search

Reset/Forgotten Password Bypass

The following techniques recompilation was taken from https://anugrahsr.github.io/posts/10-Password-reset-flaws/arrow-up-right

hashtag
Password Reset Token Leak Via Referrer

The HTTP referer is an optional HTTP header field that identifies the address of the webpage which is linked to the resource being requested. The Referer request header contains the address of the previous web page from which a link to the currently requested page was followed

hashtag
Exploitation

  • Request password reset to your email address

  • Click on the password reset link

  • Dont change password

  • Click any 3rd party websites(eg: Facebook, twitter)

  • Intercept the request in burpsuite proxy

  • Check if the referer header is leaking password reset token.

hashtag
Impact

It allows the person who has control of particular site to change the user’s password (CSRF attack), because this person knows reset password token of the user.

hashtag
Reference:

  • https://hackerone.com/reports/342693

  • https://hackerone.com/reports/272379

  • https://hackerone.com/reports/737042

  • https://medium.com/@rubiojhayz1234/toyotas-password-reset-token-and-email-address-leak-via-referer-header-b0ede6507c6a

  • https://medium.com/@shahjerry33/password-reset-token-leak-via-referrer-2e622500c2c1

hashtag
Account Takeover Through Password Reset Poisoning

If you find a host header attack and it’s out of scope, try to find the password reset button!

hashtag
Exploitation

  • Intercept the password reset request in Burpsuite

  • Add following header or edit header in burpsuite(try one by one)

  • Check if the link to change the password inside the email is pointing to attacker.com

hashtag
Patch

Use $_SERVER['SERVER_NAME'] rather than $_SERVER['HTTP_HOST']

hashtag
Impact

The victim will receive the malicious link in their email, and, when clicked, will leak the user’s password reset link / token to the attacker, leading to full account takeover.

hashtag
Reference:

  • https://hackerone.com/reports/226659

  • https://hackerone.com/reports/167631

  • https://www.acunetix.com/blog/articles/password-reset-poisoning/

  • https://pethuraj.com/blog/how-i-earned-800-for-host-header-injection-vulnerability/

  • https://medium.com/@swapmaurya20/password-reset-poisoning-leading-to-account-takeover-f178f5f1de87

hashtag
Account Takeover: Password Reset With Manipualating Email Parameter

hashtag
Exploitation

  • Add attacker email as second parameter using &

  • Add attacker email as second parameter using %20

  • Add attacker email as second parameter using |

  • Add attacker email as second parameter using cc

  • Add attacker email as second parameter using bcc

  • Add attacker email as second parameter using ,

  • Add attacker email as second parameter in json array

hashtag
Reference

  • https://medium.com/@0xankush/readme-com-account-takeover-bugbounty-fulldisclosure-a36ddbe915be

  • https://ninadmathpati.com/2019/08/17/how-i-was-able-to-earn-1000-with-just-10-minutes-of-bug-bounty/

  • https://twitter.com/HusseiN98D/status/1254888748216655872

hashtag
Full Account Takeover via Changing Email And Password of any User through API Parameters

hashtag
Exploitation

  • Attacker have to login with their account and Go to the Change password function

  • Start the Burp Suite and Intercept the request

  • After intercepting the request sent it to repeater and modify parameters Email and Password

hashtag
Reference

  • https://medium.com/@adeshkolte/full-account-takeover-changing-email-and-password-of-any-user-through-api-parameters-3d527ab27240

hashtag
No Rate Limiting: Email Bombing

hashtag
Exploitation

  • Start the Burp Suite and Intercept the password reset request

  • Send to intruder

  • Use null payload

hashtag
Reference

  • https://hackerone.com/reports/280534

  • https://hackerone.com/reports/794395

hashtag
Find out How Password Reset Token is Generated

Figure out the pattern of password reset token

If it

  • Generated based Timestamp

  • Generated based on the UserID

  • Generated based on email of User

  • Generated based on Firstname and Lastname

  • Generated based on Date of Birth

  • Generated based on Cryptography

Use Burp Sequencer to find the randomness or predictability of tokens.

hashtag
Response manipulation: Replace Bad Response With Good One

Look for Request and Response like these

Change Response

hashtag
Reference

  • https://medium.com/@innocenthacker/how-i-found-the-most-critical-bug-in-live-bug-bounty-event-7a88b3aa97b3

hashtag
Using Expired Token

  • Check if the expired token can be reused

hashtag
Brute Force Password Rest token

Try to bruteforce the reset token using Burpsuite

  • Use IP-Rotator on burpsuite to bypass IP based ratelimit.

hashtag
Reference

  • https://twitter.com/HusseiN98D/status/1254888748216655872/photo/1

hashtag
Try Using Your Token

  • Try adding your password reset token with victim’s Account

hashtag
Reference

  • https://twitter.com/HusseiN98D/status/1254888748216655872/photo/1

上一页Second Order Injection - SQLMap下一页Regular expression Denial of Service - ReDoS

最后更新于

这有帮助吗?