Reset/Forgotten Password Bypass
Last updated
The following techniques recompilation was taken from https://anugrahsr.github.io/posts/10-Password-reset-flaws/
Password Reset Token Leak Via Referrer
The HTTP referer is an optional HTTP header field that identifies the address of the webpage which is linked to the resource being requested. The Referer request header contains the address of the previous web page from which a link to the currently requested page was followed
Exploitation
Request password reset to your email address
Click on the password reset link
Dont change password
Click any 3rd party websites(eg: Facebook, twitter)
Intercept the request in burpsuite proxy
Check if the referer header is leaking password reset token.
Impact
It allows the person who has control of particular site to change the user’s password (CSRF attack), because this person knows reset password token of the user.
Reference:
Account Takeover Through Password Reset Poisoning
If you find a host header attack and it’s out of scope, try to find the password reset button!
Exploitation
Intercept the password reset request in Burpsuite
Add following header or edit header in burpsuite(try one by one)
Check if the link to change the password inside the email is pointing to attacker.com
Patch
Use $_SERVER['SERVER_NAME'] rather than $_SERVER['HTTP_HOST']
Impact
The victim will receive the malicious link in their email, and, when clicked, will leak the user’s password reset link / token to the attacker, leading to full account takeover.
Reference:
Account Takeover: Password Reset With Manipualating Email Parameter
Exploitation
Add attacker email as second parameter using &
Add attacker email as second parameter using %20
Add attacker email as second parameter using |
Add attacker email as second parameter using cc
Add attacker email as second parameter using bcc
Add attacker email as second parameter using ,
Add attacker email as second parameter in json array
Reference
Full Account Takeover via Changing Email And Password of any User through API Parameters
Exploitation
Attacker have to login with their account and Go to the Change password function
Start the Burp Suite and Intercept the request
After intercepting the request sent it to repeater and modify parameters Email and Password
Reference
No Rate Limiting: Email Bombing
Exploitation
Start the Burp Suite and Intercept the password reset request
Send to intruder
Use null payload
Reference
Find out How Password Reset Token is Generated
Figure out the pattern of password reset token
If it
Generated based Timestamp
Generated based on the UserID
Generated based on email of User
Generated based on Firstname and Lastname
Generated based on Date of Birth
Generated based on Cryptography
Use Burp Sequencer to find the randomness or predictability of tokens.
Response manipulation: Replace Bad Response With Good One
Look for Request and Response like these
Change Response
Reference
Using Expired Token
Check if the expired token can be reused
Brute Force Password Rest token
Try to bruteforce the reset token using Burpsuite
Use IP-Rotator on burpsuite to bypass IP based ratelimit.
Reference
Try Using Your Token
Try adding your password reset token with victim’s Account
Reference
Session Invalidation in Logout/Password Reset
When a user logs out or reset his password, the current session should be invalidated. Therefore, grab the cookies while the user is logged in, log out, and check if the cookies are still valid. Repeat the process changing the password instead of logging out.
Reset Token expiration Time
The reset tokens must have an expiration time, after it the token shouldn't be valid to change the password of a user.
Extra Checks
Use username@burp_collab.net and analyze the callback
User carbon copy email=victim@mail.com%0a%0dcc:hacker@mail.com
Long password (>200) leads to DoS
Append second email param and value
