- Account Takeover via IDOR in Password Reset
- Account Takeover by Password Reset Poisoning
- Account Takeover via IDOR (Post Authentication)
- Account Takeover via CSRF
- Account Takeover by Broken Cryptography
- Account Takeover by OAuth Misconfiguration
- Pre-Authentication Account Takeover
- Account Takeover due to Improper Rate-Limit/Anti-Automation Checks
- Account Takeover due to Weak Security Policies
- Account Takeover by utilizing Sensitive Data Exposure
- Account Takeover by XSS
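Added example (not part of the original mind map) for the "Password Reset Poisoning" item above: a reset-link builder that derives the link's host from the request's Host / X-Forwarded-Host headers, beside a hardened version that pins the link to a configured origin and rejects requests whose Host does not match it. The canonical origin, header dicts and token value are constructed for the demo.

```python
"""Password reset poisoning: vulnerable vs. hardened reset-link construction.

Added illustration, not code from the mind map or its author. The origin,
request headers and token below are constructed sample data.
"""
from urllib.parse import urlsplit

# Assumed deployment setting: the only origin a reset link may ever point at.
CANONICAL_ORIGIN = "https://app.example.com"

# Constructed token; a real service would generate it with secrets.token_urlsafe().
SAMPLE_TOKEN = "constructed-demo-token-123"

# Constructed requests: a legitimate one, one with a replaced Host header, and one
# where a proxy-style X-Forwarded-Host header is injected while Host stays correct.
LEGIT_REQUEST = {"Host": "app.example.com"}
POISONED_HOST_REQUEST = {"Host": "attacker.example"}
POISONED_XFH_REQUEST = {"Host": "app.example.com", "X-Forwarded-Host": "attacker.example"}


def build_reset_link_vulnerable(headers: dict, token: str) -> str:
    """Vulnerable: the link host comes from attacker-influenced request headers.

    If the victim clicks the emailed link, the token is delivered to the
    attacker's host, who then completes the reset and takes over the account.
    """
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    return f"https://{host}/reset?token={token}"


def build_reset_link_hardened(headers: dict, token: str) -> str:
    """Hardened: never read the host from the request.

    The link is built from CANONICAL_ORIGIN. As defence in depth, a request whose
    Host header does not match that origin is refused outright, and forwarded
    host headers are ignored entirely.
    """
    expected_host = urlsplit(CANONICAL_ORIGIN).netloc.lower()
    host = headers.get("Host", "").strip().lower()
    if host != expected_host:
        raise ValueError(f"unexpected Host header: {host!r}")
    return f"{CANONICAL_ORIGIN}/reset?token={token}"


def demo() -> dict:
    """Return the links each builder produces for the constructed requests."""
    results = {
        "vulnerable/host": build_reset_link_vulnerable(POISONED_HOST_REQUEST, SAMPLE_TOKEN),
        "vulnerable/xfh": build_reset_link_vulnerable(POISONED_XFH_REQUEST, SAMPLE_TOKEN),
        "hardened/legit": build_reset_link_hardened(LEGIT_REQUEST, SAMPLE_TOKEN),
        "hardened/xfh": build_reset_link_hardened(POISONED_XFH_REQUEST, SAMPLE_TOKEN),
    }
    try:
        build_reset_link_hardened(POISONED_HOST_REQUEST, SAMPLE_TOKEN)
    except ValueError as exc:
        results["hardened/host"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:16} {value}")
```

When testing, send the reset request with a modified Host header and, separately, with an added X-Forwarded-Host header, then check which host appears in the link the victim receives; the hardened builder must produce the canonical host in both cases or refuse the request.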

Misc. Methods
- Response Body Manipulation
- Status Code Manipulation
- Parameter Pollution
- Mass Assignment
- Token Forging
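Added example (not part of the original mind map) for the "Mass Assignment" item above: a profile-update handler that copies every client-supplied field onto the user record, so a request that also carries `email` or `role` rewrites them (changing the email is then a direct path to account takeover through the reset flow), beside a hardened version that only accepts an allowlist of writable fields. The User model, field names and payload are constructed for the demo.

```python
"""Mass assignment: vulnerable vs. allowlisted profile update.

Added illustration, not code from the mind map or its author. The User model,
the WRITABLE_FIELDS allowlist and the payload are constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class User:
    """Constructed user record; role and email are the sensitive fields."""
    id: int
    email: str
    display_name: str
    role: str = "user"
    email_verified: bool = True


# Constructed attacker payload: a legitimate-looking display_name change that also
# smuggles an email change (reset flow now goes to the attacker) and a role change.
ATTACK_PAYLOAD = {
    "display_name": "Mallory",
    "email": "attacker@evil.example",
    "role": "admin",
}

# Assumed policy: only the display name is writable through this endpoint;
# email changes must go through a separate verified flow.
WRITABLE_FIELDS = frozenset({"display_name"})


def make_victim() -> User:
    """Fresh copy of the constructed victim record."""
    return User(id=7, email="victim@example.com", display_name="Vic")


def update_profile_vulnerable(user: User, payload: dict) -> User:
    """Vulnerable: binds every key present on the model, whatever the client sent."""
    for key, value in payload.items():
        if hasattr(user, key):
            setattr(user, key, value)
    return user


def update_profile_hardened(user: User, payload: dict) -> User:
    """Hardened: reject any field outside the allowlist instead of silently binding it.

    Rejecting (rather than ignoring) unknown fields makes probing for hidden
    attributes visible in logs and tests.
    """
    unexpected = set(payload) - WRITABLE_FIELDS
    if unexpected:
        raise ValueError(f"fields not writable via this endpoint: {sorted(unexpected)}")
    for key in WRITABLE_FIELDS & set(payload):
        setattr(user, key, payload[key])
    return user


def demo() -> dict:
    """Apply the attack payload to both handlers and report the resulting records."""
    vulnerable = update_profile_vulnerable(make_victim(), ATTACK_PAYLOAD)
    try:
        update_profile_hardened(make_victim(), ATTACK_PAYLOAD)
        hardened = "accepted (unexpected)"
    except ValueError as exc:
        hardened = f"rejected: {exc}"
    benign = update_profile_hardened(make_victim(), {"display_name": "Mallory"})
    return {"vulnerable": vulnerable, "hardened_attack": hardened, "hardened_benign": benign}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:16} {value}")
```

To probe for this during an assessment, replay a legitimate profile update with extra JSON keys taken from the API's own responses (`email`, `role`, `is_admin`, `email_verified`) and diff the returned object; any key that sticks is a mass-assignment sink.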
- More details on these attack vectors can be found at:
https://github.com/harsh-bothra/SecurityExplained/blob/main/resources/account-takeovers-methodology.md
- MindMap Created By:
Harsh Bothra
(Twitter: @harshbothra_)