hacktricks/pentesting-web/reset-password.md

# Reset/Forgotten Password Bypass

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

<figure><img src="../.gitbook/assets/image (380).png" alt=""><figcaption></figcaption></figure>

Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!

**Hacking Insights**\
Engage with content that delves into the thrill and challenges of hacking

**Real-Time Hack News**\
Keep up-to-date with fast-paced hacking world through real-time news and insights

**Latest Announcements**\
Stay informed with the newest bug bounties launching and crucial platform updates

**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!

## **Password Reset Token Leak Via Referrer**

* The HTTP referer header may leak the password reset token if it's included in the URL. This can occur when a user clicks on a third-party website link after requesting a password reset.
* **Impact**: Potential account takeover via Cross-Site Request Forgery (CSRF) attacks.
* **Exploitation**: To check if a password reset token is leaking in the referer header, **request a password reset** to your email address and **click the reset link** provided. **Do not change your password** immediately. Instead, **navigate to a third-party website** (like Facebook or Twitter) while **intercepting the requests using Burp Suite**. Inspect the requests to see if the **referer header contains the password reset token**, as this could expose sensitive information to third parties.
* **References**:
* [HackerOne Report 342693](https://hackerone.com/reports/342693)
* [HackerOne Report 272379](https://hackerone.com/reports/272379)
* [Password Reset Token Leak Article](https://medium.com/@rubiojhayz1234/toyotas-password-reset-token-and-email-address-leak-via-referer-header-b0ede6507c6a)

## **Password Reset Poisoning**

* Attackers may manipulate the Host header during password reset requests to point the reset link to a malicious site.
* **Impact**: Leads to potential account takeover by leaking reset tokens to attackers.
* **Mitigation Steps**:
* Validate the Host header against a whitelist of allowed domains.
* Use secure, server-side methods to generate absolute URLs.
* **Patch**: Use `$_SERVER['SERVER_NAME']` to construct password reset URLs instead of `$_SERVER['HTTP_HOST']`.
* **References**:
* [Acunetix Article on Password Reset Poisoning](https://www.acunetix.com/blog/articles/password-reset-poisoning/)

## **Password Reset By Manipulating Email Parameter**

Attackers can manipulate the password reset request by adding additional email parameters to divert the reset link.

* Add attacker email as second parameter using &
```php
POST /resetPassword
[...]
email=victim@email.com&email=attacker@email.com
```
* Ongeza barua pepe ya mshambuliaji kama parameter ya pili ukitumia %20
```php
POST /resetPassword
[...]
email=victim@email.com%20email=attacker@email.com
```
* Ongeza barua pepe ya mshambuliaji kama parameter ya pili kwa kutumia |
```php
POST /resetPassword
[...]
email=victim@email.com|email=attacker@email.com
```
* Ongeza barua pepe ya mshambuliaji kama parameter ya pili kwa kutumia cc
```php
POST /resetPassword
[...]
email="victim@mail.tld%0a%0dcc:attacker@mail.tld"
```
* Ongeza barua pepe ya mshambuliaji kama parameter ya pili kwa kutumia bcc
```php
POST /resetPassword
[...]
email="victim@mail.tld%0a%0dbcc:attacker@mail.tld"
```
* Ongeza barua pepe ya mshambuliaji kama parameter ya pili kwa kutumia ,
```php
POST /resetPassword
[...]
email="victim@mail.tld",email="attacker@mail.tld"
```
* Ongeza barua pepe ya mshambuliaji kama parameter ya pili katika array ya json
```php
POST /resetPassword
[...]
{"email":["victim@mail.tld","atracker@mail.tld"]}
```
* **Hatua za Kupunguza**:
* Pitia na uthibitishe vigezo vya barua pepe upande wa seva.
* Tumia taarifa zilizopangwa au maswali yenye vigezo ili kuzuia mashambulizi ya kuingiza.
* **Marejeo**:
* [https://medium.com/@0xankush/readme-com-account-takeover-bugbounty-fulldisclosure-a36ddbe915be](https://medium.com/@0xankush/readme-com-account-takeover-bugbounty-fulldisclosure-a36ddbe915be)
* [https://ninadmathpati.com/2019/08/17/how-i-was-able-to-earn-1000-with-just-10-minutes-of-bug-bounty/](https://ninadmathpati.com/2019/08/17/how-i-was-able-to-earn-1000-with-just-10-minutes-of-bug-bounty/)
* [https://twitter.com/HusseiN98D/status/1254888748216655872](https://twitter.com/HusseiN98D/status/1254888748216655872)

## **Kubadilisha Barua Pepe na Nywila ya Mtumiaji yeyote kupitia Vigezo vya API**

* Washambuliaji wanaweza kubadilisha vigezo vya barua pepe na nywila katika maombi ya API ili kubadilisha akauti.
```php
POST /api/changepass
[...]
("form": {"email":"victim@email.tld","password":"12345678"})
```
* **Hatua za Kupunguza**:
* Hakikisha uthibitisho mkali wa vigezo na ukaguzi wa uthibitisho.
* Tekeleza ufuatiliaji na kumbukumbu thabiti ili kugundua na kujibu shughuli za kushuku.
* **Marejeo**:
* [Uchukuaji Kamili wa Akaunti kupitia Urekebishaji wa Vigezo vya API](https://medium.com/@adeshkolte/full-account-takeover-changing-email-and-password-of-any-user-through-api-parameters-3d527ab27240)

## **Hakuna Kizuizi cha Kiwango: Ujumbe wa Barua Pepe**

* Ukosefu wa kizuizi cha kiwango kwenye maombi ya kurekebisha nenosiri kunaweza kusababisha ujumbe wa barua pepe, ukimzidisha mtumiaji kwa barua pepe za kurekebisha.
* **Hatua za Kupunguza**:
* Tekeleza kizuizi cha kiwango kulingana na anwani ya IP au akaunti ya mtumiaji.
* Tumia changamoto za CAPTCHA kuzuia matumizi ya kiotomatiki.
* **Marejeo**:
* [Ripoti ya HackerOne 280534](https://hackerone.com/reports/280534)

## **Jifunze Jinsi Token ya Kurekebisha Nenosiri Inavyotengenezwa**

* Kuelewa muundo au njia nyuma ya uzalishaji wa token kunaweza kusababisha kutabiri au kujaribu nguvu token. Chaguzi kadhaa:
* Kulingana na Wakati
* Kulingana na UserID
* Kulingana na barua pepe ya Mtumiaji
* Kulingana na Jina la Kwanza na Jina la Mwisho
* Kulingana na Tarehe ya Kuzaliwa
* Kulingana na Cryptography
* **Hatua za Kupunguza**:
* Tumia mbinu thabiti za kisasa za cryptographic kwa ajili ya uzalishaji wa token.
* Hakikisha kutokuwa na utabiri na urefu wa kutosha ili kuzuia utabiri.
* **Zana**: Tumia Burp Sequencer kuchambua kutokuwa na utabiri kwa token.

## **UUID Inayoweza Kukisiwa**

* Ikiwa UUIDs (toleo la 1) zinaweza kukisiwa au kutabiriwa, washambuliaji wanaweza kujaribu nguvu ili kuzalisha token za kurekebisha halali. Angalia:

{% content-ref url="uuid-insecurities.md" %}
[uuid-insecurities.md](uuid-insecurities.md)
{% endcontent-ref %}

* **Hatua za Kupunguza**:
* Tumia toleo la GUID 4 kwa ajili ya kutokuwa na utabiri au tekeleza hatua za ziada za usalama kwa matoleo mengine.
* **Zana**: Tumia [guidtool](https://github.com/intruder-io/guidtool) kwa ajili ya kuchambua na kuzalisha GUIDs.

## **Urekebishaji wa Majibu: Badilisha Jibu Mbaya na Jibu Nzuri**

* Kubadilisha majibu ya HTTP ili kupita ujumbe wa makosa au vizuizi.
* **Hatua za Kupunguza**:
* Tekeleza ukaguzi wa upande wa seva ili kuhakikisha uadilifu wa majibu.
* Tumia njia salama za mawasiliano kama HTTPS ili kuzuia mashambulizi ya mtu katikati.
* **Marejeo**:
* [Kosa Muhimu katika Tukio la Bug Bounty la Moja kwa Moja](https://medium.com/@innocenthacker/how-i-found-the-most-critical-bug-in-live-bug-bounty-event-7a88b3aa97b3)

## **Kutumia Token Iliyokwisha Muda**

* Kuangalia ikiwa token zilizokwisha muda zinaweza kutumika bado kwa ajili ya kurekebisha nenosiri.
* **Hatua za Kupunguza**:
* Tekeleza sera kali za kumalizika kwa token na kuthibitisha kumalizika kwa token upande wa seva.

## **Token ya Kurekebisha Nenosiri kwa Njia ya Nguvu**

* Kujaribu kujaribu nguvu token ya kurekebisha kwa kutumia zana kama Burpsuite na IP-Rotator ili kupita vizuizi vya kiwango kulingana na IP.
* **Hatua za Kupunguza**:
* Tekeleza kizuizi thabiti cha kiwango na mifumo ya kufunga akaunti.
* Fuata shughuli za kushuku zinazoweza kuashiria mashambulizi ya nguvu.

## **Jaribu Kutumia Token Yako**

* Kuangalia ikiwa token ya kurekebisha ya mshambuliaji inaweza kutumika pamoja na barua pepe ya mwathirika.
* **Hatua za Kupunguza**:
* Hakikisha kwamba token zimefungwa kwa kikao cha mtumiaji au sifa nyingine maalum za mtumiaji.

## **Ubatilishaji wa Kikao katika Kutoka/Kurekebisha Nenosiri**

* Hakikisha kwamba vikao vinabatilishwa wakati mtumiaji anapotoka au kurekebisha nenosiri yao.
* **Hatua za Kupunguza**:
* Tekeleza usimamizi mzuri wa vikao, kuhakikisha kwamba vikao vyote vinabatilishwa wakati wa kutoka au kurekebisha nenosiri.

## **Ubatilishaji wa Kikao katika Kutoka/Kurekebisha Nenosiri**

* Token za kurekebisha zinapaswa kuwa na muda wa kumalizika baada ya hapo zinakuwa batili.
* **Hatua za Kupunguza**:
* Weka muda wa kumalizika unaofaa kwa token za kurekebisha na utekekeleze kwa ukali upande wa seva.

## Marejeo

* [https://anugrahsr.github.io/posts/10-Password-reset-flaws/#10-try-using-your-token](https://anugrahsr.github.io/posts/10-Password-reset-flaws/#10-try-using-your-token)

<figure><img src="../.gitbook/assets/image (380).png" alt=""><figcaption></figcaption></figure>

Jiunge na [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server ili kuwasiliana na hackers wenye uzoefu na wawindaji wa bug bounty!

**Maoni ya Udukuzi**\
Shiriki na maudhui yanayochunguza msisimko na changamoto za udukuzi

**Habari za Udukuzi kwa Wakati Halisi**\
Baki na habari za kisasa katika ulimwengu wa udukuzi kupitia habari na maoni ya wakati halisi

**Matangazo ya Hivi Punde**\
Baki na habari kuhusu bug bounties mpya zinazozinduliwa na masasisho muhimu ya jukwaa

**Jiunge nasi kwenye** [**Discord**](https://discord.com/invite/N3FrSbmwdy) na uanze kushirikiana na hackers bora leo!

{% hint style="success" %}
Jifunze na fanya mazoezi ya Udukuzi wa AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya Udukuzi wa GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>
{% endhint %}