Account Takeover

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Authorization Issue

The email of an account should be attempted to be changed, and the confirmation process must be examined. If found to be weak, the email should be changed to that of the intended victim and then confirmed.

Unicode Normalization Issue

The account of the intended victim victim@gmail.com
An account should be created using Unicode
for example: vićtim@gmail.com

For further details, refer to the document on Unicode Normalization:

unicode-normalization.md

Reusing Reset Token

Should the target system allow the reset link to be reused, efforts should be made to find more reset links using tools such as gau, wayback, or scan.io.

Pre Account Takeover

The victim's email should be used to sign up on the platform, and a password should be set (an attempt to confirm it should be made, although lacking access to the victim's emails might render this impossible).
One should wait until the victim signs up using OAuth and confirms the account.
It is hoped that the regular signup will be confirmed, allowing access to the victim's account.

CORS Misconfiguration to Account Takeover

If the page contains CORS missconfigurations you might be able to steal sensitive information from the user to takeover his account or make him change auth information for the same purpose:

Csrf to Account Takeover

If the page is vulnerable to CSRF you might be able to make the user modify his password, email or authentication so you can then access it:

XSS to Account Takeover

If you find a XSS in application you might be able to stal cookies, local storage, or info from the web page that could allow you takeover the account:

Same Origin + Cookies

If you find a limited XSS or a subdomain take over, you could play with the cookies (fixating them for example) to try to compromise the victim account:

Attacking Password Reset Mechanism

Response Manipulation

If the authentication response could be reduced to a simple boolean just try to change false to true and see if you get any access.

OAuth to Account takeover

Host Header Injection

The Host header is modified following a password reset request initiation.
The X-Forwarded-For proxy header is altered to attacker.com.
The Host, Referrer, and Origin headers are simultaneously changed to attacker.com.
After initiating a password reset and then opting to resend the mail, all three of the aforementioned methods are employed.

Response Manipulation

Code Manipulation: The status code is altered to 200 OK.
Code and Body Manipulation:
- The status code is changed to 200 OK.
- The response body is modified to {"success":true} or an empty object {}.

These manipulation techniques are effective in scenarios where JSON is utilized for data transmission and receipt.

Change email of current session

From this report:

Attacker requests to change his email with a new one
Attacker receives a link to confirm the change of the email
Attacker send the victim the link so he clicks it
The victims email is changed to the one indicated by the attacker
The attack can recover the password and take over the account

This also happened in this report.

References

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag
Discover The PEASS Family, our collection of exclusive NFTs
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

External Recon Methodology

Pentesting Network

Pentesting Wifi

Phishing Methodology

Basic Forensic Methodology

Memory dump analysis

Partitions/File Systems/Carving

Pcap Inspection

Specific Software/File-Type Tricks

Windows Artifacts

Python Sandbox Escape & Pyscript

Bypass Python sandboxes

Shells (Linux, Windows, MSFVenom)

Linux Privilege Escalation

Docker Security

Docker Breakout / Privilege Escalation

Namespaces

Interesting Groups - Linux Privesc

Bypass Linux Restrictions

Bypass FS protections: read-only / no-exec / Distroless

Linux Post-Exploitation

macOS Security & Privilege Escalation

macOS Apps - Inspecting, debugging and Fuzzing

macOS Kernel & System Extensions

macOS Files, Folders, Binaries & Memory

macOS Process Abuse

macOS IPC - Inter Process Communication

macOS Library Injection

macOS Security Protections

macOS Sandbox

macOS TCC

macOS FS Tricks

macOS Red Teaming

macOS MDM

Windows Local Privilege Escalation

Dll Hijacking

Active Directory Methodology

Abusing Active Directory ACLs/ACEs

AD Certificates

Windows Security Controls

NTLM

Lateral Movement

Stealing Windows Credentials

Basic PowerShell for Pentesters

Android Applications Pentesting

Drozer Tutorial

Frida Tutorial

iOS Pentesting

Pentesting VoIP

Basic VoIP Protocols

21 - Pentesting FTP

25,465,587 - Pentesting SMTP/s

80,443 - Pentesting Web Methodology

Buckets

Drupal

Electron Desktop Apps

PHP Tricks

PHP - Useful Functions & disable_functions/open_basedir bypass

Tomcat

88tcp/udp - Pentesting Kerberos

139,445 - Pentesting SMB

161,162,10161,10162/udp - Pentesting SNMP

1433 - Pentesting MSSQL - Microsoft SQL Server

11211 - Pentesting Memcache

Reflecting Techniques - PoCs and Polygloths CheatSheet

Browser Extension Pentesting Methodology

Cache Poisoning and Cache Deception

Content Security Policy (CSP) Bypass

Cookies Hacking

Dangling Markup - HTML scriptless injection

Deserialization

NodeJS - __proto__ & prototype Pollution

File Inclusion/Path traversal

File Upload

HTTP Request Smuggling / HTTP Desync Attack

Login Bypass

PostMessage Vulnerabilities

SAML Attacks

SQL Injection

MySQL injection

NodeJS - proto & prototype Pollution

Account Takeover

Authorization Issue

Unicode Normalization Issue

Reusing Reset Token

Pre Account Takeover

CORS Misconfiguration to Account Takeover

Csrf to Account Takeover

XSS to Account Takeover

Same Origin + Cookies

Attacking Password Reset Mechanism

Response Manipulation

OAuth to Account takeover

Host Header Injection

Response Manipulation

Change email of current session

References