2022-10-26 09:16:32 +00:00
# Reset/Forgotten Password Bypass
2022-04-28 16:01:33 +00:00
2024-07-19 14:09:38 +00:00
{% hint style="success" %}
Learn & practice AWS Hacking:< img src = "/.gitbook/assets/arte.png" alt = "" data-size = "line" > [**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)< img src = "/.gitbook/assets/arte.png" alt = "" data-size = "line" > \
Learn & practice GCP Hacking: < img src = "/.gitbook/assets/grte.png" alt = "" data-size = "line" > [**HackTricks Training GCP Red Team Expert (GRTE)**< img src = "/.gitbook/assets/grte.png" alt = "" data-size = "line" > ](https://training.hacktricks.xyz/courses/grte)
2022-04-28 16:01:33 +00:00
2024-07-19 14:09:38 +00:00
< details >
2022-04-28 16:01:33 +00:00
2024-07-19 14:09:38 +00:00
< summary > Support HackTricks< / summary >
2023-12-31 01:25:17 +00:00
2024-07-19 14:09:38 +00:00
* Check the [**subscription plans** ](https://github.com/sponsors/carlospolop )!
* **Join the** 💬 [**Discord group** ](https://discord.gg/hRep4RUj7f ) or the [**telegram group** ](https://t.me/peass ) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live** ](https://twitter.com/hacktricks\_live )**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks** ](https://github.com/carlospolop/hacktricks ) and [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) github repos.
2022-04-28 16:01:33 +00:00
< / details >
2024-07-19 14:09:38 +00:00
{% endhint %}
2022-04-28 16:01:33 +00:00
2024-05-05 17:56:05 +00:00
< figure > < img src = "../.gitbook/assets/image (380).png" alt = "" > < figcaption > < / figcaption > < / figure >
2023-02-27 09:28:45 +00:00
2023-12-04 15:45:05 +00:00
Join [**HackenProof Discord** ](https://discord.com/invite/N3FrSbmwdy ) server to communicate with experienced hackers and bug bounty hunters!
2023-02-27 09:28:45 +00:00
2023-12-04 15:45:05 +00:00
**Hacking Insights**\
Engage with content that delves into the thrill and challenges of hacking
2023-02-27 09:28:45 +00:00
2023-12-04 15:45:05 +00:00
**Real-Time Hack News**\
Keep up-to-date with fast-paced hacking world through real-time news and insights
2023-07-14 15:03:41 +00:00
2023-12-04 15:45:05 +00:00
**Latest Announcements**\
Stay informed with the newest bug bounties launching and crucial platform updates
2023-07-14 15:03:41 +00:00
2023-12-04 15:45:05 +00:00
**Join us on** [**Discord** ](https://discord.com/invite/N3FrSbmwdy ) and start collaborating with top hackers today!
2022-10-27 23:22:18 +00:00
2024-02-05 02:28:59 +00:00
## **Password Reset Token Leak Via Referrer**
2024-04-06 16:25:58 +00:00
* The HTTP referer header may leak the password reset token if it's included in the URL. This can occur when a user clicks on a third-party website link after requesting a password reset.
* **Impact**: Potential account takeover via Cross-Site Request Forgery (CSRF) attacks.
2024-06-13 09:58:58 +00:00
* **Exploitation**: To check if a password reset token is leaking in the referer header, **request a password reset** to your email address and **click the reset link** provided. **Do not change your password** immediately. Instead, **navigate to a third-party website** (like Facebook or Twitter) while **intercepting the requests using Burp Suite** . Inspect the requests to see if the **referer header contains the password reset token** , as this could expose sensitive information to third parties.
2024-04-06 16:25:58 +00:00
* **References**:
* [HackerOne Report 342693 ](https://hackerone.com/reports/342693 )
* [HackerOne Report 272379 ](https://hackerone.com/reports/272379 )
* [Password Reset Token Leak Article ](https://medium.com/@rubiojhayz1234/toyotas-password-reset-token-and-email-address-leak-via-referer-header-b0ede6507c6a )
2024-02-05 02:28:59 +00:00
## **Password Reset Poisoning**
2024-04-06 16:25:58 +00:00
* Attackers may manipulate the Host header during password reset requests to point the reset link to a malicious site.
* **Impact**: Leads to potential account takeover by leaking reset tokens to attackers.
* **Mitigation Steps**:
* Validate the Host header against a whitelist of allowed domains.
* Use secure, server-side methods to generate absolute URLs.
2024-06-13 09:58:58 +00:00
* **Patch**: Use `$_SERVER['SERVER_NAME']` to construct password reset URLs instead of `$_SERVER['HTTP_HOST']` .
2024-04-06 16:25:58 +00:00
* **References**:
* [Acunetix Article on Password Reset Poisoning ](https://www.acunetix.com/blog/articles/password-reset-poisoning/ )
2024-02-05 02:28:59 +00:00
## **Password Reset By Manipulating Email Parameter**
2024-04-06 16:25:58 +00:00
2024-06-13 09:58:58 +00:00
Attackers can manipulate the password reset request by adding additional email parameters to divert the reset link.
* Add attacker email as second parameter using &
```php
POST /resetPassword
[...]
email=victim@email.com& email=attacker@email.com
```
* Add attacker email as second parameter using %20
```php
POST /resetPassword
[...]
email=victim@email.com%20email=attacker@email.com
```
* Add attacker email as second parameter using |
```php
POST /resetPassword
[...]
email=victim@email.com|email=attacker@email.com
```
* Add attacker email as second parameter using cc
```php
POST /resetPassword
[...]
email="victim@mail.tld%0a%0dcc:attacker@mail.tld"
```
* Add attacker email as second parameter using bcc
```php
POST /resetPassword
[...]
email="victim@mail.tld%0a%0dbcc:attacker@mail.tld"
```
* Add attacker email as second parameter using ,
```php
POST /resetPassword
[...]
email="victim@mail.tld",email="attacker@mail.tld"
```
* Add attacker email as second parameter in json array
```php
POST /resetPassword
[...]
{"email":["victim@mail.tld","atracker@mail.tld"]}
```
2024-04-06 16:25:58 +00:00
* **Mitigation Steps**:
* Properly parse and validate email parameters server-side.
* Use prepared statements or parameterized queries to prevent injection attacks.
* **References**:
2024-06-13 09:58:58 +00:00
* [https://medium.com/@0xankush/readme-com-account-takeover-bugbounty-fulldisclosure-a36ddbe915be ](https://medium.com/@0xankush/readme-com-account-takeover-bugbounty-fulldisclosure-a36ddbe915be )
* [https://ninadmathpati.com/2019/08/17/how-i-was-able-to-earn-1000-with-just-10-minutes-of-bug-bounty/ ](https://ninadmathpati.com/2019/08/17/how-i-was-able-to-earn-1000-with-just-10-minutes-of-bug-bounty/ )
* [https://twitter.com/HusseiN98D/status/1254888748216655872 ](https://twitter.com/HusseiN98D/status/1254888748216655872 )
2024-02-05 02:28:59 +00:00
## **Changing Email And Password of any User through API Parameters**
2024-04-06 16:25:58 +00:00
* Attackers can modify email and password parameters in API requests to change account credentials.
2024-06-13 09:58:58 +00:00
```php
POST /api/changepass
[...]
("form": {"email":"victim@email.tld","password":"12345678"})
```
2024-04-06 16:25:58 +00:00
* **Mitigation Steps**:
* Ensure strict parameter validation and authentication checks.
* Implement robust logging and monitoring to detect and respond to suspicious activities.
* **Reference**:
* [Full Account Takeover via API Parameter Manipulation ](https://medium.com/@adeshkolte/full-account-takeover-changing-email-and-password-of-any-user-through-api-parameters-3d527ab27240 )
2024-02-05 02:28:59 +00:00
## **No Rate Limiting: Email Bombing**
2024-04-06 16:25:58 +00:00
* Lack of rate limiting on password reset requests can lead to email bombing, overwhelming the user with reset emails.
* **Mitigation Steps**:
* Implement rate limiting based on IP address or user account.
* Use CAPTCHA challenges to prevent automated abuse.
* **References**:
* [HackerOne Report 280534 ](https://hackerone.com/reports/280534 )
2024-02-05 02:28:59 +00:00
## **Find out How Password Reset Token is Generated**
2024-04-06 16:25:58 +00:00
2024-06-13 09:58:58 +00:00
* Understanding the pattern or method behind token generation can lead to predicting or brute-forcing tokens. Some options:
* Based Timestamp
* Based on the UserID
* Based on email of User
* Based on Firstname and Lastname
* Based on Date of Birth
* Based on Cryptography
2024-04-06 16:25:58 +00:00
* **Mitigation Steps**:
* Use strong, cryptographic methods for token generation.
* Ensure sufficient randomness and length to prevent predictability.
* **Tools**: Use Burp Sequencer to analyze the randomness of tokens.
2024-02-05 02:28:59 +00:00
2024-06-13 09:58:58 +00:00
## **Guessable UUID**
* If UUIDs (version 1) are guessable or predictable, attackers may brute-force them to generate valid reset tokens. Check:
{% content-ref url="uuid-insecurities.md" %}
[uuid-insecurities.md ](uuid-insecurities.md )
{% endcontent-ref %}
2024-04-06 16:25:58 +00:00
* **Mitigation Steps**:
* Use GUID version 4 for randomness or implement additional security measures for other versions.
* **Tools**: Use [guidtool ](https://github.com/intruder-io/guidtool ) for analyzing and generating GUIDs.
2024-02-05 02:28:59 +00:00
## **Response Manipulation: Replace Bad Response With Good One**
2024-04-06 16:25:58 +00:00
* Manipulating HTTP responses to bypass error messages or restrictions.
* **Mitigation Steps**:
* Implement server-side checks to ensure response integrity.
* Use secure communication channels like HTTPS to prevent man-in-the-middle attacks.
* **Reference**:
* [Critical Bug in Live Bug Bounty Event ](https://medium.com/@innocenthacker/how-i-found-the-most-critical-bug-in-live-bug-bounty-event-7a88b3aa97b3 )
2024-02-05 02:28:59 +00:00
## **Using Expired Token**
2024-02-06 03:10:38 +00:00
2024-04-06 16:25:58 +00:00
* Testing whether expired tokens can still be used for password reset.
* **Mitigation Steps**:
* Implement strict token expiration policies and validate token expiry server-side.
## **Brute Force Password Reset Token**
* Attempting to brute-force the reset token using tools like Burpsuite and IP-Rotator to bypass IP-based rate limits.
* **Mitigation Steps**:
* Implement robust rate-limiting and account lockout mechanisms.
* Monitor for suspicious activities indicative of brute-force attacks.
2024-02-05 02:28:59 +00:00
## **Try Using Your Token**
2024-04-06 16:25:58 +00:00
* Testing if an attacker's reset token can be used in conjunction with the victim's email.
* **Mitigation Steps**:
* Ensure that tokens are bound to the user session or other user-specific attributes.
2024-02-05 02:28:59 +00:00
## **Session Invalidation in Logout/Password Reset**
2024-04-06 16:25:58 +00:00
* Ensuring that sessions are invalidated when a user logs out or resets their password.
* **Mitigation Steps**:
* Implement proper session management, ensuring that all sessions are invalidated upon logout or password reset.
2024-02-06 03:10:38 +00:00
## **Session Invalidation in Logout/Password Reset**
2024-04-06 16:25:58 +00:00
* Reset tokens should have an expiration time after which they become invalid.
* **Mitigation Steps**:
* Set a reasonable expiration time for reset tokens and strictly enforce it server-side.
2024-02-05 02:28:59 +00:00
2024-02-08 21:36:35 +00:00
## References
2024-04-06 16:25:58 +00:00
2024-02-05 02:28:59 +00:00
* [https://anugrahsr.github.io/posts/10-Password-reset-flaws/#10-try-using-your-token ](https://anugrahsr.github.io/posts/10-Password-reset-flaws/#10-try-using-your-token )
2021-06-27 15:43:01 +00:00
2024-05-05 17:56:05 +00:00
< figure > < img src = "../.gitbook/assets/image (380).png" alt = "" > < figcaption > < / figcaption > < / figure >
2023-07-14 15:03:41 +00:00
2023-12-04 15:45:05 +00:00
Join [**HackenProof Discord** ](https://discord.com/invite/N3FrSbmwdy ) server to communicate with experienced hackers and bug bounty hunters!
2022-10-27 23:22:18 +00:00
2023-12-04 15:45:05 +00:00
**Hacking Insights**\
Engage with content that delves into the thrill and challenges of hacking
2022-10-27 23:22:18 +00:00
2023-12-04 15:45:05 +00:00
**Real-Time Hack News**\
Keep up-to-date with fast-paced hacking world through real-time news and insights
2023-02-27 09:28:45 +00:00
2023-12-04 15:45:05 +00:00
**Latest Announcements**\
Stay informed with the newest bug bounties launching and crucial platform updates
2023-02-27 09:28:45 +00:00
2023-12-04 15:45:05 +00:00
**Join us on** [**Discord** ](https://discord.com/invite/N3FrSbmwdy ) and start collaborating with top hackers today!
2022-10-27 23:22:18 +00:00
2024-07-19 14:09:38 +00:00
{% hint style="success" %}
Learn & practice AWS Hacking:< img src = "/.gitbook/assets/arte.png" alt = "" data-size = "line" > [**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)< img src = "/.gitbook/assets/arte.png" alt = "" data-size = "line" > \
Learn & practice GCP Hacking: < img src = "/.gitbook/assets/grte.png" alt = "" data-size = "line" > [**HackTricks Training GCP Red Team Expert (GRTE)**< img src = "/.gitbook/assets/grte.png" alt = "" data-size = "line" > ](https://training.hacktricks.xyz/courses/grte)
2022-04-28 16:01:33 +00:00
2024-07-19 14:09:38 +00:00
< details >
2022-04-28 16:01:33 +00:00
2024-07-19 14:09:38 +00:00
< summary > Support HackTricks< / summary >
2023-12-31 01:25:17 +00:00
2024-07-19 14:09:38 +00:00
* Check the [**subscription plans** ](https://github.com/sponsors/carlospolop )!
* **Join the** 💬 [**Discord group** ](https://discord.gg/hRep4RUj7f ) or the [**telegram group** ](https://t.me/peass ) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live** ](https://twitter.com/hacktricks\_live )**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks** ](https://github.com/carlospolop/hacktricks ) and [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) github repos.
2022-04-28 16:01:33 +00:00
< / details >
2024-07-19 14:09:38 +00:00
{% endhint %}