Pentesting_Checklist
Register & Signup
1- http not https
2- No confirmation code lead to make account with admin email
3- Confirmation link can be used multiple times to access account
4- If OTP is send check rate limit
5- Intercept the request and check if OTP is leaked in response
6- try to create account , don't confirm it , go to settings and enable
two factor authentication 2fa => pre-account takeover
7- try to create account , don't confirm it , try to tie it with google or facebook , lead to pre-account takeover
8- 0-auth senario
- attacker creates account with [victim@gmail.com](mailto:victim@gmail.com) , can't verify it
- victim registers account but with google 0-auth
- now attacker account has been verified (verification bypass)
9- bypass verification
- create accont with [victim@gmail.com](mailto:victim@gmail.com) , you can't verify it
- login and visit settings
- change account with [hacker@gmail.com](mailto:hacker@gmail.com) => click on the link on your inbox
- observe [victim@gmail.com](mailto:victim@gmail.com) has been verified successfully
10- Delete account without password Confirmation
11- xss via username , name as username='"><u>ahmedelhawary
or "><svg/onload=confirm(document.cookie)>"@x.y
or [ahmed@gmail.com](mailto:ahmed@gmail.com)'\"><svg/onload=confirm(1)>
or ">\<img src=[[https://lnkd.in/eqyaDP5b](https://lnkd.in/eqyaDP5b)
"
2FA
check 000000 - 123456
check null
reuse previous OTP (used one )
reuse code of another account (valid)
No rate limit on 2FA =>>
check if exposed code in response
bypass 2FA by reset password link
enable 2fa
- logout
reset password => then click on the link
if you got into directly then vulnerability
bypass it by 0-auth google => 2fa 1. login 2. enable 2fa 3. login with google => if you got into directly then (vulnerability)
No rate limit on sending 2FA
response manipulation=>
403 Forbidden => 200 OK
false => true
0 => 1
failed => successful
bypass 2fa by the next step
1- check 000000 - 123456
2- check null
3- reuse previous OTP (used one )
4- reuse code of another account (valid)
5- No rate limit on 2FA =>>
6- check if exposed code in response
7- bypass it by reset password link
- enable 2fa
- logout
- reset password => then click on the link
- if you got into directly then vulnerability
8- bypass it by 0-auth google => 2fa
1- login
2- enable 2fa
3- login with google => if you got into directly then (vulnerability)
9- No rate limit on sending 2FA
10- response manipulation => 403 Forbidden => 200 OK
false => true
0 => 1
failed => successful
11- bypass 2fa by the next step
12- enable 2fa without email verification lead to pre-account takeover
13- enabling 2fa does not end another sessions
change password
enable 2fa without email verification lead to pre-account takeover
enabling 2fa does not end another sessions
change password
Login Pages
login over http not https ( insecure data transfer )
no rate limit over password
try default credentials (test:test) (admin:admin) (admin:password) (kali:kali) (admin:123)
(admin:default) (root:root) (root:toor) (admin:kali) (kali:root) (admin:123456789)
try to inject sql injection in username as admin' or 1=1;-- -
try to make response manipulation to bypass login page
use the request and send it to sqlmap to test if there is sql injection or not
try to inject xss payloads in username as <svg/onload=confirm()>
try to inject template injection inside username as {{9*9}} and if printed 81 then vulnerable to template injection
view source code of the page from CTRL+U to see if leaked credentials
1- login over http not https ( insecure data transfer )
2- no rate limit over password
3- try default credentials (test:test) (admin:admin) (admin:password) (kali:kali) (admin:123)
(admin:default) (root:root) (root:toor) (admin:kali) (kali:root) (admin:123456789)
4- try to inject sql injection in username as admin' or 1=1;-- -
5- try to make response manipulation to bypass login page
6- use the request and send it to sqlmap to test if there is sql injection or not
7- try to inject xss payloads in username as <svg/onload=confirm()>
8- try to inject template injection inside username as {{9*9}} and if printed 81 then vulnerable to template injection
9- view source code of the page from CTRL+U to see if leaked credentials
OAuth
OAuth Misconfig Leading to Pre-Account Takeover
Steps to Reproduce (POC):
The attacker creates a new account using the victim’s email address (e.g., test@gmail.com).
No email verification is required, allowing the attacker to proceed.
The victim logs using the “Sign in with Google” option, selecting the same email (test@gmail.com).
Both the attacker and victim now have access to the same account.
The attacker monitors the shared account and gains access to all updates and data added by the victim (e.g., purchases, saved data).
The attacker adds their own email address as a secondary email and sets it as the primary email in account settings.
The attacker deletes the original email (test@gmail.com) from the account.
The attacker disconnects the Google authentication from the account by navigating to https://www.target.com/Settings-cpf and selecting “Disconnect” under Google Settings.
The system prompts for a new email; the attacker enters a random email and completes the process.
Outcome: The victim is permanently locked out of their account. If they attempt to log in using Google, a new account is created instead.
Last updated
Was this helpful?