hacktricks/pentesting-web/account-takeover.md
2023-02-16 18:26:56 +00:00

5.7 KiB

Account Takeover

🎙️ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) 🎙️ - 🎥 Youtube 🎥

Authorization Issue

Try to change the email of an account and check how the confirmation works. If weak, try to change the email to the victim one and confirm it.

Unicode Normalization Issue

  1. victim account victim@gmail.com
  2. create an account using Unicode
    example: vićtim@gmail.com

{% content-ref url="unicode-injection/unicode-normalization.md" %} unicode-normalization.md {% endcontent-ref %}

Reusing Reset Token

If target allows you to reuse the reset link then hunt for more reset link via gau ,wayback or scan.io

Pre Account Takeover

  1. Signup using the victims email in the platform and set a password (try to confirm if possible, but lacking access to the victim emails might be impossible)
  2. Wait till the victim signs up using oauth and confirms the account
  3. Hopefully, the regular signup will be confirmed and you will be able to enter in the victims account

CORS Misconfiguration to Account Takeover

If the page contains CORS missconfigurations you might be able to steal sensitive information from the user to takeover his account or make him change auth information for the same purpose:

{% content-ref url="cors-bypass.md" %} cors-bypass.md {% endcontent-ref %}

Csrf to Account Takeover

If the page is vulnerable to CSRF you might be able to make the user modify his password, email or authentication so you can then access it:

{% content-ref url="csrf-cross-site-request-forgery.md" %} csrf-cross-site-request-forgery.md {% endcontent-ref %}

XSS to Account Takeover

If you find a XSS in application you might be able to stal cookies, local storage, or info from the web page that could allow you takeover the account:

{% content-ref url="xss-cross-site-scripting/" %} xss-cross-site-scripting {% endcontent-ref %}

Same Origin + Cookies

If you find a limited XSS or a subdomain take over, you could play with the cookies (fixating them for example) to try to compromise the victim account:

{% content-ref url="hacking-with-cookies/" %} hacking-with-cookies {% endcontent-ref %}

Attacking Password Reset Mechanism

{% content-ref url="reset-password.md" %} reset-password.md {% endcontent-ref %}

Response Manipulation

If the authentication response could be reduced to a simple boolean just try to change false to true and see if you get any access.

OAuth to Account takeover

{% content-ref url="oauth-to-account-takeover.md" %} oauth-to-account-takeover.md {% endcontent-ref %}

References

🎙️ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) 🎙️ - 🎥 Youtube 🎥