
Reset/Forgotten Password Bypass

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}

Join HackenProof Discord server to communicate with experienced hackers and bug bounty hunters!

Hacking Insights
Engage with content that delves into the thrill and challenges of hacking

Real-Time Hack News
Keep up-to-date with fast-paced hacking world through real-time news and insights

Latest Announcements
Stay informed with the newest bug bounties launching and crucial platform updates

Join us on Discord and start collaborating with top hackers today!

Password Reset Token Leak Via Referrer

  • The HTTP referer header may leak the password reset token if it's included in the URL. This can occur when a user clicks on a third-party website link after requesting a password reset.
  • Impact: Potential account takeover via Cross-Site Request Forgery (CSRF) attacks.
  • Exploitation: To check if a password reset token is leaking in the referer header, request a password reset to your email address and click the reset link provided. Do not change your password immediately. Instead, navigate to a third-party website (like Facebook or Twitter) while intercepting the requests using Burp Suite. Inspect the requests to see if the referer header contains the password reset token, as this could expose sensitive information to third parties.
  • References:
  • HackerOne Report 342693
  • HackerOne Report 272379
  • Password Reset Token Leak Article

Password Reset Poisoning

  • Attackers may manipulate the Host header during password reset requests to point the reset link to a malicious site.
  • Impact: Leads to potential account takeover by leaking reset tokens to attackers.
  • Mitigation Steps:
  • Validate the Host header against a whitelist of allowed domains.
  • Use secure, server-side methods to generate absolute URLs.
  • Patch: Use $_SERVER['SERVER_NAME'] to construct password reset URLs instead of $_SERVER['HTTP_HOST'].
  • References:
  • Acunetix Article on Password Reset Poisoning
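Added example (not from the original page, and not code from any project it names): a small Python handler that checks the Host header against an allow-list and builds the reset link from a server-side canonical origin, shown beside the poisoned pattern it replaces. CANONICAL_ORIGIN and ALLOWED_HOSTS are assumed configuration values.

```python
from urllib.parse import urlencode

# Constructed configuration for this example; a real app loads it from settings.
CANONICAL_ORIGIN = "https://app.example.com"
ALLOWED_HOSTS = {"app.example.com", "www.example.com"}


def host_is_allowed(host_header: str) -> bool:
    """Compare the Host header (lower-cased, port stripped) against the allow-list."""
    host = host_header.strip().lower()
    if host.startswith("["):                 # IPv6 literal such as [::1]:443
        host = host.split("]")[0] + "]"
    else:
        host = host.split(":")[0]
    return host in ALLOWED_HOSTS


def build_reset_url(host_header: str, token: str) -> str:
    """Reset link built from the server-side origin; an untrusted Host is refused.

    The Host header is only ever checked, never copied into the link, so even
    an allow-listed host cannot redirect the token elsewhere.
    """
    if not host_is_allowed(host_header):
        raise ValueError("untrusted Host header: %r" % host_header)
    return "%s/reset?%s" % (CANONICAL_ORIGIN, urlencode({"token": token}))


def vulnerable_reset_url(host_header: str, token: str) -> str:
    """The poisoned pattern: whatever Host the client sends becomes the link's host."""
    return "https://%s/reset?token=%s" % (host_header, token)
```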

Password Reset By Manipulating Email Parameter

Attackers can manipulate the password reset request by adding additional email parameters to divert the reset link.

  • Add attacker email as second parameter using &
POST /resetPassword
[...]
email=victim@email.com&email=attacker@email.com
  • Add attacker email as second parameter using %20
POST /resetPassword
[...]
email=victim@email.com%20email=attacker@email.com
  • Add attacker email as second parameter using |
POST /resetPassword
[...]
email=victim@email.com|email=attacker@email.com
  • Add attacker email as second parameter using cc
POST /resetPassword
[...]
email="victim@mail.tld%0a%0dcc:attacker@mail.tld"
  • Add attacker email as second parameter using bcc
POST /resetPassword
[...]
email="victim@mail.tld%0a%0dbcc:attacker@mail.tld"
  • Add attacker email as second parameter using ,
POST /resetPassword
[...]
email="victim@mail.tld",email="attacker@mail.tld"
  • Add attacker email as second parameter in a JSON array
POST /resetPassword
[...]
{"email":["victim@mail.tld","attacker@mail.tld"]}
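Added example (not from the original page): a Python parser for the email field of a reset request that accepts exactly one well-formed address and rejects every multi-recipient variant listed above (duplicate keys, %20, |, comma, CRLF header injection, JSON arrays). The regex and the RejectedRequest and accepted_email names are assumptions for this example.

```python
import json
import re
from urllib.parse import parse_qs

# Deliberately strict shape: one local part, one "@", a dotted domain, and no
# whitespace, control characters, quotes or separators. Constructed for this
# example; it is a policy check, not a full RFC 5322 parser.
_EMAIL_RE = re.compile(r"[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


class RejectedRequest(ValueError):
    """Raised when the request does not name exactly one well-formed address."""


def _single_email(value) -> str:
    if not isinstance(value, str):            # JSON array, object or number
        raise RejectedRequest("email must be a single string")
    if not _EMAIL_RE.fullmatch(value):        # space, |, ',', quotes, CR/LF all fail
        raise RejectedRequest("malformed email: %r" % value)
    return value.lower()


def parse_reset_email(content_type: str, body: str) -> str:
    """Return the one address a reset mail may go to, or raise RejectedRequest."""
    if content_type.startswith("application/json"):
        try:
            data = json.loads(body)
        except ValueError:
            raise RejectedRequest("invalid JSON")
        if not isinstance(data, dict) or set(data) != {"email"}:
            raise RejectedRequest("unexpected JSON shape")
        return _single_email(data["email"])
    if content_type.startswith("application/x-www-form-urlencoded"):
        params = parse_qs(body, keep_blank_values=True)   # %20 -> " ", %0a -> "\n"
        if set(params) != {"email"} or len(params["email"]) != 1:
            raise RejectedRequest("email must appear exactly once")
        return _single_email(params["email"][0])
    raise RejectedRequest("unsupported content type")


def accepted_email(content_type: str, body: str):
    """Wrapper for callers that prefer None over an exception."""
    try:
        return parse_reset_email(content_type, body)
    except RejectedRequest:
        return None
```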

Changing Email and Password of Any User Through API Parameters

  • Attackers can modify the email and password parameters in API requests to change accounts.
POST /api/changepass
[...]
{"form": {"email":"victim@email.tld","password":"12345678"}}

No Rate Limiting: Email Bombing

  • A lack of rate limiting on password reset requests can lead to email bombing, flooding the user with reset emails.
  • Mitigation Steps:
  • Implement rate limiting based on IP address or user account.
  • Use CAPTCHA challenges to prevent automated abuse.
  • References:
  • HackerOne Report 280534

Find Out How the Password Reset Token Is Generated

  • Understanding the pattern or method behind token generation can lead to predicting or brute-forcing tokens. Some options:
  • Based on the timestamp
  • Based on the UserID
  • Based on the user's email
  • Based on first name and last name
  • Based on date of birth
  • Based on cryptography
  • Mitigation Steps:
  • Use strong, modern cryptographic methods for token generation.
  • Ensure sufficient randomness and length to prevent predictability.
  • Tools: Use Burp Sequencer to analyze the randomness of tokens.

Guessable UUID

  • If UUIDs (version 1) are guessable or predictable, attackers may brute-force them to generate valid reset tokens. Check:

{% content-ref url="uuid-insecurities.md" %} uuid-insecurities.md {% endcontent-ref %}

  • Mitigation Steps:
  • Use GUID version 4 for randomness, or implement additional security measures for other versions.
  • Tools: Use guidtool for analyzing and generating GUIDs.

Response Manipulation: Replace Bad Response With Good One

  • Manipulating the HTTP response to bypass error messages or restrictions.
  • Mitigation Steps:
  • Implement server-side checks to ensure response integrity.
  • Use secure communication channels like HTTPS to prevent man-in-the-middle attacks.
  • References:
  • A Critical Bug in a Live Bug Bounty Event

Using Expired Token

  • Testing whether expired tokens can still be used for a password reset.
  • Mitigation Steps:
  • Implement strict token expiration policies and validate token expiry server-side.

Brute Force Password Reset Token

  • Attempting to brute-force the reset token using tools like Burpsuite and IP-Rotator to bypass IP-based rate limits.
  • Mitigation Steps:
  • Implement robust rate limiting and account lockout mechanisms.
  • Monitor for suspicious activity indicative of brute-force attacks.
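Added example (not from the original page) for the mitigations of this section and of the email-bombing section above: a sliding-window limiter for the reset endpoint that keys on the target account as well as the client IP, so rotating source addresses does not lift the per-account cap. The LIMITS thresholds and the in-memory store are assumptions.

```python
from collections import defaultdict, deque

# (max requests, window in seconds) per scope; constructed thresholds.
LIMITS = {"ip": (10, 600), "account": (3, 3600)}
_hits = defaultdict(deque)          # (scope, key) -> timestamps of counted requests


def _window(scope: str, key: str, now: float) -> deque:
    """Return the request timestamps for this scope/key still inside the window."""
    _, window = LIMITS[scope]
    q = _hits[(scope, key)]
    while q and q[0] <= now - window:
        q.popleft()
    return q


def reset_request_allowed(client_ip: str, account: str, now: float) -> bool:
    """Allow a reset request only if both the IP and the target account have headroom.

    Nothing is recorded when the request is denied, so a capped account does
    not also burn the IP's quota and vice versa. Pair this with the CAPTCHA
    mentioned above for traffic that keeps hitting the cap.
    """
    scoped = [("ip", client_ip), ("account", account.strip().lower())]
    windows = [(_window(s, k, now), LIMITS[s][0]) for s, k in scoped]
    if any(len(q) >= cap for q, cap in windows):
        return False
    for q, _ in windows:
        q.append(now)
    return True
```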

Try Using Your Token

  • Testing whether an attacker's reset token can be used together with the victim's email.
  • Mitigation Steps:
  • Ensure tokens are bound to the user session or to other user-specific attributes.

Session Invalidation in Logout/Password Reset

  • Ensure sessions are invalidated when a user logs out or resets their password.
  • Mitigation Steps:
  • Implement proper session management, ensuring all sessions are invalidated upon logout or password reset.

Reset Token Expiration Time

  • Reset tokens should have an expiration time after which they become invalid.
  • Mitigation Steps:
  • Set a reasonable expiration time for reset tokens and enforce it strictly server-side.

References
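Added example (not from the original page) that implements the mitigations from the token-generation, expired-token, token-binding, session-invalidation and expiration-time sections above: tokens from the OS CSPRNG, hash-only storage, binding to one user, single use, server-side expiry, and revocation of all sessions on a successful reset. TOKEN_TTL and the in-memory dicts are assumptions standing in for real storage.

```python
import hashlib
import secrets

TOKEN_TTL = 15 * 60          # seconds a reset link stays valid (constructed value)
_reset_records = {}          # sha256(token) -> {"user": user_id, "expires": deadline}
_sessions = {}               # session id -> user id (in-memory stand-in for a session store)

def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

def issue_reset_token(user_id: str, now: float) -> str:
    """256-bit token from the OS CSPRNG; only its hash is stored server-side."""
    token = secrets.token_urlsafe(32)
    _reset_records[_digest(token)] = {"user": user_id, "expires": now + TOKEN_TTL}
    return token

def consume_reset_token(token: str, claimed_user: str, now: float) -> bool:
    """True exactly once, and only for the user the token was issued to."""
    key = _digest(token)
    record = _reset_records.get(key)
    if record is None:
        return False                         # unknown, forged, or already used
    if now >= record["expires"]:
        del _reset_records[key]              # expired: refuse and forget it
        return False
    if record["user"] != claimed_user:
        return False                         # attacker's token paired with victim's account
    del _reset_records[key]                  # single use
    return True

def open_session(user_id: str) -> str:
    sid = secrets.token_urlsafe(16)
    _sessions[sid] = user_id
    return sid

def session_user(sid: str):
    return _sessions.get(sid)

def reset_password(token: str, user_id: str, new_hash: str, now: float, users: dict) -> bool:
    """Apply the new password hash and revoke every session of that user."""
    if not consume_reset_token(token, user_id, now):
        return False
    users[user_id] = new_hash
    for sid in [s for s, u in _sessions.items() if u == user_id]:
        del _sessions[sid]
    return True
```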
