hacktricks/pentesting-web/reset-password.md

# Reset/Forgotten Password Bypass

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>

<figure><img src="../../.gitbook/assets/image (1) (3) (1).png" alt=""><figcaption></figcaption></figure>

Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!

**Hacking Insights**\
Engage with content that delves into the thrill and challenges of hacking

**Real-Time Hack News**\
Keep up-to-date with fast-paced hacking world through real-time news and insights

**Latest Announcements**\
Stay informed with the newest bug bounties launching and crucial platform updates

**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!

## **Password Reset Token Leak Via Referrer**
   * The HTTP referer header may leak the password reset token if it's included in the URL. This can occur when a user clicks on a third-party website link after requesting a password reset.
   * **Impact**: Potential account takeover via Cross-Site Request Forgery (CSRF) attacks.
   * **References**:
     - [HackerOne Report 342693](https://hackerone.com/reports/342693)
     - [HackerOne Report 272379](https://hackerone.com/reports/272379)
     - [Password Reset Token Leak Article](https://medium.com/@rubiojhayz1234/toyotas-password-reset-token-and-email-address-leak-via-referer-header-b0ede6507c6a)

## **Password Reset Poisoning**
   * Attackers may manipulate the Host header during password reset requests to point the reset link to a malicious site.
   * **Patch**: Use `$_SERVER['SERVER_NAME']` to construct password reset URLs instead of `$_SERVER['HTTP_HOST']`.
   * **Impact**: Leads to potential account takeover by leaking reset tokens to attackers.
   * **Mitigation Steps**:
     - Validate the Host header against a whitelist of allowed domains.
     - Use secure, server-side methods to generate absolute URLs.
   * **References**:
     - [Acunetix Article on Password Reset Poisoning](https://www.acunetix.com/blog/articles/password-reset-poisoning/)

## **Password Reset By Manipulating Email Parameter**
   * Attackers can manipulate the password reset request by adding additional email parameters to divert the reset link.
   * **Mitigation Steps**:
     - Properly parse and validate email parameters server-side.
     - Use prepared statements or parameterized queries to prevent injection attacks.
   * **References**:
     - [Readme.com Account Takeover](https://medium.com/@0xankush/readme-com-account-takeover-bugbounty-fulldisclosure-a36ddbe915be)

## **Changing Email And Password of any User through API Parameters**
   * Attackers can modify email and password parameters in API requests to change account credentials.
   * **Mitigation Steps**:
     - Ensure strict parameter validation and authentication checks.
     - Implement robust logging and monitoring to detect and respond to suspicious activities.
   * **Reference**:
     - [Full Account Takeover via API Parameter Manipulation](https://medium.com/@adeshkolte/full-account-takeover-changing-email-and-password-of-any-user-through-api-parameters-3d527ab27240)

## **No Rate Limiting: Email Bombing**
   * Lack of rate limiting on password reset requests can lead to email bombing, overwhelming the user with reset emails.
   * **Mitigation Steps**:
     - Implement rate limiting based on IP address or user account.
     - Use CAPTCHA challenges to prevent automated abuse.
   * **References**:
     - [HackerOne Report 280534](https://hackerone.com/reports/280534)

## **Find out How Password Reset Token is Generated**
   * Understanding the pattern or method behind token generation can lead to predicting or brute-forcing tokens.
   * **Mitigation Steps**:
     - Use strong, cryptographic methods for token generation.
     - Ensure sufficient randomness and length to prevent predictability.
   * **Tools**: Use Burp Sequencer to analyze the randomness of tokens.

## **Guessable GUID**
   * If GUIDs (e.g., version 1) are guessable or predictable, attackers may brute-force them to generate valid reset tokens.
   * **Mitigation Steps**:
     - Use GUID version 4 for randomness or implement additional security measures for other versions.
   * **Tools**: Use [guidtool](https://github.com/intruder-io/guidtool) for analyzing and generating GUIDs.

## **Response Manipulation: Replace Bad Response With Good One**
   * Manipulating HTTP responses to bypass error messages or restrictions.
   * **Mitigation Steps**:
     - Implement server-side checks to ensure response integrity.
     - Use secure communication channels like HTTPS to prevent man-in-the-middle attacks.
   * **Reference**:
     - [Critical Bug in Live Bug Bounty Event](https://medium.com/@innocenthacker/how-i-found-the-most-critical-bug-in-live-bug-bounty-event-7a88b3aa97b3)

## **Using Expired Token**
   * Testing whether expired tokens can still be used for password reset.
   * **Mitigation Steps**:
     - Implement strict token expiration policies and validate token expiry server-side.

 ## **Brute Force Password Reset Token**
   * Attempting to brute-force the reset token using tools like Burpsuite and IP-Rotator to bypass IP-based rate limits.
   * **Mitigation Steps**:
     - Implement robust rate-limiting and account lockout mechanisms.
     - Monitor for suspicious activities indicative of brute-force attacks.

## **Try Using Your Token**
   * Testing if an attacker's reset token can be used in conjunction with the victim's email.
   * **Mitigation Steps**:
     - Ensure that tokens are bound to the user session or other user-specific attributes.

## **Session Invalidation in Logout/Password Reset**
   * Ensuring that sessions are invalidated when a user logs out or resets their password.
   * **Mitigation Steps**:
     - Implement proper session management, ensuring that all sessions are invalidated upon logout or password reset.

## **Session Invalidation in Logout/Password Reset**
   * Reset tokens should have an expiration time after which they become invalid.
   * **Mitigation Steps**:
     - Set a reasonable expiration time for reset tokens and strictly enforce it server-side.

# References
* [https://anugrahsr.github.io/posts/10-Password-reset-flaws/#10-try-using-your-token](https://anugrahsr.github.io/posts/10-Password-reset-flaws/#10-try-using-your-token)

<figure><img src="../../.gitbook/assets/image (1) (3) (1).png" alt=""><figcaption></figcaption></figure>

Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!

**Hacking Insights**\
Engage with content that delves into the thrill and challenges of hacking

**Real-Time Hack News**\
Keep up-to-date with fast-paced hacking world through real-time news and insights

**Latest Announcements**\
Stay informed with the newest bug bounties launching and crucial platform updates

**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>