My Hunting Approach on Login

1

Email Verification bypass

1) Create an account.
2) Intercept the registration request with Burp Suite.
3) Now intercept the response to that HTTP request.
4) Change the field "confirmed":false to true.
5) The accept-terms check can be bypassed the same way, by changing "agreement_accepted":false to true.
6) Forward the edited response and open the profile. If the profile loads, the application gates verification on a flag the client holds rather than on the server-side record.
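The flip above only matters when some later request trusts the flag the client now holds. The following is an added example (it is not code from the page, and the user table, field names and endpoint logic are assumptions) that applies the same edit to a constructed registration response and then contrasts a profile endpoint that trusts the client-held flags with one that re-reads the server record:

```python
import json

# Constructed example of the registration response the steps above describe;
# it is not a capture from any real application.
RAW_RESPONSE = json.dumps({
    "id": 42,
    "email": "tester@example.com",
    "confirmed": False,
    "agreement_accepted": False,
})

# Constructed server-side user table (hypothetical): the only authoritative state.
USERS = {42: {"confirmed": False, "agreement_accepted": False}}


def flip_flags(data: dict, flags=("confirmed", "agreement_accepted")) -> dict:
    """What the Burp step does by hand: every listed flag that is false becomes true."""
    patched = dict(data)
    for name in flags:
        if patched.get(name) is False:
            patched[name] = True
    return patched


def tamper_response(body: str) -> str:
    """Apply flip_flags to a raw JSON response body (the text shown in Burp's editor)."""
    return json.dumps(flip_flags(json.loads(body)))


def vulnerable_profile_access(client_state: dict) -> bool:
    """Vulnerable: the profile endpoint trusts the flags the client sends back
    (from local storage, a cookie or a hidden field seeded by the tampered response)."""
    return bool(client_state.get("confirmed")) and bool(client_state.get("agreement_accepted"))


def hardened_profile_access(user_id: int, client_state: dict) -> bool:
    """Hardened: client-supplied flags are ignored; only the server record decides."""
    record = USERS.get(user_id)
    if record is None:
        return False
    return record["confirmed"] and record["agreement_accepted"]


if __name__ == "__main__":
    tampered = json.loads(tamper_response(RAW_RESPONSE))
    print("tampered body:", tampered)
    print("vulnerable grants profile:", vulnerable_profile_access(tampered))
    print("hardened grants profile:", hardened_profile_access(tampered["id"], tampered))
```

In Burp the same edit can be automated with Proxy > Options > Match and Replace on response bodies, which is handy when the flag is re-fetched on every page load.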

2

No rate limit on registration, password reset, signup, login, email-sending and SMS-sending endpoints

Proof of Concept
Via a POST request header:

1) Capture the forgot-password POST request (the one that actually sends the email) and send it to Intruder.
2) Attack type: Sniper. Put the payload position in any header value, e.g. Any-Header: 0.§5§ (the § marks are Burp's payload position), so every request differs slightly.
3) Payload set: 1, payload type: Numbers, Sequential, From: 1, To: 100, Step: 1, then click Start attack.
4) If every response is a 204, every one of the 100 requests reached the server.
5) Check the inbox for the flood of reset emails.
-----------------
Via the email parameter:

1) Open an email-sending feature (for example, forgot password).
2) Enter the email address and intercept that request.
3) Send it to Intruder and mark the email parameter as the injection point.
4) Paste your own email address into the payload list 100 times.
5) Start the attack; you should receive 100 emails.
-----------
Via X-Forwarded-For: 127.0.0.1

1) Visit https://www.website.com/
2) Go to the email-sending feature.
3) Enter the victim's email address.
4) Fire up Burp Suite and intercept the request.
5) Keep resending the request. If the rate limit kicks in and blocks you, add the header X-Forwarded-For: 127.0.0.1. When the application takes its client IP from that header, this resets the counter; change the address to 127.0.0.2, .3, .4, .5, .6 and so on each time you are blocked again. The same trick is worth trying with X-Real-IP, X-Originating-IP and X-Client-IP.
-----------
Via a null byte after the email:

1) Simply append %00 to the email address and resend to get even more password-reset emails: email=email@here.com%00. This works when the rate limiter keys on the raw parameter value while the mail backend drops the trailing byte and still delivers to the same mailbox.
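All four variants above work against the same root cause: the limiter keys on something the attacker controls. The following is an added example (not the page's code; the trusted-proxy address, attacker address and limiter thresholds are assumptions) that replays 100 constructed reset requests, rotating X-Forwarded-For and appending %00 / whitespace to the email, through three limiter keys: one that trusts X-Forwarded-For, one that keys on the raw email string, and a hardened one that takes the IP from the socket (or the last hop appended by a trusted proxy) and normalises the email first:

```python
from collections import defaultdict

TRUSTED_PROXIES = {"10.0.0.1"}   # hypothetical: the only hop allowed to set X-Forwarded-For


class RateLimiter:
    """Sliding-window counter: at most `limit` events per `window` seconds per key."""

    def __init__(self, limit: int, window: float = 60.0):
        self.limit, self.window = limit, window
        self.hits = defaultdict(list)

    def allow(self, key: str, now: float) -> bool:
        recent = [t for t in self.hits[key] if now - t < self.window]
        if len(recent) >= self.limit:
            self.hits[key] = recent
            return False
        recent.append(now)
        self.hits[key] = recent
        return True


def normalize_email(raw: str) -> str:
    """Collapse the variants the attack uses: cut at the first NUL (the %00 trick),
    trim whitespace, lower-case."""
    return raw.split("\x00", 1)[0].strip().lower()


def client_ip(request: dict) -> str:
    """Use X-Forwarded-For only when the socket peer is a trusted proxy, and then only
    the last hop it appended; anything the client wrote before that is untrusted."""
    peer = request["remote_addr"]
    if peer not in TRUSTED_PROXIES:
        return peer
    hops = [h.strip() for h in request["headers"].get("X-Forwarded-For", "").split(",") if h.strip()]
    return hops[-1] if hops else peer


def key_trusting_xff(request: dict) -> str:
    """Vulnerable: keyed on whatever X-Forwarded-For the client sent."""
    ip = request["headers"].get("X-Forwarded-For", request["remote_addr"])
    return f"{ip}|{request['params']['email']}"


def key_raw_email(request: dict) -> str:
    """Vulnerable: keyed on the raw email string, so 'victim@x.com%00' is a fresh key."""
    return request["params"]["email"]


def key_hardened(request: dict) -> str:
    return f"{client_ip(request)}|{normalize_email(request['params']['email'])}"


def make_attack(n: int) -> list:
    """Constructed attacker traffic: n password-reset requests for one victim,
    rotating X-Forwarded-For and appending %00 / whitespace variants to the email."""
    suffixes = ["", "\x00", " ", "\x00\x00"]
    return [{
        "remote_addr": "203.0.113.7",                          # attacker's real address (constructed)
        "headers": {"X-Forwarded-For": f"127.0.0.{i % 250 + 1}"},
        "params": {"email": "victim@example.com" + suffixes[i % 4]},
    } for i in range(n)]


def emails_sent(key_fn, requests: list, limit: int = 5) -> int:
    """Replay the traffic through a limiter keyed by key_fn; return how many got through."""
    limiter = RateLimiter(limit=limit)
    base = 1_700_000_000.0
    return sum(limiter.allow(key_fn(r), base + i * 0.01) for i, r in enumerate(requests))


if __name__ == "__main__":
    attack = make_attack(100)
    for name, fn in [("trust XFF", key_trusting_xff), ("raw email", key_raw_email), ("hardened", key_hardened)]:
        print(f"{name:10s}: {emails_sent(fn, attack)} of 100 reset emails sent")
```

With a limit of 5 per minute the XFF-trusting key lets all 100 through, the raw-email key lets 20 through (five per %00 variant), and the hardened key stops at 5. The email normalisation should match whatever the mail backend does to the address, otherwise the two still disagree.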

3

Captcha bypass on the signup, login or forgot-password page

Captcha bypass tips:
- Try changing the request method
- Remove the captcha parameter from the request
- Leave the parameter empty
- Fill in a random value
-----------------
Proof of Concept 1:
1) Go to https://www.coinbase.com/signup
2) Fill in the input fields and solve the captcha.
3) Turn on Burp, submit the form and capture the request.
4) Remove the g-recaptcha-response parameter (the response value) and forward it.
-----------------
Proof of Concept 2:
1) Go to https://www.website.com/login
2) Fill in the input fields and solve the captcha.
3) Turn on Burp, submit the form and capture the request.
4) Remove the recaptcha-response value together with its header and forward it.
-----------------
Proof of Concept 3:
1) Create a new request by entering the right captcha value.
2) Intercept the request in a proxy tool.
3) Now change the method from POST to PUT and resubmit the request.
4) Repeat the request any number of times and observe that, instead of demanding a fresh captcha each time, the old value, or any value at all, is accepted.
-----------------
Proof of Concept 4:
1) Go to https://www.website.com/signup
2) Fill in the input fields and solve the captcha.
3) Turn on Burp, submit the form and capture the request.
4) Remove the g-recaptcha-response parameter (the response value) and forward it.
-----------------
Proof of Concept 5:
1) Enter your email in the forgot-password form.
2) Complete the captcha.
3) Capture the request in the proxy.
4) Delete the captcha parameter from the request.
5) Check the response.

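The five PoCs above boil down to three server-side mistakes: the captcha is only checked on one HTTP method, only when the field is present and non-empty, and a solved token is never burned after use. The following is an added example (not code from the page; the verifier is an offline stand-in for the reCAPTCHA siteverify call and the handler names are assumptions) that drives a vulnerable and a hardened forgot-password handler through each bypass and reports which ones got an email sent:

```python
import secrets


class CaptchaVerifier:
    """Stand-in for the reCAPTCHA siteverify call (hypothetical, offline): a token is
    valid if this verifier issued it; the hardened path additionally refuses reuse."""

    def __init__(self):
        self.issued, self.used = set(), set()

    def issue(self) -> str:
        """Simulates the widget handing the browser a solved-captcha token."""
        token = secrets.token_hex(16)
        self.issued.add(token)
        return token

    def check(self, token: str, single_use: bool) -> bool:
        if token not in self.issued:
            return False
        if single_use:
            if token in self.used:
                return False
            self.used.add(token)
        return True


def vulnerable_forgot_password(method: str, form: dict, verifier: CaptchaVerifier) -> str:
    """Vulnerable handler with all three bugs the PoCs exploit: the captcha is checked
    only on POST, only when the field is non-empty, and a used token is accepted again."""
    token = form.get("g-recaptcha-response")
    if method == "POST" and token:            # missing or empty field skips the check
        if not verifier.check(token, single_use=False):
            return "captcha failed"
    return "reset email sent"


def hardened_forgot_password(method: str, form: dict, verifier: CaptchaVerifier) -> str:
    """Hardened: POST only, token required, verified, and burned after one use."""
    if method != "POST":
        return "405 method not allowed"
    token = form.get("g-recaptcha-response", "")
    if not token or not verifier.check(token, single_use=True):
        return "captcha failed"
    return "reset email sent"


def run_bypasses(handler) -> dict:
    """Drive one handler through the bypass attempts from the PoCs; True = email went out."""
    verifier = CaptchaVerifier()
    email = {"email": "victim@example.com"}          # constructed form data
    solved = verifier.issue()                         # one legitimately solved captcha
    attempts = {
        "remove param": ("POST", dict(email)),
        "empty param":  ("POST", {**email, "g-recaptcha-response": ""}),
        "random value": ("POST", {**email, "g-recaptcha-response": "garbage"}),
        "POST -> PUT":  ("PUT", dict(email)),
        "first use":    ("POST", {**email, "g-recaptcha-response": solved}),
        "replay":       ("POST", {**email, "g-recaptcha-response": solved}),
    }
    return {name: handler(method, form, verifier) == "reset email sent"
            for name, (method, form) in attempts.items()}


if __name__ == "__main__":
    for label, handler in [("vulnerable", vulnerable_forgot_password), ("hardened", hardened_forgot_password)]:
        print(label, run_bypasses(handler))
```

Note that "random value" fails against both handlers here: a made-up token only works when the server never calls the verifier at all, so that tip is the one to try last.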
4

OTP Verification bypass

Proof of Concept 1:
1) Visit https://website.com/login and open the proxy (or the browser's network inspector).
2) Type in a random OTP (here I used 0787765562) and submit it.
3) Look at the response to the verification request: it contains an otpKey field. Type that value into the OTP prompt on the website.
4) The OTP prompt is bypassed, because the server hands the expected code to the very client it is supposed to be challenging.
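To make the bug concrete, here is an added example (not code from the page; the OTP service, field names and attempt limit are assumptions) with a verify endpoint that leaks the expected code in its error response the way the PoC describes, next to one that returns nothing but success/failure, stores only a hash of the code, compares in constant time and locks after a few attempts:

```python
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 5   # assumed lockout threshold


class OtpService:
    """Constructed OTP backend. `sms_outbox` stands in for the SMS gateway so the
    demo (and its test) can see what the user's phone would receive."""

    def __init__(self):
        self.pending = {}      # phone -> {"digest": bytes, "plain": str, "attempts": int}
        self.sms_outbox = []   # (phone, otp)

    def send_otp(self, phone: str) -> None:
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[phone] = {
            "digest": hashlib.sha256(otp.encode()).digest(),
            "plain": otp,      # only the vulnerable endpoint ever reads this
            "attempts": 0,
        }
        self.sms_outbox.append((phone, otp))

    def matches(self, phone: str, otp: str) -> bool:
        entry = self.pending.get(phone)
        if entry is None:
            return False
        return hmac.compare_digest(entry["digest"], hashlib.sha256(otp.encode()).digest())


def vulnerable_verify(svc: OtpService, phone: str, otp: str) -> dict:
    """Vulnerable: a wrong guess returns the expected code as otpKey, so the caller
    just reads it from the response and types it in."""
    entry = svc.pending.get(phone)
    if entry is None:
        return {"success": False, "error": "no pending otp"}
    if svc.matches(phone, otp):
        return {"success": True}
    return {"success": False, "error": "invalid otp", "otpKey": entry["plain"]}


def hardened_verify(svc: OtpService, phone: str, otp: str) -> dict:
    """Hardened: same opaque failure for every case, single use, attempt-limited."""
    entry = svc.pending.get(phone)
    if entry is None or entry["attempts"] >= MAX_ATTEMPTS:
        return {"success": False}
    entry["attempts"] += 1
    if svc.matches(phone, otp):
        del svc.pending[phone]          # a code is good for exactly one login
        return {"success": True}
    return {"success": False}


if __name__ == "__main__":
    svc = OtpService()
    svc.send_otp("+15550100")
    leak = vulnerable_verify(svc, "+15550100", "0787765562")   # the random guess from the PoC
    print("leaked response:", leak)
    print("login with leaked otpKey:", vulnerable_verify(svc, "+15550100", leak["otpKey"]))
```

When testing a real target, also check whether the same otpKey is returned on the send request (before any guess), and whether it survives a refresh; both extend the window in which the leaked value is usable.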

5

Username/email enumeration (non-brute-force)

Proof of Concept
1. Go to the password reset, login, registration or any other form that accepts a username or email address.

2. Enter an existing username/email address with a wrong password and note the error message.

3. Enter a non-existent username/email address and note the error message.

4. Check whether the two messages differ; if they do, the application leaks whether that username/email address exists. Compare the status code, response length and response time as well, since the wording may be identical while the rest is not.
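The comparison in steps 2 to 4 can be scripted against any candidate list. The following is an added example (not the page's code; the user table, hashing parameters and messages are assumptions) with a login that answers "no such account" versus "wrong password" beside one that returns a single message and always runs the password hash, so neither the text nor the timing reveals whether the account exists; enumerate_accounts applies the step-4 test to both:

```python
import hashlib
import hmac

SALT = b"constructed-static-salt"   # one salt for the demo; real systems salt per user
ITERATIONS = 20_000


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)


USERS = {"alice@example.com": hash_password("correct horse battery")}   # constructed
DUMMY = hash_password("dummy-password")   # hashed against when the account does not exist


def vulnerable_login(email: str, password: str) -> tuple:
    """Vulnerable: a different message for unknown users, and no hash computed for
    them, so the reply is also faster."""
    stored = USERS.get(email)
    if stored is None:
        return 404, "No account with that email"
    if not hmac.compare_digest(stored, hash_password(password)):
        return 401, "Incorrect password"
    return 200, "Welcome"


def hardened_login(email: str, password: str) -> tuple:
    """Hardened: one message for both failures, and the hash is always computed so
    response time does not separate unknown users from wrong passwords."""
    stored = USERS.get(email, DUMMY)
    ok = hmac.compare_digest(stored, hash_password(password)) and email in USERS
    return (200, "Welcome") if ok else (401, "Invalid email or password")


def enumerate_accounts(login, candidates: list, probe_password: str = "definitely-wrong") -> list:
    """Steps 2-4 as code: any candidate whose failure response differs from that of an
    address that certainly does not exist is confirmed to exist."""
    baseline = login("nobody-zzzzzzzz@invalid.example", probe_password)
    return [c for c in candidates if login(c, probe_password) != baseline]


if __name__ == "__main__":
    candidates = ["alice@example.com", "bob@example.com"]
    print("vulnerable leaks:", enumerate_accounts(vulnerable_login, candidates))
    print("hardened leaks:  ", enumerate_accounts(hardened_login, candidates))
```

The same check applies to the password-reset form ("we sent you a link" versus "no such user") and to registration ("that email is already taken"); the latter is the hardest to fix without breaking usability, which is why many programs accept it only when combined with something else.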

6

Mail server misconfiguration: no spoofing protection on the email domain, allowing spoofed email to reach the inbox

Proof of Concept
1) Go to the target company and collect all the email addresses of that company you can find.
2) Check the SPF and DMARC records of the domains those addresses use, e.g. with https://mxtoolbox.com (the records are set per domain, not per address).
3) Note any domain with no SPF record and no DMARC record. SPF on its own only checks the envelope sender, so a domain with SPF but no DMARC still lets the visible From: header be spoofed.
4) If you have an address on such a domain (say xyz@company.com), go for exploitation.
5) Visit https://emkei.cz/ to send the spoofed message.
6) Put the company's address in From, your own address in To, and anything in Subject (like "Hacking You" or "Bounty Time").
7) Check your inbox: you get an email from that company's address, which you sent yourself.
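Step 2 can be done without a web tool once you know what to look for in the TXT records. The following is an added example (not code from the page) that parses SPF and DMARC records and lists the weaknesses that make From: spoofing possible; the three domains and their records are constructed for the demo, and in practice you would fetch the real ones with `dig +short TXT company.com` and `dig +short TXT _dmarc.company.com`:

```python
# Constructed DNS TXT answers for three hypothetical domains (no real lookups are made).
TXT_RECORDS = {
    "strict.example":        ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.strict.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"],
    "soft.example":          ["v=spf1 ip4:192.0.2.0/24 ~all"],     # no _dmarc.soft.example
    "open.example":          ["some-unrelated-verification=abc123"],
}


def txt(name: str) -> list:
    """Stand-in for a DNS TXT query against the constructed table above."""
    return TXT_RECORDS.get(name.lower(), [])


def spf_records(domain: str) -> list:
    return [r for r in txt(domain) if r.lower().startswith("v=spf1")]


def spf_all_qualifier(record: str):
    """Return the qualifier on the 'all' mechanism ('-', '~', '?' or '+'), or None if absent."""
    for term in record.split()[1:]:
        qual, mech = "+", term
        if term[0] in "+-~?":
            qual, mech = term[0], term[1:]
        if mech.lower() == "all":
            return qual
    return None


def dmarc_policy(domain: str):
    """Return the p= tag of the domain's DMARC record, or None if there is no record."""
    for rec in txt(f"_dmarc.{domain}"):
        if rec.lower().startswith("v=dmarc1"):
            tags = dict(t.strip().split("=", 1) for t in rec.split(";") if "=" in t)
            return tags.get("p", "").strip().lower() or None
    return None


def spoofing_findings(domain: str) -> list:
    """Weaknesses an assessor would report; an empty list means receivers that enforce
    DMARC should reject mail spoofing this domain in the From: header."""
    findings = []
    spf = spf_records(domain)
    if not spf:
        findings.append("no SPF record")
    elif len(spf) > 1:
        findings.append("multiple SPF records (permerror, SPF ignored)")
    else:
        q = spf_all_qualifier(spf[0])
        if q is None:
            findings.append("SPF has no 'all' mechanism (implicit neutral)")
        elif q == "~":
            findings.append("SPF ends in ~all (softfail only)")
        elif q in "+?":
            findings.append(f"SPF ends in {q}all (anyone passes)")
    policy = dmarc_policy(domain)
    if policy is None:
        findings.append("no DMARC record")
    elif policy == "none":
        findings.append("DMARC p=none (monitor only, nothing rejected)")
    return findings


def spoofable(domain: str) -> bool:
    return bool(spoofing_findings(domain))


if __name__ == "__main__":
    for d in ("strict.example", "soft.example", "open.example"):
        print(f"{d:16s} {spoofing_findings(d) or ['ok']}")
```

A domain that comes back with only "~all" plus "no DMARC record" is the typical case where emkei-style spoofing lands in the inbox: the softfail is advisory, and without DMARC nothing ties the SPF result to the From: header the user sees.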
