Account Take Over without user Interaction
Hello hunters, hope you are doing well. I want to share something about my finding, which went DUPLICATE. Let's dive into the topic. Assume the program name is Redacted.com.

Attack vector: the application contains a forgot-password functionality.

1. Enter the victim's email-id, then capture the request and response.
2. In the response I observed a token being transmitted. After checking the inbox it became clear that the token belongs to the password reset.
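To make the flaw concrete, here is an added example (not code from the write-up or from the affected program) that models the forgot-password endpoint twice: a vulnerable handler that echoes the reset token in the HTTP response, the way the write-up describes, and a hardened handler that delivers the token only to the mailbox, stores just its hash, and returns the same generic body for existing and non-existing accounts. It also includes the check a tester or a regression test would run: scan the serialized response body for any string whose hash matches an issued token. The user store, mailer outbox and token format are constructed for the example.

```python
import hashlib
import json
import re
import secrets
import time

# Constructed in-memory stand-ins for the application's database and mailer.
USERS = {"alice@example.com": {"id": 1}}
RESET_TOKENS: dict = {}   # sha256(token) -> (user_id, expiry); raw token is never stored
OUTBOX: list = []         # emails the mailer would have sent

GENERIC_MSG = "If an account exists for that address, a reset link has been sent."
TOKEN_TTL_SECONDS = 900


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def _issue_token(user_id: int) -> str:
    """Create a single-use, time-limited reset token and store only its hash."""
    raw = secrets.token_urlsafe(32)
    RESET_TOKENS[_hash(raw)] = (user_id, time.time() + TOKEN_TTL_SECONDS)
    return raw


def forgot_password_vulnerable(email: str) -> dict:
    """Mirrors the reported flaw: the token is mailed AND returned in the response body."""
    user = USERS.get(email)
    if not user:
        return {"status": 404, "body": {"error": "user not found"}}
    token = _issue_token(user["id"])
    OUTBOX.append({"to": email, "token": token})
    return {"status": 200, "body": {"message": "reset mail sent", "token": token}}


def forgot_password_fixed(email: str) -> dict:
    """Hardened handler: token goes only to the mailbox; response is constant."""
    user = USERS.get(email)
    if user:
        token = _issue_token(user["id"])
        OUTBOX.append({"to": email, "token": token})
    # Identical status and body whether or not the account exists, so the
    # endpoint neither leaks the token nor confirms which emails are registered.
    return {"status": 200, "body": {"message": GENERIC_MSG}}


def reset_password(token: str, new_password: str) -> bool:
    """Redeem a token from the mailbox: hash lookup, expiry check, single use."""
    entry = RESET_TOKENS.pop(_hash(token), None)
    if entry is None:
        return False
    user_id, expiry = entry
    if time.time() > expiry:
        return False
    # Real code would hash the password and write it to the user record here.
    USERS[next(e for e, u in USERS.items() if u["id"] == user_id)]["pw"] = new_password
    return True


def response_leaks_token(response: dict) -> bool:
    """Regression check: does any issued token appear anywhere in the response body?

    Candidate substrings are hashed and compared against the stored token hashes,
    so the check works without the server ever keeping the raw token.
    """
    serialized = json.dumps(response["body"])
    for candidate in re.findall(r"[A-Za-z0-9_-]{20,}", serialized):
        if _hash(candidate) in RESET_TOKENS:
            return True
    return False


if __name__ == "__main__":
    leaky = forgot_password_vulnerable("alice@example.com")
    print("vulnerable handler leaks token:", response_leaks_token(leaky))
    safe = forgot_password_fixed("alice@example.com")
    print("fixed handler leaks token:", response_leaks_token(safe))
    print("token from mailbox redeems:", reset_password(OUTBOX[-1]["token"], "new-pass"))
```

The `response_leaks_token` check is the piece worth wiring into a test suite: it fails the moment any handler starts echoing a live token, which is exactly the regression that turns a forgot-password form into an account takeover without the victim touching their inbox.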