All about Account Takeover
2022-3-7 21:30:56 Author: infosecwriteups.com (view original) Views: 22

Xcheater

Hello there, hackers.

I hope you’re doing well and catching a lot of bugs and dollars!

So, for today, I’m here with a comprehensive methodology for recognizing account takeover.

What is an Account takeover?

ATO, or Account Hijacking, is a kind of attack that allows an unauthorized user to gain access to another user’s account by exploiting vulnerabilities. In other words, somebody is able to gain access to someone else’s account without being its legitimate owner.

This attack is the result of a vulnerability that can be found in the signup, login, forgot-password, or password-change areas. Apart from these, there are some other vulnerabilities that require user interaction. Let’s find out what those techniques are :-

Pre-Account Takeover : A pre-account takeover occurs when an attacker creates a user account using one signup method and the victim later creates another account using a different signup method with the same email address. Because the email addresses are the same, and the app does not validate ownership of the email address, the application connects the two accounts.

How to hunt :-

  • Try registering with any email address, without verifying it.
  • Try registering an account again, but this time with a different method, such as ‘sign up with Google’, using the same email address.
  • Because both email addresses are the same, the web application will link the two accounts.
  • Now try logging in with the originally chosen username and password. Check whether you can see information in that account that was retrieved via Google.
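The defensive counterpart of the steps above, as an added example that is not from the original post: an account-linking routine that refuses to attach a “sign in with Google”-style identity to an existing local account unless the local signup has verified its email and the identity provider asserts the address as verified. The store, account fields and provider names are constructed for the demo.

```python
# Added example (not the post's code): safe account linking for the
# pre-account-takeover case.  All names and data here are constructed.
from dataclasses import dataclass, field


@dataclass
class Account:
    email: str
    email_verified: bool            # did the user prove control of the address?
    providers: set = field(default_factory=set)


def link_oauth_identity(store, email, provider, provider_email_verified):
    """Link a '<provider>' login to the account registered under `email`.

    Vulnerable pattern: match on the email string alone and merge.
    Safe pattern: merge only when BOTH sides have proven ownership of the
    address; otherwise refuse, so an unverified attacker-created signup can
    never become the victim's account.

    Returns ("created", acct), ("linked", acct) or ("refused", reason).
    """
    key = email.strip().lower()         # normalise before lookup
    existing = store.get(key)
    if existing is None:
        # First sighting of this address: the IdP's verified claim is the
        # only proof of ownership we have, so record exactly that.
        acct = Account(key, provider_email_verified, {provider})
        store[key] = acct
        return "created", acct
    if not existing.email_verified:
        # An unverified local signup could belong to anyone (the attacker's
        # pre-registration); never silently add a second login method to it.
        return "refused", "local account for %s is unverified" % key
    if not provider_email_verified:
        return "refused", "%s did not assert a verified email" % provider
    existing.providers.add(provider)
    return "linked", existing
```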

Account takeover due to Improper Rate limit : Rate limiting is a technique for controlling the amount of traffic flowing into and out of a network. In simple terms, no rate limit means there is no mechanism in place to protect you from someone making too many requests in a short period of time.

If a web application fails to implement this correctly, an attacker can take advantage of the issue and bruteforce authentication. This could result in account takeover.

How to Hunt:-

  • Capture the request at the login page while providing a username and password.
  • Send it to Intruder and brute force it.
  • Analyze the response and its length.
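What the missing control looks like when it is present, as an added example that is not from the original post: a sliding-window login throttle keyed on both the target username and the client IP, consulted before the password check so a locked account answers identically to a right or wrong guess (the response-length signal the hunting step above relies on). The credential store and timestamps are constructed.

```python
# Added example (not the post's code): login throttling against brute force.
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window failure counter keyed on username and on client IP."""

    def __init__(self, max_failures=5, window_seconds=300):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures = defaultdict(deque)  # key -> timestamps of failures

    def _keys(self, username, ip):
        return (("user", username.lower()), ("ip", ip))

    def _recent(self, key, now):
        q = self._failures[key]
        while q and now - q[0] >= self.window:  # drop entries outside window
            q.popleft()
        return q

    def allowed(self, username, ip, now):
        return all(len(self._recent(k, now)) < self.max_failures
                   for k in self._keys(username, ip))

    def record_failure(self, username, ip, now):
        for k in self._keys(username, ip):
            self._recent(k, now).append(now)

    def record_success(self, username):
        self._failures.pop(("user", username.lower()), None)


def attempt_login(throttle, check_password, username, password, ip, now):
    """Returns 'ok', 'bad_credentials' or 'rate_limited'.  The throttle is
    consulted BEFORE the password is checked, so a locked account gives the
    same answer whether or not the guess was right."""
    if not throttle.allowed(username, ip, now):
        return "rate_limited"
    if check_password(username, password):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username, ip, now)
    return "bad_credentials"


_USERS = {"alice": "correct horse battery staple"}  # constructed demo store


def demo_check(username, password):
    return _USERS.get(username) == password
```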

Account takeover by Response & Status code Manipulation : When an attacker sends a request to the server and is able to modify the server’s response, the attacker may be able to bypass authentication. This usually happens when validation is only performed in the client-side application and not on the web server, i.e. when the client only allows the login to proceed if certain conditions in the response are met.

Check out this: [ OTP Bypass via Response Manipulation ]

Account takeover by utilizing sensitive data exposure : Sensitive data exposure occurs when a web application fails to properly protect confidential information, resulting in the disclosure of sensitive information or data about users, or anything related to them, to a third party.

Occasionally, the application exposes unnecessary data, such as valid OTPs, hashes, or passwords, in the request or response. So it’s a good idea to pay close attention to both the request and response portions. Check out [ All about Information disclosure ] for more techniques.

Account takeover via IDOR: An insecure direct object reference happens when an attacker gains direct access to a resource without authorization by utilizing user-supplied input. By exploiting such vulnerabilities, attackers can bypass the authorization procedure and gain direct access to system resources.

IDOR can occur at various stages, so the relevant endpoints must be identified. A common location for this is the password reset functionality, or any post-authentication page, such as the user profile, password change, or email change.

Account takeover by Password Reset Poisoning: An attacker uses password reset poisoning to trick a vulnerable website into generating a password reset link that points to a domain they control. This behavior can be exploited to steal the secret tokens required to reset arbitrary users’ passwords, compromising their accounts in the process.

Check out [ All about Password Reset Vulnerabilities] for more techniques that can be used on the password reset function.

How to hunt:-

  • Intercept the password reset request in Burp Suite.
  • Add one of the following headers, or edit the existing Host header, in Burp Suite (try the variants one by one).
  • Analyze the response.

You can use an ngrok server as your attacker server.

Host: attacker.com

Host: target.com
X-Forwarded-Host: attacker.com

Host: target.com
Host: attacker.com

Account takeover by exploiting Weak cryptography : Weak cryptography is described as an encryption/decryption algorithm that uses a key that is not long enough. Because the encryption algorithm’s key length is insufficient, it’s possible to break the encryption method and use it for harmful purposes.

For example, resetting passwords with a URL is a common method used in a variety of web services. However, a less secure implementation of this method uses a URL with an easily guessable parameter to identify which account is being reset.

Check this: [ Weak Cryptography in Password Reset to Full Account Takeover ]

Hope this is useful for you guys.

Happy Hacking !

Twitter handle :- https://twitter.com/Xch_eater


Source: https://infosecwriteups.com/all-about-account-takeover-825d8fcf2d57?source=rss----7b722bfd1b8d--bug_bounty