1. Account Takeover by CSRF
    1. Perform CSRF to Update Attacker Email/Phone in Victim Account
    2. Perform Password Reset using Attacker Email/Phone set in Victim Account
2. Account Takeover by IDOR (Post Authentication)
    1. Perform IDOR to Update Attacker Email/Phone in Victim Account
    2. Perform Password Reset using Attacker Email/Phone set in Victim Account
3. Account Takeover by IDOR in Password Reset
    1. Trigger Password Reset Request
    2. Open the Password Reset Link and Change the `user identifier` to `victim user`.
    3. Attempt to perform Password Reset.
4. Account Takeover by Password Reset Poisoning
    1. Capture the Password Reset Request and Change the Host header value to an "attacker-controlled" host.
    2. Forward the request and check the email for the password reset link.
    3. If the password reset link contains the "attacker-controlled" hostname and the victim clicks on the link, the request (including the token) will be logged on the attacker server.
    4. Attacker can use the token and perform account takeover by resetting the password.
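The defensive side of item 4 is that a reset link must never be built from the incoming `Host` (or `X-Forwarded-Host`) header. The following added example, not from the original checklist, contrasts a link builder that trusts the header with one that uses a configured canonical origin and refuses requests whose `Host` does not match; the origin, hostnames and token format are constructed for illustration.

```python
import secrets
from urllib.parse import urlsplit

# Constructed configuration: the application's canonical public origin.
# In a real deployment this comes from config, never from the request.
CANONICAL_ORIGIN = "https://app.example.com"
CANONICAL_HOST = urlsplit(CANONICAL_ORIGIN).netloc.lower()


def host_is_canonical(headers: dict) -> bool:
    """True only when the request's Host header names the configured host.
    Forwarded-host headers are deliberately ignored; a reverse proxy should
    normalise Host before the request reaches the application."""
    host = headers.get("Host", "").strip().lower()
    return host == CANONICAL_HOST


def build_reset_link_vulnerable(headers: dict, token: str) -> str:
    """Vulnerable pattern (what the checklist item exploits): the link's host
    comes from the request, so a poisoned header ends up in the e-mail."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    return f"https://{host}/reset?token={token}"


def build_reset_link_safe(headers: dict, token: str) -> str:
    """Hardened pattern: reject mismatched Host headers outright and build
    the link from the configured origin only."""
    if not host_is_canonical(headers):
        raise ValueError("reset request with unexpected Host header")
    return f"{CANONICAL_ORIGIN}/reset?token={token}"


def new_reset_token() -> str:
    """Unpredictable, single-use token (32 random bytes, URL-safe)."""
    return secrets.token_urlsafe(32)


def link_points_to_canonical_host(link: str) -> bool:
    """Last-line check before sending mail: the link must stay on our host."""
    return urlsplit(link).netloc.lower() == CANONICAL_HOST


if __name__ == "__main__":
    # Constructed requests: one legitimate, one with a poisoned Host header.
    legit = {"Host": "app.example.com"}
    poisoned = {"Host": "attacker.example"}
    print(build_reset_link_vulnerable(poisoned, new_reset_token()))  # leaks
    print(build_reset_link_safe(legit, new_reset_token()))           # safe
```

A useful detection signal is to log and alert on every rejected reset request, since legitimate clients never send a foreign `Host` value.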
5. Account Takeover by Cross-Site Scripting
    1. Steal a user's session cookies & gain a non-persistent account takeover
    2. If there's a way to create an account using an admin account controlled by JS, you can use XSS to trigger it and create a user account. (Experienced this in a CTF situation)
6. More methods
    1. Response Manipulation
    2. Status Code Manipulation
    3. Parameter Pollution
    4. Token Forging
7. Account Takeover by Utilizing Sensitive Data Exposure
    1. Check for sensitive data exposure in different components for interesting information such as "Access Tokens", "Session Tokens", and "Credentials". Sometimes the access tokens are still fresh (not expired) and can be used to perform session hijacking and gain non-persistent access to the user account.
    2. Search for endpoints that might reveal sensitive information such as password hashes, session variables, etc. I haven't encountered these in a production application, but it is always good practice to test for them.
8. Account Takeover due to Weak Security Policies
9. Account Takeover due to Improper Rate-Limiting Checks
    1. Initiate a login request and send an OTP.
    2. Input a wrong OTP and fuzz the OTP parameter.
    3. Once the valid OTP is received, you will get the proper access token, which can be used to log into the user account.
10. Pre-Authentication Account Takeover
11. Account Takeover by OAuth Misconfiguration
    1. Using CSRF in OAuth, SSO restriction bypass, etc.
12. Account Takeover by Broken Cryptography
    1. Check for token randomness
    2. Check for standard cryptographic methods in use
    3. Try to identify if any known token generation library is used by the application.
13. Reference: Harsh Bothra
14. By: Software Odyssey