BIPI

Account Takeover Recipes: Password Reset, Email Verification, Session Fixation

Cybersecurity

Account takeover bounties cluster around three workflows that every app has and few get right. This piece breaks down the reset, verify, and fixation patterns that lead to full ATO, with the host header tricks and race conditions that hunters reuse across targets.

By Arjun Raghavan, Security & Systems Lead, BIPI · February 8, 2023 · 10 min read

#ato#bug-bounty#password-reset#session#authentication

Three Workflows, Many Bugs

Password reset, email change, and session creation are universal. Each has a long history of subtle bugs that produce full ATO. Learn the patterns and you carry them target to target.

Host Header Poisoning in Reset Links

Many apps build the reset URL from the incoming Host header, or from a proxy header such as X-Forwarded-Host. Request a reset for the victim's address with that header set to a domain you control and the email the victim receives carries a link to attacker.com; when they click it, the token lands in your server log and you redeem it against the real site. Confirm the primitive on your own account first: if the link in your own reset email changes when you change the header, the app is vulnerable.

  • Try Host: attacker.com and X-Forwarded-Host: attacker.com, separately and together
  • Try X-Forwarded-Host: realhost, attacker.com; some parsers take the last value, some the first
  • Try two Host headers; some stacks pick the second
  • Try an absolute URI in the request line (GET https://attacker.com/forgot HTTP/1.1); some servers take the authority from it over Host
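As an added example (not BIPI's code, and not any particular framework's), the snippet below puts a reset-link builder that trusts request headers, in the style many frameworks use, beside a hardened one that only uses a configured origin, and runs both over the probe set from the list above. The canonical origin, the helper names and the probe headers are assumptions; the absolute-URI variant is a request-line trick rather than a header and is not modelled.

```python
from urllib.parse import urlsplit

# Assumed deployment setting: the fix is to build links only from this value.
CANONICAL_ORIGIN = "https://app.example.com"


def header_values(headers, name):
    """All values of a header. Headers are a list of (name, value) tuples so
    duplicate Host headers survive instead of being collapsed by a dict."""
    return [v for n, v in headers if n.lower() == name.lower()]


def build_reset_url_vulnerable(headers, token):
    """Derives the link host from the request: prefers X-Forwarded-Host and,
    on duplicates, keeps the last one, as some reverse-proxy stacks do."""
    forwarded = header_values(headers, "X-Forwarded-Host")
    hosts = header_values(headers, "Host")
    host = (forwarded or hosts)[-1]
    return f"https://{host}/reset?token={token}"


def build_reset_url_safe(headers, token):
    """Never derives the origin from the request. Requires exactly one Host
    header equal to the canonical host so poisoned requests are rejected
    (and can be logged) rather than silently served."""
    hosts = header_values(headers, "Host")
    if hosts != [urlsplit(CANONICAL_ORIGIN).netloc]:
        raise ValueError(f"unexpected Host header(s): {hosts!r}")
    return f"{CANONICAL_ORIGIN}/reset?token={token}"


# Constructed probe requests (headers only), one per trick in the list above.
PROBES = {
    "host": [("Host", "attacker.com")],
    "xfh": [("Host", "app.example.com"), ("X-Forwarded-Host", "attacker.com")],
    "xfh_comma": [("Host", "app.example.com"),
                  ("X-Forwarded-Host", "app.example.com, attacker.com")],
    "double_host": [("Host", "app.example.com"), ("Host", "attacker.com")],
}


def run_probes(builder, token="T0K3N"):
    """Returns {probe: url or 'rejected'} so the two builders can be compared."""
    out = {}
    for name, headers in PROBES.items():
        try:
            out[name] = builder(headers, token)
        except ValueError:
            out[name] = "rejected"
    return out


if __name__ == "__main__":
    for label, builder in (("vulnerable", build_reset_url_vulnerable),
                           ("safe", build_reset_url_safe)):
        for probe, result in run_probes(builder).items():
            print(f"{label:10} {probe:12} {result}")
```

Every probe poisons the vulnerable builder, and the comma variant produces a link whose host is the whole forwarded string, which is exactly the parser confusion the list is after. The safe builder ignores X-Forwarded-Host entirely and rejects the requests whose Host does not match; when testing, a target that behaves like the safe builder on all four probes can usually be moved past quickly.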

Token Patterns Worth Probing

  • Tokens bound to an email address rather than a user_id, so changing the account's email re-targets them
  • Tokens that never expire, or expire only after a long window
  • Tokens accepted by both the reset and the email-change endpoints
  • Tokens that remain valid after the password has been changed

Email Verification Bypass

If signup lets you create an account with an unverified email and a different endpoint (profile update, settings API, mobile API) lets you change that address to the victim's without dropping the verified flag, verification is bypassed: verify your own address first, then swap in the victim's. Also try racing the verify step against a profile update, changing the address to the victim's while your own verification is being processed.

Pre-Account Takeover

Register with the victim's email before they do. Some apps merge a later social login with the existing unverified account on email match alone, so when the victim signs in with Google they land in an account whose password you set.

Session Fixation

If the session ID does not rotate on login, plant a known session in the victim's browser (through a cookie-injection bug or a shared parent domain, for example) and reuse it after they authenticate. Compare Set-Cookie before and after login: if the pre-login session cookie keeps its value, the app is fixable. Check also whether the app accepts a session ID it never issued, which removes the need to obtain one first.
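The following added example (not BIPI's code) models the fixation check with an in-memory session store: a login that keeps the pre-login session ID, beside one that destroys it and issues a fresh one. The store, the method names and the victim address are constructed for illustration.

```python
import secrets


class SessionStore:
    """Constructed in-memory session table: sid -> {"user": str or None}."""

    def __init__(self):
        self.sessions = {}

    def create_anonymous(self):
        """Pre-login session, the kind an attacker can obtain and plant."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login_vulnerable(self, sid, user):
        """Keeps the incoming sid and marks it authenticated: whoever planted
        it is now logged in as the user. setdefault also means a sid the
        server never issued is accepted, a second fixation vector."""
        self.sessions.setdefault(sid, {"user": None})["user"] = user
        return sid

    def login_safe(self, sid, user):
        """Rotates: the pre-login sid is destroyed and the authenticated
        state lives only under a fresh sid the attacker never saw."""
        self.sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = {"user": user}
        return new_sid

    def whoami(self, sid):
        """User bound to a sid, or None for anonymous and unknown sids."""
        return self.sessions.get(sid, {}).get("user")


def fixation_attack(store, login):
    """Attacker obtains a sid, plants it, victim logs in with it.
    Returns (who the planted sid now identifies, whether the sid rotated)."""
    planted = store.create_anonymous()
    victim_sid = login(planted, "victim@example.com")
    return store.whoami(planted), victim_sid != planted


if __name__ == "__main__":
    s = SessionStore()
    print("vulnerable:", fixation_attack(s, s.login_vulnerable))
    print("safe:      ", fixation_attack(s, s.login_safe))
```

The same two observations are what to record in a report: the session cookie value before login versus after, and whether an ID the server never issued is honoured.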

Race Conditions in Reset

Fire two reset requests in parallel with Turbo Intruder's single-packet attack. Some backends create two tokens for the same account, both valid, which tells you the issue step is not serialised. The more valuable shape is the same race in the email-change flow: send two change requests at once, one to your address and one to the victim's. If the backend stores the pending address and sends the confirmation as separate steps, the link that confirms the victim's address can be delivered to yours, and an account now carrying the victim's verified email chains into ATO through reset or social login.
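As an added example (not BIPI's code), here is a reset-token store that closes the token patterns listed above (binding to user_id and purpose, short expiry, single use, death on password change) and removes the reset race by capturing the recipient address in the same step as the token and allowing one outstanding token per account. Class and field names, the 15-minute window and the sample accounts are assumptions.

```python
import hashlib
import secrets
import time


class Account:
    """Constructed account record; password_version is bumped on every change."""

    def __init__(self, user_id, email):
        self.user_id = user_id
        self.email = email
        self.password_version = 0


class ResetTokens:
    """Tokens bound to user_id and purpose, short-lived, single-use, stored
    hashed so a database read does not yield usable tokens."""

    TTL = 15 * 60  # seconds; an assumed window

    def __init__(self, accounts):
        self.accounts = {a.user_id: a for a in accounts}
        self.pending = {}  # sha256(token) -> record

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def revoke_all(self, user_id):
        for h in [h for h, r in self.pending.items() if r["user_id"] == user_id]:
            del self.pending[h]

    def issue(self, user_id, purpose="reset", now=None):
        """One outstanding token per account. The recipient address is read in
        the same step as the token is created, so a concurrent email change
        cannot re-route a token that already exists. In a real database do the
        revoke and insert in one transaction (or add a unique index on
        user_id), otherwise two parallel requests can still both succeed."""
        now = time.time() if now is None else now
        acct = self.accounts[user_id]
        self.revoke_all(user_id)
        token = secrets.token_urlsafe(32)
        self.pending[self._hash(token)] = {
            "user_id": user_id,
            "purpose": purpose,
            "sent_to": acct.email,
            "password_version": acct.password_version,
            "expires": now + self.TTL,
        }
        return token, acct.email

    def consume(self, token, purpose="reset", now=None):
        """Returns the user_id the token authorises, or None. The record is
        popped first, so the token is single-use whatever the outcome."""
        now = time.time() if now is None else now
        rec = self.pending.pop(self._hash(token), None)
        if rec is None or rec["purpose"] != purpose or now > rec["expires"]:
            return None
        acct = self.accounts[rec["user_id"]]
        if acct.password_version != rec["password_version"]:
            return None  # password changed after the token was issued
        return rec["user_id"]

    def change_password(self, user_id):
        self.accounts[user_id].password_version += 1
        self.revoke_all(user_id)

    def change_email(self, user_id, new_email):
        self.accounts[user_id].email = new_email
        self.revoke_all(user_id)  # outstanding links went to the old address
```

Each assertion a tester would make against a target maps to one rule here: a second request kills the first link, a used link is dead, an old link is dead, a password change kills every link, an email change kills every link, and a verification token is not a reset token.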

OAuth Account Linking Bugs

When social login links to an existing account on email match alone, you can bring an identity-provider account carrying the victim's email and inherit their app account. With Google you cannot register someone else's address, so look for providers that let you set an unverified email, and for apps that ignore the email_verified claim in the ID token. This class of bug recurs in public disclosures.
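The added example below (not BIPI's code) covers the three email-ownership bugs above in one constructed user table: an email-change endpoint that keeps the verified flag, a social login that merges on email alone, and the safe versions that drop verification on change and refuse to link unless both the provider and the local account have verified the address. Table layout, claim names and the sample addresses are assumptions.

```python
class Users:
    """Constructed user table keyed by lowercased email. A real app keys by
    user_id with email as a unique column; the decision logic is the same."""

    def __init__(self):
        self.by_email = {}

    def signup_password(self, email, password):
        """Local signup: the account exists at once but stays unverified
        until the emailed link is clicked."""
        acct = {"email": email.lower(), "verified": False,
                "password": password, "google_sub": None}
        self.by_email[acct["email"]] = acct
        return acct

    def verify(self, acct):
        acct["verified"] = True

    def _rekey(self, acct, new_email):
        del self.by_email[acct["email"]]
        acct["email"] = new_email.lower()
        self.by_email[acct["email"]] = acct

    def update_email_vulnerable(self, acct, new_email):
        """Profile endpoint that swaps the address but keeps the verified flag:
        verify your own address, then change it to the victim's."""
        self._rekey(acct, new_email)

    def update_email_safe(self, acct, new_email):
        """Any change drops verification until the new address proves
        ownership (a real app keeps the old address live meanwhile)."""
        self._rekey(acct, new_email)
        acct["verified"] = False

    def social_login_vulnerable(self, claims):
        """Links by email alone. An unverified account parked on the victim's
        address receives the victim's Google sign-in, and the attacker's
        password still opens it."""
        acct = self.by_email.get(claims["email"].lower())
        if acct is None:
            acct = self.signup_password(claims["email"], None)
        acct["google_sub"] = claims["sub"]
        return acct, "linked"

    def social_login_safe(self, claims):
        """Links only when the IdP asserts email_verified (JSON true, not the
        string "true") and the local account verified the same address."""
        if claims.get("email_verified") is not True:
            return None, "idp_email_unverified"
        acct = self.by_email.get(claims["email"].lower())
        if acct is None:
            acct = self.signup_password(claims["email"], None)
            acct["verified"] = True
            acct["google_sub"] = claims["sub"]
            return acct, "created"
        if not acct["verified"]:
            # Possibly attacker-parked: do not merge and do not sign in.
            return None, "local_email_unverified"
        acct["google_sub"] = claims["sub"]
        return acct, "linked"


def pre_account_takeover(login):
    """Attacker parks the victim's address, then the victim signs in with
    Google. Returns (outcome, attacker's password still opens the account)."""
    users = Users()
    parked = users.signup_password("victim@example.com", "attacker-pw")
    claims = {"sub": "google-sub-1", "email": "victim@example.com",
              "email_verified": True}
    acct, outcome = login(users, claims)
    return outcome, acct is parked and parked["password"] == "attacker-pw"
```

The safe path deliberately refuses to sign the victim in rather than silently creating a second account under the same address; surfacing that state to the user (and to logs) is what lets the parked account be noticed.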

JWT Issues That Lead to ATO

  • alg: none accepted by the verifier, so an unsigned token passes
  • RS256 to HS256 confusion: the verifier dispatches on the token's own alg, so a token switched to HS256 and signed with the server's public key verifies
  • kid path traversal, so the verifier loads a key file whose content the attacker can predict or control
  • Tokens decoded but never verified, so the user_id claim is trusted as-is
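As an added example (not BIPI's code, and not jwt_tool's), the block below hand-rolls HS256 JWTs with the standard library and puts a verifier that dispatches on the token's alg header beside one that pins the algorithm. It forges an alg: none token and shows only the vulnerable verifier accepting it; the RS256 to HS256 confusion has the same root cause (dispatch on the header) but needs an RSA key pair and is described in the comments rather than executed. The secret and claims are constructed.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Legitimate server-side token issuance."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def forge_alg_none(payload: dict) -> str:
    """Attacker-built token: alg none, arbitrary claims, empty signature."""
    header = {"alg": "none", "typ": "JWT"}
    return b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(payload).encode()) + "."


def verify_vulnerable(token: str, key: bytes):
    """Trusts the alg the token declares. With "none" it returns the claims
    unverified. The same dispatch is what makes RS256 to HS256 confusion work:
    a verifier that passes its RSA public key to whichever algorithm the
    header names will HMAC-verify a token the attacker signed with that
    public key. Returns the claims or None."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header["alg"] == "none":
        return json.loads(b64url_decode(p))
    if header["alg"] == "HS256":
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(s)):
            return json.loads(b64url_decode(p))
    return None


def verify_safe(token: str, key: bytes):
    """Pins HS256 server-side: the signature is checked with the configured
    key first, and the header's alg must then match what was pinned."""
    h, p, s = token.split(".")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        return None
    return json.loads(b64url_decode(p))


if __name__ == "__main__":
    key = b"server-side-hmac-secret"
    print(verify_vulnerable(forge_alg_none({"user_id": 1}), key))  # claims accepted
    print(verify_safe(forge_alg_none({"user_id": 1}), key))        # None
```

In a library-backed app the equivalent of verify_safe is passing an explicit algorithms allow-list to the decode call and never letting the token choose; if the list contains both an RSA and an HMAC algorithm for the same key material, the confusion bug is back.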

Tooling That Helps

  • Burp Collaborator as the attacker host in a poisoned reset link, to catch the token in the interaction log
  • Turbo Intruder for race conditions
  • jwt_tool for signature attacks
  • Autorize to replay requests under a second user's session and spot missing authorization checks

ATO chains are won by the hunter who tests the boring flows again. Reset, verify, link, login. Every time.

Reporting Tips

Demonstrate ATO with a clean two-user video. Show the token interception, the email landing on attacker domain, and the successful login as the victim. Triage moves faster when impact is visible.

Closing

The reset, verify, and session flows are bug bounty staples because they are everywhere and rarely tested under adversarial conditions. Test them deeply on every target.

Read more field notes, explore our services, or get in touch at info@bipi.in.