Reset/Forgotten Password Bypass

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Join HackenProof Discord server to communicate with experienced hackers and bug bounty hunters!

Hacking Insights Engage with content that delves into the thrill and challenges of hacking

Real-Time Hack News Keep up-to-date with fast-paced hacking world through real-time news and insights

Latest Announcements Stay informed with the newest bug bounties launching and crucial platform updates

Join us on Discord and start collaborating with top hackers today!

Password Reset Token Leak Via Referrer

The HTTP referer header may leak the password reset token if it's included in the URL. This can occur when a user clicks on a third-party website link after requesting a password reset.
Impact: Potential account takeover via Cross-Site Request Forgery (CSRF) attacks.
Exploitation: To check if a password reset token is leaking in the referer header, request a password reset to your email address and click the reset link provided. Do not change your password immediately. Instead, navigate to a third-party website (like Facebook or Twitter) while intercepting the requests using Burp Suite. Inspect the requests to see if the referer header contains the password reset token, as this could expose sensitive information to third parties.
References:
HackerOne Report 342693
HackerOne Report 272379
Password Reset Token Leak Article

Password Reset Poisoning

Attackers may manipulate the Host header during password reset requests to point the reset link to a malicious site.
Impact: Leads to potential account takeover by leaking reset tokens to attackers.
Mitigation Steps:
Validate the Host header against a whitelist of allowed domains.
Use secure, server-side methods to generate absolute URLs.
Patch: Use $_SERVER['SERVER_NAME'] to construct password reset URLs instead of $_SERVER['HTTP_HOST'].
References:
Acunetix Article on Password Reset Poisoning

Password Reset By Manipulating Email Parameter

Attackers can manipulate the password reset request by adding additional email parameters to divert the reset link.

Add attacker email as second parameter using &

POST /resetPassword
[...]
email=victim@email.com&email=attacker@email.com

Ongeza barua pepe ya mshambuliaji kama parameter ya pili ukitumia %20

POST /resetPassword
[...]
email=victim@email.com%20email=attacker@email.com

Ongeza barua pepe ya mshambuliaji kama parameter ya pili kwa kutumia |

POST /resetPassword
[...]
email=victim@email.com|email=attacker@email.com

Ongeza barua pepe ya mshambuliaji kama parameter ya pili kwa kutumia cc

POST /resetPassword
[...]
email="victim@mail.tld%0a%0dcc:attacker@mail.tld"

Ongeza barua pepe ya mshambuliaji kama parameter ya pili kwa kutumia bcc

POST /resetPassword
[...]
email="victim@mail.tld%0a%0dbcc:attacker@mail.tld"

Ongeza barua pepe ya mshambuliaji kama parameter ya pili kwa kutumia ,

POST /resetPassword
[...]
email="victim@mail.tld",email="attacker@mail.tld"

Ongeza barua pepe ya mshambuliaji kama parameter ya pili katika array ya json

POST /resetPassword
[...]
{"email":["victim@mail.tld","atracker@mail.tld"]}

Hatua za Kupunguza:
Pitia na uthibitishe vigezo vya barua pepe upande wa seva.
Tumia taarifa zilizopangwa au maswali yenye vigezo ili kuzuia mashambulizi ya kuingiza.
Marejeo:
https://medium.com/@0xankush/readme-com-account-takeover-bugbounty-fulldisclosure-a36ddbe915be
https://ninadmathpati.com/2019/08/17/how-i-was-able-to-earn-1000-with-just-10-minutes-of-bug-bounty/
https://twitter.com/HusseiN98D/status/1254888748216655872

Kubadilisha Barua Pepe na Nywila ya Mtumiaji yeyote kupitia Vigezo vya API

Washambuliaji wanaweza kubadilisha vigezo vya barua pepe na nywila katika maombi ya API ili kubadilisha akauti.

POST /api/changepass
[...]
("form": {"email":"victim@email.tld","password":"12345678"})

Hatua za Kupunguza:
Hakikisha uthibitisho mkali wa vigezo na ukaguzi wa uthibitisho.
Tekeleza ufuatiliaji na kumbukumbu thabiti ili kugundua na kujibu shughuli za kushuku.
Marejeo:
Uchukuaji Kamili wa Akaunti kupitia Urekebishaji wa Vigezo vya API

Hakuna Kizuizi cha Kiwango: Ujumbe wa Barua Pepe

Ukosefu wa kizuizi cha kiwango kwenye maombi ya kurekebisha nenosiri kunaweza kusababisha ujumbe wa barua pepe, ukimzidisha mtumiaji kwa barua pepe za kurekebisha.
Hatua za Kupunguza:
Tekeleza kizuizi cha kiwango kulingana na anwani ya IP au akaunti ya mtumiaji.
Tumia changamoto za CAPTCHA kuzuia matumizi ya kiotomatiki.
Marejeo:
Ripoti ya HackerOne 280534

Jifunze Jinsi Token ya Kurekebisha Nenosiri Inavyotengenezwa

Kuelewa muundo au njia nyuma ya uzalishaji wa token kunaweza kusababisha kutabiri au kujaribu nguvu token. Chaguzi kadhaa:
Kulingana na Wakati
Kulingana na UserID
Kulingana na barua pepe ya Mtumiaji
Kulingana na Jina la Kwanza na Jina la Mwisho
Kulingana na Tarehe ya Kuzaliwa
Kulingana na Cryptography
Hatua za Kupunguza:
Tumia mbinu thabiti za kisasa za cryptographic kwa ajili ya uzalishaji wa token.
Hakikisha kutokuwa na utabiri na urefu wa kutosha ili kuzuia utabiri.
Zana: Tumia Burp Sequencer kuchambua kutokuwa na utabiri kwa token.

UUID Inayoweza Kukisiwa

Ikiwa UUIDs (toleo la 1) zinaweza kukisiwa au kutabiriwa, washambuliaji wanaweza kujaribu nguvu ili kuzalisha token za kurekebisha halali. Angalia:

UUID Insecurities

Hatua za Kupunguza:
Tumia toleo la GUID 4 kwa ajili ya kutokuwa na utabiri au tekeleza hatua za ziada za usalama kwa matoleo mengine.
Zana: Tumia guidtool kwa ajili ya kuchambua na kuzalisha GUIDs.

Urekebishaji wa Majibu: Badilisha Jibu Mbaya na Jibu Nzuri

Kubadilisha majibu ya HTTP ili kupita ujumbe wa makosa au vizuizi.
Hatua za Kupunguza:
Tekeleza ukaguzi wa upande wa seva ili kuhakikisha uadilifu wa majibu.
Tumia njia salama za mawasiliano kama HTTPS ili kuzuia mashambulizi ya mtu katikati.
Marejeo:
Kosa Muhimu katika Tukio la Bug Bounty la Moja kwa Moja

Kutumia Token Iliyokwisha Muda

Kuangalia ikiwa token zilizokwisha muda zinaweza kutumika bado kwa ajili ya kurekebisha nenosiri.
Hatua za Kupunguza:
Tekeleza sera kali za kumalizika kwa token na kuthibitisha kumalizika kwa token upande wa seva.

Token ya Kurekebisha Nenosiri kwa Njia ya Nguvu

Kujaribu kujaribu nguvu token ya kurekebisha kwa kutumia zana kama Burpsuite na IP-Rotator ili kupita vizuizi vya kiwango kulingana na IP.
Hatua za Kupunguza:
Tekeleza kizuizi thabiti cha kiwango na mifumo ya kufunga akaunti.
Fuata shughuli za kushuku zinazoweza kuashiria mashambulizi ya nguvu.

Jaribu Kutumia Token Yako

Kuangalia ikiwa token ya kurekebisha ya mshambuliaji inaweza kutumika pamoja na barua pepe ya mwathirika.
Hatua za Kupunguza:
Hakikisha kwamba token zimefungwa kwa kikao cha mtumiaji au sifa nyingine maalum za mtumiaji.

Ubatilishaji wa Kikao katika Kutoka/Kurekebisha Nenosiri

Hakikisha kwamba vikao vinabatilishwa wakati mtumiaji anapotoka au kurekebisha nenosiri yao.
Hatua za Kupunguza:
Tekeleza usimamizi mzuri wa vikao, kuhakikisha kwamba vikao vyote vinabatilishwa wakati wa kutoka au kurekebisha nenosiri.

Ubatilishaji wa Kikao katika Kutoka/Kurekebisha Nenosiri

Token za kurekebisha zinapaswa kuwa na muda wa kumalizika baada ya hapo zinakuwa batili.
Hatua za Kupunguza:
Weka muda wa kumalizika unaofaa kwa token za kurekebisha na utekekeleze kwa ukali upande wa seva.

Marejeo

https://anugrahsr.github.io/posts/10-Password-reset-flaws/#10-try-using-your-token

Jiunge na HackenProof Discord server ili kuwasiliana na hackers wenye uzoefu na wawindaji wa bug bounty!

Maoni ya Udukuzi Shiriki na maudhui yanayochunguza msisimko na changamoto za udukuzi

Habari za Udukuzi kwa Wakati Halisi Baki na habari za kisasa katika ulimwengu wa udukuzi kupitia habari na maoni ya wakati halisi

Matangazo ya Hivi Punde Baki na habari kuhusu bug bounties mpya zinazozinduliwa na masasisho muhimu ya jukwaa

Jiunge nasi kwenye Discord na uanze kushirikiana na hackers bora leo!

Jifunze na fanya mazoezi ya Udukuzi wa AWS:HackTricks Training AWS Red Team Expert (ARTE) Jifunze na fanya mazoezi ya Udukuzi wa GCP: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au fuata sisi kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

PreviousRegular expression Denial of Service - ReDoS NextSAML Attacks

Last updated 7 days ago