31 lines
2.5 KiB
Markdown
31 lines
2.5 KiB
Markdown
|
|
||
|
## Resetting User Passwords
|
||
|
|
||
|
Some apps send password by email
|
||
|
- Sending clear text of the user's password should not be possible if password is stored securely
|
||
|
- Sending passwords over insecure channels can be exploited via a man in the middle attack
|
||
|
- Many users sync their emails across multiple devices increasing the attack surface
|
||
|
|
||
|
Resetting Passwords via URL
|
||
|
- Less secure ways use a URL with an easily guessable parameter: http://vulnerable-website.com/reset-password?user=victim-user
|
||
|
- Better practice is to generate a high-entropy, hard to guess token and create the URL based on that http://vulnerable-website.com/reset-passwordtoken=a0ba0d1cb3b63d13822572fcff1a241895d893f659164d4cc550b421ebdd48a8
|
||
|
§ Some websites still fail to validate the token so an attacker can visit the
|
||
|
§ Some website also generate token via time base or via order... This mean you can try to guest the token value. (Ex: reset your own password and the very next second reset the victim password. If your reset link is ex: .com/reset/54349878/, the reset link of your victim could be .com/reset/54349879)
|
||
|
|
||
|
- exploitation example
|
||
|
- Exploit Steps
|
||
|
1. With Burp running, click the Forgot your password? link and enter your own username.
|
||
|
|
||
|
2. Click the Email client button to view the password reset email that was sent. Click the link in the email and resetyour password to whatever you want.
|
||
|
|
||
|
3. In Burp, go to Proxy > HTTP history and study the requests and responses for the password reset functionality. Observe that the reset token is provided as a URL query parameter in the reset email. Notice that when you submit your new password, the POST /forgot-password?temp-forgot-password-token request contains the username as hidden input. Send this request to Burp Repeater.
|
||
|
|
||
|
4. In Burp Repeater, observe that the password reset functionality still works even if you delete the value of the temp-forgot-password-token parameter in both the URL and request body. This confirms that the token is not being checked when you submit the new password.
|
||
|
|
||
|
5. In the browser, request a new password reset and change your password again. Send the POST /forgot-password?temp-forgot-password-token request to Burp Repeater again.
|
||
|
|
||
|
6. In Burp Repeater, delete the value of the temp-forgot-password-token parameter in both the URL and request body. Change the username parameter to carlos. Set the new password to whatever you want and send the request.
|
||
|
|
||
|
7. In the browser, log in to Carlos's account using the new password you just set. Click My account to solve the lab.
|
||
|
|