Account Takeover

1. Chaining Session Hijacking with XSS

1.I have added a session hijacking method in broken authentication and session management. 
2.If you find that on target.
3.Try anyway to steal cookies on that target.
4.Here I am saying look for xss .
5.If you find xss you can steal the cookies of victim and using session hijacking you can takeover the account of victim.

2. No Rate Limit On Login With Weak Password Policy

So if you find that target have weak password policy, try to go for no rate limit attacks in poc shows by creating very weak password of your account.

(May or may not be accepted)

3. Password Reset Poisoning Leads To Token Theft

1.Go to password reset funtion.
2.Enter email and intercept the request.
3.Change host header to some other host i.e,
    Host:target.com
    Host:attacker.com
  also try to add some headers without changing host like
    X-Forwarded-Host: evil.com
    Referrer: https://evil.com
4. Forward this if you find that in next request attacker.com means you managed to successfully steal the token. :)

4. Password Reset using Forgot Password

1. Go to the password reset function.
2. Enter the email and intercept the request.
3. In the email parameter, enter the victim user's email and click on “Send” button
* If the email parameter is not there, add it and send 
4. The application will reset the victim user password, and the account has been taken over.

5. Using Auth Bypass

Check out the Auth Bypass method, there is a method for OTP bypass via response manipulation, this can leads to account takeovers.
1. Enter the wrong auth code / Password
2. Capture an auth request in Burp Suite and send it to repeater 
3. Check for the response
4. Change the response by manipulating the following parameters
  {“code”:”invalid_credentials”} -> {“code”:”valid_credentials”}
  {“verify”:”false”}             -> {“verify”:”true”}
  
  

6. Try For CSRF On

1. Change Password function.
2 .Email change
3 .Change Security Question

7. Token Leaks In Response

• So there are multiple ways to do it but all are same.

• So I will sharing my method that I have learnt here .

• Endpoints:(Register,Forget Password)

• Steps(For Registration):

  1. For registration intercept the signup request that contains the data you have entered.
  2. Click on action -> do -> intercept the response to this request.
  3. Click forward.
  4. Check response if that contains any link, any token or OTP.

---

• Steps (For password reset):

 1. Intercept the forgot password option.
 2. Click on action -> do -> intercept the response to this request.
 3. Click forward.
 4. Check response if that contains any link,any token or OTP.

8. Pre-Account Takeover

A pre-account takeover occurs when an attacker creates a user account using one signup method and the victim creates another account using a different signup method using the same email address. Because the email addresses are the same, the application connects the two accounts. when the app is unable to validate email addresses.

How to hunt:-
    Try registering any email address without verifying it.
    Try registering an account again, but this time with a different method, such as ‘sign up with Google’ from same email address.
    Because both email addresses are the same, the web application will link the two accounts.
    Now, try logging in using the specified password and username. Check to see whether you can see information from that account that was retrieved via Google.

9. password reset

1. Check if you can brute force the password reset OTP
2. test for token predictability
3. Test for JWT misconfigurations
4. Check if the password reset endpoint is vulnerable to IDOR
5. Check if the password reset endpoint is vulnerable to Host Header injection
6. Check if the password reset endpoint is leaking the token or OTP in the HTTP response
7. Check if the application validates the OTP or Token
8. Test for HTTP parameter Pollution (HPP)

Reference:

• Various Sources From Google,Twitter, Medium

• https://avanishpathak.medium.com/an-account-takeover-vulnerability-due-to-response-manipulation-e23fe629bd1