The Nen-Book
LinkedinTwitterMediumGithubHTB
  • Whoami
  • Walkthroughs & Writeups
    • My CTF Methodology
    • Hack The Box Machines
      • Administrator
      • Escape two
      • Cicada
      • HTB Permx Machine(CVE-2023–4220 Chamilo LMS)
    • Intigriti 1337Up 2024
      • Intigriti 1337Up 2024-CTF OSINT Challenges
      • Intigriti 1337Up Live 2024-CTF Web Challenges
    • CyCTF Quals 2024
      • OSINT Challenges CyCTF Quals 2024
      • Old Friend OSINT Challenge CyCTF 2024 Quals Writeup
    • PicoCTF
      • PicoCTF 2024 Web Exploitation Challenges
      • PicoCTF 2024 General Skills Challenges
      • PicoCTF 2021 Web Exploitation Challenges Walkthrough
      • PicoCTF 2019 Web Exploitation Challenges
  • Web_AppSec
    • Pentesting_Checklist
    • Web_Recon
    • SQli
    • ATO
    • Backend_Technology_Tricks
    • XSS
    • SSRF
    • CSRF
    • XXE
    • SSTI
    • Insecure_Deserialization
    • Open_Redirects
    • Information_Disclosures
    • Rate_Limiting
    • Clickjacking
    • Broken Access Control & IDORS
    • Bash_Scripting
    • Authentication_Vulnerabilities
    • App_Logic_Errors
  • Network & AD Pentesting
  • Cloud_Security
  • APISec
  • Code_Review
  • Bug_Hunting
  • MITRE ATT&CK
Powered by GitBook
On this page
  • Register & Signup
  • 2FA
  • Login Pages
  • OAuth

Was this helpful?

Edit on GitHub
  1. Web_AppSec

Pentesting_Checklist

Register & Signup

  
1- http not https  
2- No confirmation code lead to make account with admin email  
3- Confirmation link can be used multiple times to access account  
4- If OTP is send check rate limit  
5- Intercept the request and check if OTP is leaked in response  
6- try to create account , don't confirm it , go to settings and enable  
two factor authentication 2fa => pre-account takeover  
7- try to create account , don't confirm it , try to tie it with google or facebook , lead to pre-account takeover  
8- 0-auth senario  
- attacker creates account with [victim@gmail.com](mailto:victim@gmail.com) , can't verify it  
- victim registers account but with google 0-auth  
- now attacker account has been verified (verification bypass)  
  
9- bypass verification  
- create accont with [victim@gmail.com](mailto:victim@gmail.com) , you can't verify it  
- login and visit settings  
- change account with [hacker@gmail.com](mailto:hacker@gmail.com) => click on the link on your inbox  
- observe [victim@gmail.com](mailto:victim@gmail.com) has been verified successfully  
10- Delete account without password Confirmation  
11- xss via username , name as username='"><u>ahmedelhawary  
or "><svg/onload​=confirm(document.cookie)>"@x.y  
or [ahmed@gmail.com](mailto:ahmed@gmail.com)'\"><svg/onload​=confirm(1)>  
or ">\<img src=[[https://lnkd.in/eqyaDP5b](https://lnkd.in/eqyaDP5b)

"

2FA

  1. check 000000 - 123456

  2. check null

  3. reuse previous OTP (used one )

  4. reuse code of another account (valid)

  5. No rate limit on 2FA =>>

  6. check if exposed code in response

  7. bypass 2FA by reset password link

    1. enable 2fa

    2. - logout

    3. reset password => then click on the link

    4. if you got into directly then vulnerability

  8. bypass it by 0-auth google => 2fa 1. login 2. enable 2fa 3. login with google => if you got into directly then (vulnerability)

  9. No rate limit on sending 2FA

  10. response manipulation=>

    1. 403 Forbidden => 200 OK

    2. false => true

    3. 0 => 1

    4. failed => successful

  11. bypass 2fa by the next step

1- check 000000 - 123456  
2- check null  
3- reuse previous OTP (used one )  
4- reuse code of another account (valid)  
5- No rate limit on 2FA =>>  
6- check if exposed code in response  
7- bypass it by reset password link  
- enable 2fa  
- logout  
- reset password => then click on the link  
- if you got into directly then vulnerability  
  
8- bypass it by 0-auth google => 2fa  
1- login  
2- enable 2fa  
3- login with google => if you got into directly then (vulnerability)  
  
9- No rate limit on sending 2FA  
10- response manipulation => 403 Forbidden => 200 OK  
false => true  
0 => 1  
failed => successful  
11- bypass 2fa by the next step  
  
12- enable 2fa without email verification lead to pre-account takeover  
13- enabling 2fa does not end another sessions  
change password
  1. enable 2fa without email verification lead to pre-account takeover

  2. enabling 2fa does not end another sessions

  3. change password

Login Pages

  1. login over http not https ( insecure data transfer )

  2. no rate limit over password

  3. try default credentials (test:test) (admin:admin) (admin:password) (kali:kali) (admin:123)

  4. (admin:default) (root:root) (root:toor) (admin:kali) (kali:root) (admin:123456789)

  5. try to inject sql injection in username as admin' or 1=1;-- -

  6. try to make response manipulation to bypass login page

  7. use the request and send it to sqlmap to test if there is sql injection or not

  8. try to inject xss payloads in username as <svg/onload​=confirm()>

  9. try to inject template injection inside username as {{9*9}} and if printed 81 then vulnerable to template injection

  10. view source code of the page from CTRL+U to see if leaked credentials

1- login over http not https ( insecure data transfer )  
  
2- no rate limit over password  
  
3- try default credentials (test:test) (admin:admin) (admin:password) (kali:kali) (admin:123)  
(admin:default) (root:root) (root:toor) (admin:kali) (kali:root) (admin:123456789)  
  
4- try to inject sql injection in username as admin' or 1=1;-- -  
  
5- try to make response manipulation to bypass login page  
  
6- use the request and send it to sqlmap to test if there is sql injection or not  
  
7- try to inject xss payloads in username as <svg/onload​=confirm()>  
  
8- try to inject template injection inside username as {{9*9}} and if printed 81 then vulnerable to template injection  
  
9- view source code of the page from CTRL+U to see if leaked credentials

OAuth

OAuth Misconfig Leading to Pre-Account Takeover

Steps to Reproduce (POC):

  1. The attacker creates a new account using the victim’s email address (e.g., test@gmail.com).

    • No email verification is required, allowing the attacker to proceed.

  2. The victim logs using the “Sign in with Google” option, selecting the same email (test@gmail.com).

    • Both the attacker and victim now have access to the same account.

  3. The attacker monitors the shared account and gains access to all updates and data added by the victim (e.g., purchases, saved data).

  4. The attacker adds their own email address as a secondary email and sets it as the primary email in account settings.

  5. The attacker deletes the original email (test@gmail.com) from the account.

    • The system prompts for a new email; the attacker enters a random email and completes the process.

  6. Outcome: The victim is permanently locked out of their account. If they attempt to log in using Google, a new account is created instead.

PreviousWeb_AppSecNextWeb_Recon

Last updated 8 days ago

Was this helpful?

The attacker disconnects the Google authentication from the account by navigating to and selecting “Disconnect” under Google Settings.

https://www.target.com/Settings-cpf