Account Takeover using Inspect element

Jeyabalaji
2 min readMay 17, 2023

--

Using Browser Developer tools I took account takeover.

Here we have Forgot page. In that either we can give Admission number or Mobile to reset the password. I gave Admission number and submit.

After that “Reg Mobile No” input field came. Here we want to give mobile number and Click Get OTP, then Submit OTP field will display. Here I opened Inspector and check whether if can access other input field by changing in code. In this application the set as “display:none”.

So I removed wherever none is there. I got Ever field. So I gave random number, OTP and set new password for that user and click submit

So I removed wherever none is there. I got Ever field. So I gave random number, OTP and set new password for that user and click submit

I capture the request and saw the response but it showing registration mobile number not matched

Now we want know the mobile number to change password. I tried to remove the mobile number and send the request.

Successfully password updated. Using this request I can change anyone's password

--

--

Jeyabalaji
Jeyabalaji

Responses (2)