From b7547cc17122054affccef9cb1abbf4ca9574c86 Mon Sep 17 00:00:00 2001 From: paupaulaz <33202324+paupaulaz@users.noreply.github.com> Date: Sun, 22 Nov 2020 10:52:20 +0100 Subject: [PATCH] Puts the H1 reports at the right place The HackerOne reports mentioned in this doc are referring to Request Smuggling, not CSRF --- Account Takeover/README.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/Account Takeover/README.md b/Account Takeover/README.md index 5c4431b..1f566a1 100644 --- a/Account Takeover/README.md +++ b/Account Takeover/README.md @@ -135,17 +135,16 @@ Refer to **HTTP Request Smuggling** vulnerability page. GET http://something.burpcollaborator.net HTTP/1.1 X: X ``` + +Hackerone reports exploiting this bug +* https://hackerone.com/reports/737140 +* https://hackerone.com/reports/771666 ## Account Takeover via CSRF 1. Create a payload for the CSRF, e.g: "HTML form with auto submit for a password change" 2. Send the payload -Hackerone reports exploiting this bug -* https://hackerone.com/reports/737140 -* https://hackerone.com/reports/771666 - - ## Account Takeover via JWT JSON Web Token might be used to authenticate an user.
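Review bot: the relocated lines carry the spelling "Hackerone" while the commit message itself writes "HackerOne"; since these three lines are being re-added anyway, the added block could read `Hackerone reports exploiting this bug` -> `HackerOne reports exploiting this bug`. It would also help readers if each moved link had a short title next to it stating that the report demonstrates request smuggling, because after this change the only place that justification lives is the commit message, and the diff alone gives no way to tell which technique https://hackerone.com/reports/737140 and https://hackerone.com/reports/771666 cover. Finally, confirm that removing the two trailing blank lines before `## Account Takeover via JWT` still leaves a blank line between `2. Send the payload` and the next heading so the markdown renders the list and heading correctly.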