Firing 8 Account Takeover Methods

Md Maruf Hosan (0xMaruf)
Published in InfoSec Write-ups, Oct 19, 2022


Hello! This is Md Maruf Hosan, a bug bounty hunter from Bangladesh.
I am gonna be firing some account takeover methods.

  1. Unicode Normalization Issue
    1. Victim account: victim@gmail.com
    2. Create an account using a Unicode look-alike address, for example vićtim@gmail.com (here ć is a Unicode character).
    3. List of Unicode characters: https://en.wikipedia.org/wiki/List_of_Unicode_characters
    Note: check where email verification isn't required.
  2. Authorization Issue
    1. Change the email of Account A and put in email B.
    2. Check the confirmation mail in account B.
    3. Open the confirmation mail from account C.
    Account C is taken over.
  3. Reusing Reset Token
    If the target allows you to reuse the reset link, hunt for more reset links via gau, wayback or urlscan.io.
  4. Pre Account Takeover
    1. Sign up using the normal signup form as the hacker, but the hacker has no verification link.
    2. Then the victim signs up using OAuth.
    3. Verification bypass: now the attacker can log in to the victim's account without the verification link, with the password he entered while registering.
  5. CORS Misconfiguration to Account Takeover
    1. Check the API: does any endpoint expose an access token/session/secret/fingerprint?
    2. If yes, check for a CORS misconfiguration: does it allow us to fetch data from the target?
    3. Make a payload to fetch the data, replace the headers, and boom.
  6. CSRF to Account Takeover
    If profile modification in cookie-based authentication doesn't generate any token:
    1. Open Account A, change the email to one that you own, click save, intercept the request and generate a CSRF PoC.
    2. If authentication is fully cookie based, you don't have to modify anything; send the CSRF file to the victim.
    3. If it requires a UUID/UserID or a unique token it becomes harder, but that doesn't mean it is secure; just start playing with the target.
    Hint: the password reset page often helps for UUID/GUID and UserID.
  7. Host Header Injection
    In this case there are 4 ways to do that.
    1. Click reset password and change the Host header.
    2. Or change a proxy header, e.g. X-Forwarded-For: attacker.com
    3. Or change the Host, Referer and Origin headers at once to attacker.com
    4. Click reset, then click resend mail, and do all 3 methods above.
  8. Response Manipulation
    1. Code manipulation: * to 200 OK
    2. Code and body manipulation:
    code * to 200 OK
    body * to {"success":true} or {}
    This works when JSON is used to send and receive data.
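As an added example (not code from the original post), here is the defender's side of method 1 in Python: a lookup that normalizes the address before matching, so a look-alike such as vićtim@gmail.com resolves to the victim's record, shown beside an exact-match lookup and a signup guard that rejects any address colliding with an existing account after normalization. The account store and addresses are constructed for the example.

```python
import unicodedata

# Constructed sample account store (not from the original post): the
# stored address is the ASCII one the victim registered with.
ACCOUNTS = {"victim@gmail.com": {"id": 1, "verified": True}}


def canonical_email(addr: str) -> str:
    """Collision-check form of an address, never the form mail is sent to.

    NFKC folds compatibility characters (fullwidth letters, ligatures) into
    their plain equivalents; NFKD then exposes combining accents so they can
    be dropped, which is what makes 'vićtim' collide with 'victim'.
    """
    folded = unicodedata.normalize("NFKD", unicodedata.normalize("NFKC", addr.strip()))
    return "".join(ch for ch in folded if not unicodedata.combining(ch)).casefold()


def vulnerable_lookup(addr: str):
    """The bug: the app normalizes/transliterates the address before the
    account lookup, so a Unicode variant resolves to the victim's record."""
    return ACCOUNTS.get(canonical_email(addr))


def hardened_lookup(addr: str):
    """Fix: look accounts up by the exact stored address; normalization is
    only used as a guard at signup (see check_signup)."""
    return ACCOUNTS.get(addr)


def check_signup(addr: str, require_ascii: bool = True) -> str:
    """Signup guard. Returns 'ok', 'reject-collision' or 'reject-non-ascii'.

    Reject a new address whose canonical form matches an existing account,
    so a look-alike can never be confused with the victim's address later.
    If the mail stack does not support internationalized (EAI) addresses,
    also reject anything that is not plain ASCII.
    """
    existing = {canonical_email(e) for e in ACCOUNTS}
    if canonical_email(addr) in existing:
        return "reject-collision"
    if require_ascii and not addr.isascii():
        return "reject-non-ascii"
    return "ok"
```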

kick me on twitter: @0xmaruf

Share this on twitter:

https://twitter.com/0xMaruf/status/1582586936136384512?t=_oWdTwpqf1SpEurmIXWbpA&s=19
