
Account Takeover via Exploiting Misconfigured Password Reset Feature

Tuhin Bose
November 06, 2021


Implementing a password reset function is a very challenging part for every developer. There is no well-defined standard for how to implement a secure password reset functionality in an application. That's why every application implements it differently, e.g. sending unique URLs, generating a temporary password, security questions, OTP, etc.

Every developer has a different approach to implementing such a feature. That's why every time the hacker has to think of a new way to hack. In this talk, I'll briefly describe some methodologies for achieving Account Takeover via exploiting misconfigured password reset functionality.


Transcript

  1. AGENDA: What is Password Reset Feature? / Password Reset Implementation Techniques Used by Developers / ATO via Hacking Misconfigured Password Reset Feature / Conclusion & QNA
  2. Reset password is the action of invalidating the current password for an account on an application and then setting a new one. Most services have a password reset feature ("Forgot Password" service) which allows you to reset your password.
  3. 1. Host Header Injection - Password Reset Poisoning: Host: evil.com or X-Forwarded-Host: evil.com
  4. 2. Modifying Request-URI:
     POST https://attacker.com/forgot-password HTTP/1.1
     POST @attacker.com/forgot-password HTTP/1.1
     POST :@attacker.com/forgot-password HTTP/1.1
     POST /[email protected] HTTP/1.1
  5. 5. Insecure Direct Object Reference (IDOR): Use Param Miner to get extra parameters (or append previously known parameters) in the request. Now try IDOR.
  6. 6. Try homograph on password reset:
     [email protected]
     email=victim@gmаil.com (using Unicode: Cyrillic Small Letter A)
     [email protected]
  7. 6. Try homograph on password reset (tool): https://github.com/UndeadSec/EvilURL
  8. 6. Try homograph on password reset. Steps to reproduce: 1. Create a new account with [email protected]. 2. Go to the password reset page and enter this email: tuhin1729@gmаil.com.xyz.burpcollaborator.net [here the "a" is different]. If it's vulnerable then you'll get the password reset link on your collaborator server.
  9. 7. If they are sending an OTP for password reset, try 2FA bypass techniques: https://tinyurl.com/tuhin1729-2fa
  10. 9. Weak Encryption: While generating password reset tokens, sometimes developers use weak encryption algorithms. For example, sometimes they just encrypt the user-id/username of the user + timestamp using some weak encryption algorithm.
  11. 11. Change the request method and content-type and observe how the application is responding. [Slide screenshots: Original / Modified request]
  12. 12. Append null bytes after your email and observe the response: {"email":"[email protected]"} vs. {"email":"[email protected]%00"}. Characters to try: %00, %0d%0a, %0d, %0a, %09, %0C, %20