Scenario:
You are a penetration tester hired to assess the security of craw.in. During your initial reconnaissance, you've identified a few potential areas of interest. Focus on exploiting vulnerabilities that might lead to account takeover. Assume that all other attack vectors are out of scope.
Question 1.
The login page appears to implement weak brute-force protection. What common client-side technique could you use to potentially bypass it?
Question 2.
A user reports suspicious password reset emails. Which vulnerability could be present if the reset link doesn't change even after multiple requests?
Question 3.
During password reset, the email contains a predictable reset code. What type of vulnerability is this ?
Question 4.
You notice the website allows you to change your email address. After changing it, the old email address does not receive a notification of the email update. What is the name of this vulnerability?
Question 5.
Examining the "Forgot Password" functionality, you see the server responds with a message that states "If an account exists with that email, a reset link will be sent." What type of information disclosure does this represent?
Question 6.
You successfully changed your email to [email protected]. However, when you log in, you're still logged in as the original user. What vulnerability may exist in the email change process?
Question 7.
The website's cookies are missing the "HttpOnly" flag. What type of cross-site scripting can be used to steal the current logged-in user session?
Question 8.
When a user updates their profile, including sensitive information like phone number, the request is sent via HTTP. What type of vulnerability is this classified as?
Question 9.
The application allows users to authenticate with third-party services. In the OAuth flow, the redirect URI isn't properly validated. Which vulnerability could arise from this misconfiguration?
Question 10.
You discover that the application allows you to use HTML tags in your profile name. If you inject <script>alert('XSS')</script> and view another user's profile, what type of vulnerability are you exploiting?
Question 11.
The API endpoint for changing a user's password accepts a "user_id" parameter. By changing this parameter, you are able to change another user's password. This is an example of what?
Question 12.
The website's registration process has no rate limiting. What type of attack could this enable?
Question 13.
The application uses a CAPTCHA. After inspecting the HTML, you realize the CAPTCHA response field is passed directly to the backend without validation. What is this considered?