   - The status code is changed to `200 OK`.
   - The response body is modified to `{"success":true}` or an empty object `{}`. 

These manipulation techniques are effective in scenarios where JSON is utilized for data transmission and receipt.


## References

* [https://infosecwriteups.com/firing-8-account-takeover-methods-77e892099050](https://infosecwriteups.com/firing-8-account-takeover-methods-77e892099050)

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>