# Reset/Forgotten Password Bypass {% hint style="success" %} Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}
Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters! **Hacking Insights**\ Engage with content that delves into the thrill and challenges of hacking **Real-Time Hack News**\ Keep up-to-date with fast-paced hacking world through real-time news and insights **Latest Announcements**\ Stay informed with the newest bug bounties launching and crucial platform updates **Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today! ## **Password Reset Token Leak Via Referrer** * The HTTP referer header may leak the password reset token if it's included in the URL. This can occur when a user clicks on a third-party website link after requesting a password reset. * **Impact**: Potential account takeover via Cross-Site Request Forgery (CSRF) attacks. * **Exploitation**: To check if a password reset token is leaking in the referer header, **request a password reset** to your email address and **click the reset link** provided. **Do not change your password** immediately. Instead, **navigate to a third-party website** (like Facebook or Twitter) while **intercepting the requests using Burp Suite**. Inspect the requests to see if the **referer header contains the password reset token**, as this could expose sensitive information to third parties. * **References**: * [HackerOne Report 342693](https://hackerone.com/reports/342693) * [HackerOne Report 272379](https://hackerone.com/reports/272379) * [Password Reset Token Leak Article](https://medium.com/@rubiojhayz1234/toyotas-password-reset-token-and-email-address-leak-via-referer-header-b0ede6507c6a) ## **Password Reset Poisoning** * Attackers may manipulate the Host header during password reset requests to point the reset link to a malicious site. * **Impact**: Leads to potential account takeover by leaking reset tokens to attackers. * **Mitigation Steps**: * Validate the Host header against a whitelist of allowed domains. * Use secure, server-side methods to generate absolute URLs. * **Patch**: Use `$_SERVER['SERVER_NAME']` to construct password reset URLs instead of `$_SERVER['HTTP_HOST']`. * **References**: * [Acunetix Article on Password Reset Poisoning](https://www.acunetix.com/blog/articles/password-reset-poisoning/) ## **Password Reset By Manipulating Email Parameter** Attackers can manipulate the password reset request by adding additional email parameters to divert the reset link. * Add attacker email as second parameter using & ```php POST /resetPassword [...] email=victim@email.com&email=attacker@email.com ``` * Add attacker email as second parameter using %20 ```php POST /resetPassword [...] email=victim@email.com%20email=attacker@email.com ``` * Add attacker email as second parameter using | ```php POST /resetPassword [...] email=victim@email.com|email=attacker@email.com ``` * Add attacker email as second parameter using cc ```php POST /resetPassword [...] email="victim@mail.tld%0a%0dcc:attacker@mail.tld" ``` * Add attacker email as second parameter using bcc ```php POST /resetPassword [...] email="victim@mail.tld%0a%0dbcc:attacker@mail.tld" ``` * Add attacker email as second parameter using , ```php POST /resetPassword [...] email="victim@mail.tld",email="attacker@mail.tld" ``` * Add attacker email as second parameter in json array ```php POST /resetPassword [...] {"email":["victim@mail.tld","atracker@mail.tld"]} ``` * **Mitigation Steps**: * Properly parse and validate email parameters server-side. * Use prepared statements or parameterized queries to prevent injection attacks. * **References**: * [https://medium.com/@0xankush/readme-com-account-takeover-bugbounty-fulldisclosure-a36ddbe915be](https://medium.com/@0xankush/readme-com-account-takeover-bugbounty-fulldisclosure-a36ddbe915be) * [https://ninadmathpati.com/2019/08/17/how-i-was-able-to-earn-1000-with-just-10-minutes-of-bug-bounty/](https://ninadmathpati.com/2019/08/17/how-i-was-able-to-earn-1000-with-just-10-minutes-of-bug-bounty/) * [https://twitter.com/HusseiN98D/status/1254888748216655872](https://twitter.com/HusseiN98D/status/1254888748216655872) ## **Changing Email And Password of any User through API Parameters** * Attackers can modify email and password parameters in API requests to change account credentials. ```php POST /api/changepass [...] ("form": {"email":"victim@email.tld","password":"12345678"}) ``` * **Mitigation Steps**: * Ensure strict parameter validation and authentication checks. * Implement robust logging and monitoring to detect and respond to suspicious activities. * **Reference**: * [Full Account Takeover via API Parameter Manipulation](https://medium.com/@adeshkolte/full-account-takeover-changing-email-and-password-of-any-user-through-api-parameters-3d527ab27240) ## **No Rate Limiting: Email Bombing** * Lack of rate limiting on password reset requests can lead to email bombing, overwhelming the user with reset emails. * **Mitigation Steps**: * Implement rate limiting based on IP address or user account. * Use CAPTCHA challenges to prevent automated abuse. * **References**: * [HackerOne Report 280534](https://hackerone.com/reports/280534) ## **Find out How Password Reset Token is Generated** * Understanding the pattern or method behind token generation can lead to predicting or brute-forcing tokens. Some options: * Based Timestamp * Based on the UserID * Based on email of User * Based on Firstname and Lastname * Based on Date of Birth * Based on Cryptography * **Mitigation Steps**: * Use strong, cryptographic methods for token generation. * Ensure sufficient randomness and length to prevent predictability. * **Tools**: Use Burp Sequencer to analyze the randomness of tokens. ## **Guessable UUID** * If UUIDs (version 1) are guessable or predictable, attackers may brute-force them to generate valid reset tokens. Check: {% content-ref url="uuid-insecurities.md" %} [uuid-insecurities.md](uuid-insecurities.md) {% endcontent-ref %} * **Mitigation Steps**: * Use GUID version 4 for randomness or implement additional security measures for other versions. * **Tools**: Use [guidtool](https://github.com/intruder-io/guidtool) for analyzing and generating GUIDs. ## **Response Manipulation: Replace Bad Response With Good One** * Manipulating HTTP responses to bypass error messages or restrictions. * **Mitigation Steps**: * Implement server-side checks to ensure response integrity. * Use secure communication channels like HTTPS to prevent man-in-the-middle attacks. * **Reference**: * [Critical Bug in Live Bug Bounty Event](https://medium.com/@innocenthacker/how-i-found-the-most-critical-bug-in-live-bug-bounty-event-7a88b3aa97b3) ## **Using Expired Token** * Testing whether expired tokens can still be used for password reset. * **Mitigation Steps**: * Implement strict token expiration policies and validate token expiry server-side. ## **Brute Force Password Reset Token** * Attempting to brute-force the reset token using tools like Burpsuite and IP-Rotator to bypass IP-based rate limits. * **Mitigation Steps**: * Implement robust rate-limiting and account lockout mechanisms. * Monitor for suspicious activities indicative of brute-force attacks. ## **Try Using Your Token** * Testing if an attacker's reset token can be used in conjunction with the victim's email. * **Mitigation Steps**: * Ensure that tokens are bound to the user session or other user-specific attributes. ## **Session Invalidation in Logout/Password Reset** * Ensuring that sessions are invalidated when a user logs out or resets their password. * **Mitigation Steps**: * Implement proper session management, ensuring that all sessions are invalidated upon logout or password reset. ## **Session Invalidation in Logout/Password Reset** * Reset tokens should have an expiration time after which they become invalid. * **Mitigation Steps**: * Set a reasonable expiration time for reset tokens and strictly enforce it server-side. ## References * [https://anugrahsr.github.io/posts/10-Password-reset-flaws/#10-try-using-your-token](https://anugrahsr.github.io/posts/10-Password-reset-flaws/#10-try-using-your-token)
Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters! **Hacking Insights**\ Engage with content that delves into the thrill and challenges of hacking **Real-Time Hack News**\ Keep up-to-date with fast-paced hacking world through real-time news and insights **Latest Announcements**\ Stay informed with the newest bug bounties launching and crucial platform updates **Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today! {% hint style="success" %} Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}