By Hackt3r

Reset the Password for Vulnerability

Hello everyone, hope you all are doing good.


Today I will be sharing some tips on the different kinds of vulnerabilities you can find in password reset functionality. We all know that a password is sensitive information that should not be known to anyone except its owner. If the reset flow can be attacked, that is a serious vulnerability, so let us learn how to find such loopholes.



1> Password reset token leakage via referrer

In one of my previous posts I gave a detailed write-up on how to find this vulnerability, so here is just an overview.

  1. Request for a password reset link to your account.

  2. Open the Password reset page from the inbox.

  3. Click on any social media link you see in that email.

  4. Intercept the request using Burp Suite.

  5. If the password reset token appears in the Referer header of that request, the token is being leaked to the third-party site and you have found it.

2> Password reset token leakage via Host Header Poisoning

Instead of the token leaking through the referrer, in this attack the reset link is built from attacker-controlled headers, so the victim is directed to the attacker's evil web application when they click it.

  1. Open your browser and start Burp Suite.

  2. Visit the forgot password page.

  3. Enter the victim’s email address and click on Reset Password.

  4. Intercept the HTTP request in Burp Suite and change the Host header to your own site/server.

Some examples of this would be:

 — Host: example.com changed to Host: evil.com

 — Host: example.com kept, with X-Forwarded-Host: evil.com added

 — Host: example.com kept, with a second Host: evil.com header added


3> No Rate Limiting on Password Reset functionality

If there is no rate limiting, the reset endpoint can be used to flood the victim's inbox with reset emails, which is abuse of the organization's mail system and damages its reputation.

  1. Find the reset password page on the web application.

  2. Switch on Burp Suite, enter the victim email in the required field and capture the request.

  3. Send the request to Intruder; in the Positions tab clear all positions, and in the Payloads tab select Null payloads as the payload type and generate more than 100 payloads.

  4. If you get a 200 response for every request you send, there is no rate limiting and there you go, you got yourself a nice easy bug!!!

4> Password reset link not Expiring

Once a reset link has been used, it should not be usable again. Reset links are part of a user's sensitive information, and allowing a single link to change the password multiple times is dangerous. Some of the ways this can be exploited:

  1. The password reset link doesn't expire after one use.

  2. The password reset link has no expiry time.

  3. Requesting a new link does not invalidate the previously issued one, so the old link still works.
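As an added defensive example (not code from the original post): a minimal reset-token store in Python that closes the gaps described in sections 2 and 4. The link is built from a fixed base URL rather than the request's Host header, tokens are random and stored hashed, they expire after a fixed lifetime, they are single-use, and requesting a new link invalidates the old one. The class name, the 15-minute lifetime and the base URL are assumptions.

```python
import hashlib
import secrets
import time

# Assumed values: the base URL is a server-side constant, never taken from
# the Host or X-Forwarded-Host header of the incoming request.
BASE_URL = "https://example.com"
TOKEN_TTL_SECONDS = 15 * 60  # assumed 15-minute lifetime


class ResetTokenStore:
    """In-memory store: one live reset token per email address."""

    def __init__(self):
        # email -> (sha256 hex of token, expiry timestamp)
        self._pending = {}

    def issue(self, email, now=None):
        """Create a fresh token and return the reset link to email to the user."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits: not guessable or sequential
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Overwriting the entry invalidates any link issued earlier for this email.
        self._pending[email] = (digest, now + TOKEN_TTL_SECONDS)
        # Only the hash is stored; the raw token exists solely in the link.
        return f"{BASE_URL}/reset?token={token}"

    def redeem(self, email, token, now=None):
        """Return True exactly once for a valid, unexpired token; False otherwise."""
        now = time.time() if now is None else now
        entry = self._pending.get(email)
        if entry is None:
            return False
        digest, expires_at = entry
        if now > expires_at:
            del self._pending[email]  # expired links are dropped, not reused
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not secrets.compare_digest(digest, presented):
            return False  # wrong token; the live one stays valid until expiry
        del self._pending[email]  # single use: a second redeem fails
        return True
```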

5> Behaviour of OTPs

Some web applications send you an OTP to check that you are the real user. This is called 2-factor authentication. It is used as an additional layer of security, but it can also be bypassed.


 — Check how the OTP is generated. If you receive sequential numbers for every OTP you request, the value for the next reset can be predicted.

 — The same can be tested for the token sent in the URL.


6> Changing the Response

We all know that web applications return different responses. So there is a slight possibility that if we can alter the response, we can bypass the restriction.


 — For example, if a 4xx response code is replaced with 200, there is a chance the client proceeds to the desired page.

 — Similarly, replacing "unsuccessful" with "successful", or "unauthorized" with "OK", in the response body.


7> Brute-forcing the token

Brute-forcing is trial-and-error guessing of login credentials, but the same method can be used to guess reset tokens or other values, especially when they are short or have low entropy.


8> Try manipulating the Email parameter

After you have captured the request in Burp Suite, try changing the email parameter in the following ways:


 — email=victim@email.com&email=attacker@gmail.com

 — email=victim@email.com%20email=attacker@gmail.com

 — email=victim@email.com | email=attacker@gmail.com

 — email="victim@gmail.tld!0a!0dcc:attacker@gmail.tld"

 — email="victim@gmail.tld!0a!0dbcc:attacker@gmail.tld"

 — email="victim@gmail.tld",email="attacker@gmail.tld"


So these are some of the ways you can check for vulnerabilities in password reset functionality. Hope you enjoyed my article.



Catch you all in the next post with another vulnerability. Check out my Instagram for more tips and tricks on finding bugs.


Till then take care and Happy Hacking!!!👋👋
