hacktricks/pentesting-web/reset-password.md

230 lines
12 KiB
Markdown
Raw Normal View History

# Reset/Forgotten Password Bypass
2022-04-28 16:01:33 +00:00
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
2022-04-28 16:01:33 +00:00
<details>
2022-04-28 16:01:33 +00:00
<summary>Support HackTricks</summary>
2023-12-31 01:25:17 +00:00
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
2022-04-28 16:01:33 +00:00
</details>
{% endhint %}
2022-04-28 16:01:33 +00:00
<figure><img src="../.gitbook/assets/image (380).png" alt=""><figcaption></figcaption></figure>
2023-02-27 09:28:45 +00:00
Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!
2024-02-11 02:13:58 +00:00
**Hacking Insights**\
Engage with content that delves into the thrill and challenges of hacking
2024-02-11 02:13:58 +00:00
**Real-Time Hack News**\
Keep up-to-date with fast-paced hacking world through real-time news and insights
2024-02-11 02:13:58 +00:00
**Latest Announcements**\
Stay informed with the newest bug bounties launching and crucial platform updates
2024-02-11 02:13:58 +00:00
**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!
## **Password Reset Token Leak Via Referrer**
* The HTTP referer header may leak the password reset token if it's included in the URL. This can occur when a user clicks on a third-party website link after requesting a password reset.
* **Impact**: Potential account takeover via Cross-Site Request Forgery (CSRF) attacks.
* **Exploitation**: To check if a password reset token is leaking in the referer header, **request a password reset** to your email address and **click the reset link** provided. **Do not change your password** immediately. Instead, **navigate to a third-party website** (like Facebook or Twitter) while **intercepting the requests using Burp Suite**. Inspect the requests to see if the **referer header contains the password reset token**, as this could expose sensitive information to third parties.
* **References**:
* [HackerOne Report 342693](https://hackerone.com/reports/342693)
* [HackerOne Report 272379](https://hackerone.com/reports/272379)
* [Password Reset Token Leak Article](https://medium.com/@rubiojhayz1234/toyotas-password-reset-token-and-email-address-leak-via-referer-header-b0ede6507c6a)
## **Password Reset Poisoning**
* Attackers may manipulate the Host header during password reset requests to point the reset link to a malicious site.
* **Impact**: Leads to potential account takeover by leaking reset tokens to attackers.
* **Mitigation Steps**:
* Validate the Host header against a whitelist of allowed domains.
* Use secure, server-side methods to generate absolute URLs.
* **Patch**: Use `$_SERVER['SERVER_NAME']` to construct password reset URLs instead of `$_SERVER['HTTP_HOST']`.
* **References**:
* [Acunetix Article on Password Reset Poisoning](https://www.acunetix.com/blog/articles/password-reset-poisoning/)
## **Password Reset By Manipulating Email Parameter**
Attackers can manipulate the password reset request by adding additional email parameters to divert the reset link.
* Add attacker email as second parameter using &
```php
POST /resetPassword
[...]
email=victim@email.com&email=attacker@email.com
```
* Ongeza barua pepe ya mshambuliaji kama parameter ya pili ukitumia %20
```php
POST /resetPassword
[...]
email=victim@email.com%20email=attacker@email.com
```
* Ongeza barua pepe ya mshambuliaji kama parameter ya pili kwa kutumia |
```php
POST /resetPassword
[...]
email=victim@email.com|email=attacker@email.com
```
* Ongeza barua pepe ya mshambuliaji kama parameter ya pili kwa kutumia cc
```php
POST /resetPassword
[...]
email="victim@mail.tld%0a%0dcc:attacker@mail.tld"
```
* Ongeza barua pepe ya mshambuliaji kama parameter ya pili kwa kutumia bcc
```php
POST /resetPassword
[...]
email="victim@mail.tld%0a%0dbcc:attacker@mail.tld"
```
* Ongeza barua pepe ya mshambuliaji kama parameter ya pili kwa kutumia ,
```php
POST /resetPassword
[...]
email="victim@mail.tld",email="attacker@mail.tld"
```
* Ongeza barua pepe ya mshambuliaji kama parameter ya pili katika array ya json
```php
POST /resetPassword
[...]
{"email":["victim@mail.tld","atracker@mail.tld"]}
```
* **Hatua za Kupunguza**:
* Pitia na uthibitishe vigezo vya barua pepe upande wa seva.
* Tumia taarifa zilizopangwa au maswali yenye vigezo ili kuzuia mashambulizi ya kuingiza.
* **Marejeo**:
* [https://medium.com/@0xankush/readme-com-account-takeover-bugbounty-fulldisclosure-a36ddbe915be](https://medium.com/@0xankush/readme-com-account-takeover-bugbounty-fulldisclosure-a36ddbe915be)
* [https://ninadmathpati.com/2019/08/17/how-i-was-able-to-earn-1000-with-just-10-minutes-of-bug-bounty/](https://ninadmathpati.com/2019/08/17/how-i-was-able-to-earn-1000-with-just-10-minutes-of-bug-bounty/)
* [https://twitter.com/HusseiN98D/status/1254888748216655872](https://twitter.com/HusseiN98D/status/1254888748216655872)
## **Kubadilisha Barua Pepe na Nywila ya Mtumiaji yeyote kupitia Vigezo vya API**
* Washambuliaji wanaweza kubadilisha vigezo vya barua pepe na nywila katika maombi ya API ili kubadilisha akauti.
```php
POST /api/changepass
[...]
("form": {"email":"victim@email.tld","password":"12345678"})
```
* **Hatua za Kupunguza**:
* Hakikisha uthibitisho mkali wa vigezo na ukaguzi wa uthibitisho.
* Tekeleza ufuatiliaji na kumbukumbu thabiti ili kugundua na kujibu shughuli za kushuku.
* **Marejeo**:
* [Uchukuaji Kamili wa Akaunti kupitia Urekebishaji wa Vigezo vya API](https://medium.com/@adeshkolte/full-account-takeover-changing-email-and-password-of-any-user-through-api-parameters-3d527ab27240)
## **Hakuna Kizuizi cha Kiwango: Ujumbe wa Barua Pepe**
* Ukosefu wa kizuizi cha kiwango kwenye maombi ya kurekebisha nenosiri kunaweza kusababisha ujumbe wa barua pepe, ukimzidisha mtumiaji kwa barua pepe za kurekebisha.
* **Hatua za Kupunguza**:
* Tekeleza kizuizi cha kiwango kulingana na anwani ya IP au akaunti ya mtumiaji.
* Tumia changamoto za CAPTCHA kuzuia matumizi ya kiotomatiki.
* **Marejeo**:
* [Ripoti ya HackerOne 280534](https://hackerone.com/reports/280534)
## **Jifunze Jinsi Token ya Kurekebisha Nenosiri Inavyotengenezwa**
* Kuelewa muundo au njia nyuma ya uzalishaji wa token kunaweza kusababisha kutabiri au kujaribu nguvu token. Chaguzi kadhaa:
* Kulingana na Wakati
* Kulingana na UserID
* Kulingana na barua pepe ya Mtumiaji
* Kulingana na Jina la Kwanza na Jina la Mwisho
* Kulingana na Tarehe ya Kuzaliwa
* Kulingana na Cryptography
* **Hatua za Kupunguza**:
* Tumia mbinu thabiti za kisasa za cryptographic kwa ajili ya uzalishaji wa token.
* Hakikisha kutokuwa na utabiri na urefu wa kutosha ili kuzuia utabiri.
* **Zana**: Tumia Burp Sequencer kuchambua kutokuwa na utabiri kwa token.
## **UUID Inayoweza Kukisiwa**
* Ikiwa UUIDs (toleo la 1) zinaweza kukisiwa au kutabiriwa, washambuliaji wanaweza kujaribu nguvu ili kuzalisha token za kurekebisha halali. Angalia:
2024-02-11 02:13:58 +00:00
{% content-ref url="uuid-insecurities.md" %}
[uuid-insecurities.md](uuid-insecurities.md)
{% endcontent-ref %}
* **Hatua za Kupunguza**:
* Tumia toleo la GUID 4 kwa ajili ya kutokuwa na utabiri au tekeleza hatua za ziada za usalama kwa matoleo mengine.
* **Zana**: Tumia [guidtool](https://github.com/intruder-io/guidtool) kwa ajili ya kuchambua na kuzalisha GUIDs.
2024-02-11 02:13:58 +00:00
## **Urekebishaji wa Majibu: Badilisha Jibu Mbaya na Jibu Nzuri**
* Kubadilisha majibu ya HTTP ili kupita ujumbe wa makosa au vizuizi.
* **Hatua za Kupunguza**:
* Tekeleza ukaguzi wa upande wa seva ili kuhakikisha uadilifu wa majibu.
* Tumia njia salama za mawasiliano kama HTTPS ili kuzuia mashambulizi ya mtu katikati.
* **Marejeo**:
* [Kosa Muhimu katika Tukio la Bug Bounty la Moja kwa Moja](https://medium.com/@innocenthacker/how-i-found-the-most-critical-bug-in-live-bug-bounty-event-7a88b3aa97b3)
## **Kutumia Token Iliyokwisha Muda**
* Kuangalia ikiwa token zilizokwisha muda zinaweza kutumika bado kwa ajili ya kurekebisha nenosiri.
* **Hatua za Kupunguza**:
* Tekeleza sera kali za kumalizika kwa token na kuthibitisha kumalizika kwa token upande wa seva.
## **Token ya Kurekebisha Nenosiri kwa Njia ya Nguvu**
* Kujaribu kujaribu nguvu token ya kurekebisha kwa kutumia zana kama Burpsuite na IP-Rotator ili kupita vizuizi vya kiwango kulingana na IP.
* **Hatua za Kupunguza**:
* Tekeleza kizuizi thabiti cha kiwango na mifumo ya kufunga akaunti.
* Fuata shughuli za kushuku zinazoweza kuashiria mashambulizi ya nguvu.
## **Jaribu Kutumia Token Yako**
* Kuangalia ikiwa token ya kurekebisha ya mshambuliaji inaweza kutumika pamoja na barua pepe ya mwathirika.
* **Hatua za Kupunguza**:
* Hakikisha kwamba token zimefungwa kwa kikao cha mtumiaji au sifa nyingine maalum za mtumiaji.
## **Ubatilishaji wa Kikao katika Kutoka/Kurekebisha Nenosiri**
* Hakikisha kwamba vikao vinabatilishwa wakati mtumiaji anapotoka au kurekebisha nenosiri yao.
* **Hatua za Kupunguza**:
* Tekeleza usimamizi mzuri wa vikao, kuhakikisha kwamba vikao vyote vinabatilishwa wakati wa kutoka au kurekebisha nenosiri.
## **Ubatilishaji wa Kikao katika Kutoka/Kurekebisha Nenosiri**
* Token za kurekebisha zinapaswa kuwa na muda wa kumalizika baada ya hapo zinakuwa batili.
* **Hatua za Kupunguza**:
* Weka muda wa kumalizika unaofaa kwa token za kurekebisha na utekekeleze kwa ukali upande wa seva.
2024-02-11 02:13:58 +00:00
## Marejeo
2024-02-05 02:28:59 +00:00
* [https://anugrahsr.github.io/posts/10-Password-reset-flaws/#10-try-using-your-token](https://anugrahsr.github.io/posts/10-Password-reset-flaws/#10-try-using-your-token)
<figure><img src="../.gitbook/assets/image (380).png" alt=""><figcaption></figcaption></figure>
2023-07-14 15:03:41 +00:00
Jiunge na [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server ili kuwasiliana na hackers wenye uzoefu na wawindaji wa bug bounty!
2022-10-27 23:22:18 +00:00
**Maoni ya Udukuzi**\
Shiriki na maudhui yanayochunguza msisimko na changamoto za udukuzi
2022-10-27 23:22:18 +00:00
**Habari za Udukuzi kwa Wakati Halisi**\
Baki na habari za kisasa katika ulimwengu wa udukuzi kupitia habari na maoni ya wakati halisi
2023-02-27 09:28:45 +00:00
**Matangazo ya Hivi Punde**\
Baki na habari kuhusu bug bounties mpya zinazozinduliwa na masasisho muhimu ya jukwaa
2023-02-27 09:28:45 +00:00
**Jiunge nasi kwenye** [**Discord**](https://discord.com/invite/N3FrSbmwdy) na uanze kushirikiana na hackers bora leo!
{% hint style="success" %}
Jifunze na fanya mazoezi ya Udukuzi wa AWS:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya Udukuzi wa GCP: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% endhint %}