πŸ•΅
πŸ•΅
πŸ•΅
πŸ•΅
HowToHunt
Search…
πŸ•΅
πŸ•΅
πŸ•΅
πŸ•΅
HowToHunt
HowToHunt.md
Account Takeover Methodology
Account Takeover Methodology
Application Level DoS
Application Level DoS Methods
Authentication Bypass
2FA Bypasses
OTP Bypass
Broken-Link Hijacking
Broken-Link Hijacking
Broken Auth And Session Management
Session Based Bugs
CMS
Wordpress
Moodle
CORS
CORS
CORS Bypasses
CSRF
CSRF
CSRF Bypass
Finding CVEs
CVES
CheckList
Web Application Pentesting Checklist
Web Checklist by Chintan Gurjar.pdf
Mindmap by Rohit Gautam
Mindmap by Cristian Cornea
Web Page Source Code Review
Web Page Code Review Tips
EXIF Geo Data Not Stripped
EXIF Geo Data Not Stripped
File Upload Bypass
File Upload Bypass
Find Origin IP
Find Origin
GraphQL
GraphQL
HTTP Desync Attack
HTTP_Desync
Host-Header Attack
Host-Header
HTML-Injection
HTML-Injection
IDOR
IDOR
JWT ATTACK
JWT
MFA Bypass
MFA Bypasses
2FA-Bypass
Misconfigurations
Default Credential And Admin Panel
OAuth
OAuth
Open Redirection
Find OpenRedirect Trick
Open Redirection Bypass
Parameter Pollution
Parameter Pollution In Social Sharing Buttons
Password Reset Functionality
MindMap
Password Reset Token Leakage
Account_Takeover_By_Password_Reset_Functionality
Rate Limit
Rate-Limit Bypass
Recon
Recon Workflow
Subdomain Enumeration
SQLi
SQL Injection.md
SSRF
SSRF
Blind SSRF
SSTI
SSTI
Sign Up Functionality
Sign Up Bugs
Sign Up MindMap
Sensitive Info Leaks
Github Recon Method
Github-Dorks
Github Dorks All
Google Dorks
Shodan CVE Dorks
Status Code Bypass
Status_Code_Bypass Tips
403 Bypass
Subdomain Takeover
Subdomain Takeover - Detail Method
Subdomain Takeover - Easy Method
Tabnabbing
Tabnabbing
WAF Bypasses
WAF Bypass Using Headers
Weak Password Policy
Weak Password Policy
XSS
XSS
Automated XSS
XXE
XXE Methods
Powered By GitBook
Account Takeover Methodology

Chaining Session Hijacking with XSS

1.I have added a session hijacking method in broken authentication and session management.
2.If you find that on target.
3.Try anyway to steal cookies on that target.
4.Here I am saying look for xss .
5.If you find xss you can steal the cookies of victim and using session hijacking you can takeover the account of victim.

No Rate Limit On Login With Weak Password Policy

So if you find that target have weak password policy, try to go for no rate limit attacks in poc shows by creating very weak password of your account.
​
(May or may not be accepted)

Password Reset Poisioning Leads To Token Theft

1.Go to password reset funtion.
2.Enter email and intercept the request.
3.Change host header to some other host i.e,
Host:target.com
Host:attacker.com
also try to add some headers without changing host like
X-Forwarded-Host: evil.com
Referrer: https://evil.com
4.Forward this if you find that in next request attacker.com means you managed to successfully steal the token. :)

Using Auth Bypass

Check out Auth Bypass method, there is a method for OTP bypass via response manipulation, this can leads to account takeovers.

Try For CSRF On

1.Change Password function.
2.Email change
3.Change Security Question

Token Leaks In Response

  • So there are multiple ways to do it but all are same.
  • So I will sharing my method that I have learnt here .
  • Endpoints:(Register,Forget Password)
  • Steps(For Registration):
1. For registeration intercept the signup request that contains the data you have entered.
2. Click on action -> do -> intercept the response to this request.
3. Click forward.
4. Check response if that contains any link, any token or OTP.
​
  • Steps (For password reset):
1. Intercept the forget password option.
2. Click on action -> do -> intercept the response to this request.
3. Click forward.
4. Check response if that contains any link,any token or OTP.

Reference:

  • Various Source From Google,Twitter,Medium

Author

Previous
HowToHunt.md
Next - Application Level DoS
Application Level DoS Methods
Last modified 4mo ago
Copy link
Outline
Chaining Session Hijacking with XSS
No Rate Limit On Login With Weak Password Policy
Password Reset Poisioning Leads To Token Theft
Using Auth Bypass
Try For CSRF On
Token Leaks In Response
Reference:
Author