# Account Takeover
ποΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) ποΈ - π₯ Youtube π₯
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**π¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**π¦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
## **Authorization Issue**
Try to change the email of an account and **check how the confirmation works**. If **weak**, try to change the email to the victim one and confirm it.
## **Unicode Normalization Issue**
1. victim account `victim@gmail.com`
2. create an account using Unicode\
example: `viΔtim@gmail.com`
{% content-ref url="/pages/IdIZ0X9yKKwm1kIjY5k0" %}
[Unicode Normalization](/dashboard/pentesting-web/unicode-injection/unicode-normalization.md)
{% endcontent-ref %}
## **Reusing Reset Token**
If target allows you to **reuse the reset link** then **hunt** for more reset link via `gau` ,`wayback` or `scan.io`
## **Pre Account Takeover**
1. Signup using the victims email in the platform and set a password (try to confirm if possible, but lacking access to the victim emails might be impossible)
2. Wait till the victim signs up using oauth and confirms the account
3. Hopefully, the regular signup will be confirmed and you will be able to enter in the victims account
## **CORS Misconfiguration to Account Takeover**
If the page contains **CORS missconfigurations** you might be able to **steal sensitive information** from the user to **takeover his account** or make him change auth information for the same purpose:
{% content-ref url="/pages/4M6u4kNoqzT15SkItfDQ" %}
[CORS - Misconfigurations & Bypass](/dashboard/pentesting-web/cors-bypass.md)
{% endcontent-ref %}
## **Csrf to Account Takeover**
If the page is vulnerable to CSRF you might be able to make the **user modify his password**, email or authentication so you can then access it:
{% content-ref url="/pages/Fh6q0INva5LsvAVTSqpM" %}
[CSRF (Cross Site Request Forgery)](/dashboard/pentesting-web/csrf-cross-site-request-forgery.md)
{% endcontent-ref %}
## **XSS to Account Takeover**
If you find a XSS in application you might be able to stal cookies, local storage, or info from the web page that could allow you takeover the account:
{% content-ref url="/pages/3TtZSWygZ6FBOx3HH8a1" %}
[XSS (Cross Site Scripting)](/dashboard/pentesting-web/xss-cross-site-scripting.md)
{% endcontent-ref %}
## **Same Origin + Cookies**
If you find a limited XSS or a subdomain take over, you could play with the cookies (fixating them for example) to try to compromise the victim account:
{% content-ref url="/pages/nuq8VYEnc0378CD4qgS7" %}
[Cookies Hacking](/dashboard/pentesting-web/hacking-with-cookies.md)
{% endcontent-ref %}
## **Attacking Password Reset Mechanism**
{% content-ref url="/pages/JCCgmwVg4PQaLaxuSpOb" %}
[Reset/Forgotten Password Bypass](/dashboard/pentesting-web/reset-password.md)
{% endcontent-ref %}
## **Response Manipulation**
If the authentication response could be **reduced to a simple boolean just try to change false to true** and see if you get any access.
## OAuth to Account takeover
{% content-ref url="/pages/KFXKTxy8X82mO562oyvY" %}
[OAuth to Account takeover](/dashboard/pentesting-web/oauth-to-account-takeover.md)
{% endcontent-ref %}
## References
*
ποΈ HackTricks LIVE Twitch Wednesdays 5.30pm (UTC) ποΈ - π₯ Youtube π₯
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**π¬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**π¦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://breached.gitbook.io/dashboard/pentesting-web/account-takeover.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.