1.0Sécuriser votre sitehttps://www.searchevolution.com/securityGermainhttps://www.searchevolution.com/security/author/germain/rich600338<blockquote class="wp-embedded-content" data-secret="EPf3FLPEUT"><a href="https://www.searchevolution.com/security/2022/11/07/account-takeover/">Account takeover</a></blockquote><iframe sandbox="allow-scripts" security="restricted" src="https://www.searchevolution.com/security/2022/11/07/account-takeover/embed/#?secret=EPf3FLPEUT" width="600" height="338" title="« Account takeover » — Sécuriser votre site" data-secret="EPf3FLPEUT" frameborder="0" marginwidth="0" marginheight="0" scrolling="no" class="wp-embedded-content"></iframe><script type="text/javascript"> /* <![CDATA[ */ /*! This file is auto-generated */ !function(d,l){"use strict";l.querySelector&&d.addEventListener&&"undefined"!=typeof URL&&(d.wp=d.wp||{},d.wp.receiveEmbedMessage||(d.wp.receiveEmbedMessage=function(e){var t=e.data;if((t||t.secret||t.message||t.value)&&!/[^a-zA-Z0-9]/.test(t.secret)){for(var s,r,n,a=l.querySelectorAll('iframe[data-secret="'+t.secret+'"]'),o=l.querySelectorAll('blockquote[data-secret="'+t.secret+'"]'),c=new RegExp("^https?:$","i"),i=0;i<o.length;i++)o[i].style.display="none";for(i=0;i<a.length;i++)s=a[i],e.source===s.contentWindow&&(s.removeAttribute("style"),"height"===t.message?(1e3<(r=parseInt(t.value,10))?r=1e3:~~r<200&&(r=200),s.height=r):"link"===t.message&&(r=new URL(s.getAttribute("src")),n=new URL(t.value),c.test(n.protocol))&&n.host===r.host&&l.activeElement===s&&(d.top.location.href=t.value))}},d.addEventListener("message",d.wp.receiveEmbedMessage,!1),l.addEventListener("DOMContentLoaded",function(){for(var e,t,s=l.querySelectorAll("iframe.wp-embedded-content"),r=0;r<s.length;r++)(t=(e=s[r]).getAttribute("data-secret"))||(t=Math.random().toString(36).substring(2,12),e.src+="#?secret="+t,e.setAttribute("data-secret",t)),e.contentWindow.postMessage({message:"ready",secret:t},"*")},!1)))}(window,document); /* ]]> */ </script> Voici quelques techniques qui permettent de vérifier si la sécurité pour la l’authentification sur votre service est adéquate Account Takeover via IDOR in Password Reset Account Takeover by Password Reset Poisoning Acoount Takeover via IDOR (Post Authentication) Account Takeover via CSRF Account Takeover by Broken Cryptography Account Takeover by OAuth Misconfiguration Pre-Authentication Account Takeover Account Takeover due to Improper Rate-Limit/Anti-Automation Checks Account Takeover by XSS Account Takeover by utilizing Sensitive Data Exposure Account Takeover due to Weak Security Policies Autres techniques pour prendre possession d’un compte Response Body Manipulation Status Code Manipulation Parameter Pollution Mass Assignment Token Forging Autres resources