If the operations of adding a new email address or changing an existing one do not require password confirmation, session hijacking, XSS or CSRF can lead to account takeover.
An application can return unknown data in response when performing an operation. These can be requested passwords, generated OTP, cookies with additional privileges, user data, detailed error messages, and etc. Check the response from the server for such data.
An applications can use
Hostheader value for generating a password recovery link. If an application is vulnerable to
Hostheader poisoning, you can affect the link and specify your domain name. As a result, if a victim follows the link from the email, a recovery token will leak to your domain.
There are several ways to implement
You can try to replace the
Hostheader on your domain. Examples of vulnerable requests:
Components in a delivery chain, such as proxies, can pass an original host requested by the client using additional of HTTP headers:
You can try to use these headers for identifying the original host requested by the client in the
POST /users/password HTTP/1.1
You can try to specify several
Hostheaders. Example of vulnerable request:
Password recovery method can accept multiple recovery emails in one request. However, the method can search for an account to create a one-time token based on only one email, but send an email with a recovery link to all passed emails at once. For instance, if an application is vulnerable to such an attack, on the following request:
an application sends the same recovery link to two email addresses.
You can also try the following payloads:
Try to request an one-time token for your account and use them to recover a victim's account:
Successful password recovery should end previously created sessions. If this does not happen, an victim will not have mechanisms for managing the security of their account. As a result, an attacker will be able to maintain an active session for an extended period of time.
The Referer HTTP request header contains an absolute or partial address of the page that makes the request. The
Refererheader allows a server to identify a page where people are visiting it from. This data is used for analytics, logging, optimized caching, and more.
The Referer header can contain an
querystring, and may not contain URL fragments (i.e.
username:passwordinformation. The request's referrer policy defines the data that can be included, see Referrer-Policy.
A page with a password recovery, a link to which an application sends by email, can load third-party scripts, for instance, analytics, or contain links to third-party resources, for instance, social networks. If the password recovery link is passed into the
Refererheader when requesting these resources, an one-time token is leaked to a third-party resource, since it is passed to the
If an application does not set rate limits on resending OTP and resending OTP resets the set rate limits on attempts to enter OTP, an application is vulnerable to OTP bruteforce.
If an application allows using of old OTPs that have been used or re-generated, any leakage of OTPs (for example, to logs or third-party services) will compromise the functionality that relies on OTPs.
An application can implement the authentication flow as the following one:
- 1.An application calls
/SessionCreateendpoint with a mobile phone number of a user
- 2.A backend creates a session for a user and returns a session token, but no operations with this session are possible until the verification is complete
- 3.An SMS message is sent to a user with a verification code
- 4.An application calls
/SessionVerifyendpoint with both the session token and the verification code received by SMS
- 5.Once this request is successfully completed, the session token becomes valid and the user is now logged in
If subsequent calls to
/SessionCreatereturn the same session token as the first one until a call to
/SessionVerify, you can use
/SessionCreateendpoint to fecth a session token, that will valid after victim's authentication.
If during the OTP check an application additionally uses some parameters, try to use a value from a request for a different account. This parameter can be a cookie, header, or request parameter. If you use the parameter value for a victim in the OTP check request for an attacker, you can get into a victim account or bypass two-factor authentication.
Additionally, try to re-use the valid OTP value for an attacker as the OTP value for a victim. If an application does not verify that the OTP belongs to an attacker, you will be able to get into a victrim account or bypass two-factor authentication.
An application can use short (less 5 digits) and/or long-lived OTPs. Such implementation leaves many ways to bruteforce, especially if there are no rate limits, or they are weak or can be bypassed.
Applications that implement third party sign-in or sign-up often identify users based on the attached email address that the third party application sends. In such cases, you can try sign-in or sign-up with two different third-party applications that are linked to the same email address. Sometimes these two accounts can be joined and you will have access to the victim's account by sign-in or sign-up with your third-party application account.
- 2.Try sign-in or sign-up at
- 3.If the application is vulnerable, you will have access to the victim's account
If an application does not set rate limits on login attempts, try to craft a dictionary and bruteforce a password.
One of the implementations of rate limits uses a username or email as an identifier to count attempts. Try to bypass the protection by using extra spaces or upper/lower case:
You can use the following links:
You can use the following lists:
Try to login with default credentials into admin panels, third-party services, middleware, and etc.
You can use the following lists:
Most applications store hashes of user passwords and do not store passwords in clear text. Accordingly, an application hashes passed password and checks the hash against the one stored in a database when authenticating a user. Moreover, functions with sliding computational cost are often used as a hashing function, the computational complexity of which is much higher than common hash functions such as
sha256. Therefore, if an application does not implement restrictions on the length of passwords, this can be used for DoS: hashing very long passwords can be resource intensive.