Day 24 comes with a small contribution related to account takeovers and API keys.
Account Takeover through Host header Injection by adding an extra Host
From Rajesh Ranjan. So I was checking twitter and found this amazing writeup, in which how the researcher was able to steal the password reset token by adding an extra host in the Request Body. We need to have Ngrok running on our computer. Check out Ngrok here.
Don’t know what to do with random API Keys?
From Sam (CoffeeJunkie). This was helpful couple months ago. I was testing a public program in BugCrowd, and looking at the public repositories in GitHub of my target, I found and interesting couple keys related to S3 buckets. I didn’t know what to do, everything seemed like a death end as the noob that I am, then, checking around the internet, somebody created an amazing repository related to API Keys, and how to know if they’re valid and they’re working, so, I found Key Hacks! Unfortunately the AWS keys that I found on github didn’t work, but the lesson earned was valid.