How I found a 0-Click Account takeover in a public BBP and l...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://hesar101.github.io/posts/How-I-found-a-0-Click-Account-takeover-in-a-public-BBP-and-leveraged-It-to-access-Admin-Level-functionalities/
• Blog Title: How I found a 0-Click Account takeover in a public BBP and leveraged it to access Admin-Level functionalities
• Suggested Section: Generic Hacking > Web Cache Poisoning & CDN/WAF Bypasses (header-reflection XSS, .js auto-cache poisoning, single-packet seeding)

🎯 Content Summary

Technical Summary: True 0‑click Account Takeover (ATO)

Overview

The author achieved a true 0‑click account takeover (ATO) by chaining three issues: (1) post‑SSO application JWT stored in a cookie without the HttpOnly flag, (2) header‑based reflected XSS in the main HTML via User‑Agent, and (3) a cache‑poisoning/WAF routing quirk where .js GETs were auto‑cached and not content‑inspected, enabling reliable cache seeding. Stolen cookies (JWTs) included employee/admin tokens, l...

🔧 Technical Details

Cache poisoning via header reflection into HTML: Find responses where untrusted request headers (e.g., User‑Agent) are reflected in the main HTML. If a cache stores that variant, inject HTML/JS to create a poisoned page that other users receive. Verify persistence across clients and time windows.

Leveraging .js GET handling to seed cache: Many WAF/CDNs auto‑cache .js and apply weaker content inspection. Send a malicious header on a .js GET (...

🤖 Agent Actions

I explored the repository and identified the best existing pages to update with the techniques from the blog. The core technique is a web cache poisoning vector relying on header reflection (User-Agent) into the main HTML, combined with CDN/WAF quirks around auto-cached .js GETs and a grouped “single-packet” two-request strategy for reliable cache seeding. This fits squarely under pentesting-web/cache-deception. The WAF-related angle also fits under pentesting-web/proxy-waf-protections-bypass.

What I read to confirm structure and overlap (5+ files):

• src/pentesting-web/cache-deception/README.md
• src/pentesting-web/cache-deception/cache-poisoning-via-url-discrepancies.md
• src/pentesting-web/cache-deception/cache-poisoning-to-dos.md
• src/pentesting-web/race-condition.md (contains Burp “...

✅ Review Checklist

• Content is technically accurate
• Formatting follows HackTricks style guidelines
• Links and references are working
• Content adds educational value
• No sensitive information is exposed

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://hesar101.github.io/posts/How-I-found-a-0-Click-Account-takeover-in-a-public-BBP-and-leveraged-It-to-access-Admin-Level-functionalities/

Content Categories: Based on the analysis, this content was categorized under "Generic Hacking > Web Cache Poisoning & CDN/WAF Bypasses (header-reflection XSS, .js auto-cache poisoning, single-packet seeding)".

Repository Maintenance:

• MD Files Formatting: 869 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

[carlospolop]

merge