handbook/tools/3.Web-Hacking/3.Business-Logic/Authentification-Vulnerability/Notes/4.Resetting-Passwords.md
2024-08-31 01:07:22 +02:00

Resetting User Passwords

- Some apps send the password by email
  - Sending the user's password in clear text should not be possible if the password is stored securely
  - Sending passwords over insecure channels can be exploited via a man-in-the-middle attack
  - Many users sync their email across multiple devices, which increases the attack surface

- Resetting Passwords via URL
  - Less secure implementations use a URL with an easily guessable parameter: http://vulnerable-website.com/reset-password?user=victim-user
  - Better practice is to generate a high-entropy, hard-to-guess token and build the URL from that: http://vulnerable-website.com/reset-password?token=a0ba0d1cb3b63d13822572fcff1a241895d893f659164d4cc550b421ebdd48a8
  - Some websites still fail to validate the token so an attacker can visit the
  - Some websites also generate tokens based on time or sequentially... This means you can try to guess the token value. (Ex: reset your own password and the very next second reset the victim's password. If your reset link is e.g. .com/reset/54349878/, the victim's reset link could be .com/reset/54349879)

  • exploitation example
    • Exploit Steps
    1. With Burp running, click the Forgot your password? link and enter your own username.

    2. Click the Email client button to view the password reset email that was sent. Click the link in the email and reset your password to whatever you want.

    3. In Burp, go to Proxy > HTTP history and study the requests and responses for the password reset functionality. Observe that the reset token is provided as a URL query parameter in the reset email. Notice that when you submit your new password, the POST /forgot-password?temp-forgot-password-token request contains the username as hidden input. Send this request to Burp Repeater.

    4. In Burp Repeater, observe that the password reset functionality still works even if you delete the value of the temp-forgot-password-token parameter in both the URL and request body. This confirms that the token is not being checked when you submit the new password.

    5. In the browser, request a new password reset and change your password again. Send the POST /forgot-password?temp-forgot-password-token request to Burp Repeater again.

    6. In Burp Repeater, delete the value of the temp-forgot-password-token parameter in both the URL and request body. Change the username parameter to carlos. Set the new password to whatever you want and send the request.

    7. In the browser, log in to Carlos's account using the new password you just set. Click My account to solve the lab.
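The server side of the flow described above, as an added example that is not the lab's or the notes' own code: the vulnerable handler ignores the token and trusts the hidden username field (the lab's bug), while the fixed handler derives the account from a random, hashed, expiring, single-use token. The stores USERS and RESET_TOKENS and the function names are assumptions.

```python
import hashlib
import secrets
import time

# Constructed in-memory stores standing in for a database (assumed names, sample values).
USERS = {"wiener": "peter", "carlos": "montoya"}
RESET_TOKENS = {}  # sha256(token) -> (username, expiry timestamp)

TOKEN_TTL = 15 * 60  # seconds a reset link stays valid


def _fingerprint(token: str) -> str:
    # Only a hash of the token is stored, so a leaked table cannot be replayed as reset links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(username: str, now=None) -> str:
    """Create a high-entropy, expiring, single-use token bound to one account."""
    if username not in USERS:
        return ""  # respond identically either way so usernames cannot be enumerated
    # 256 bits from the OS CSPRNG: neither time-based nor sequential, so not guessable
    token = secrets.token_urlsafe(32)
    issued_at = time.time() if now is None else now
    RESET_TOKENS[_fingerprint(token)] = (username, issued_at + TOKEN_TTL)
    return token


def reset_password_vulnerable(username: str, token: str, new_password: str) -> bool:
    """Mirrors the lab's bug: the token is never checked and the hidden username is trusted."""
    if username in USERS:
        USERS[username] = new_password
        return True
    return False


def reset_password_fixed(token: str, new_password: str, now=None) -> bool:
    """The account comes from the token record, never from the request; one use, before expiry."""
    record = RESET_TOKENS.pop(_fingerprint(token), None)  # pop makes the token single-use
    if record is None:
        return False  # unknown, empty or already-used token
    bound_user, expiry = record
    if (time.time() if now is None else now) > expiry:
        return False  # expired link
    USERS[bound_user] = new_password
    return True
```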