
Password_Reset_Flaws

1. Password Reset Token Leak Via Referrer

  • The HTTP Referer is an optional request header that identifies the address of the web page from which the currently requested resource was linked. When a user follows a link, the browser sends the address of the previous page in the Referer header, so if that address contains a password reset token, the token is sent to the linked site.

Exploitation:

    1. Request a password reset to your own email address.
    2. Click the password reset link.
    3. Do not change the password.
    4. Click a link to any third-party website on the page (e.g. Facebook, Twitter).
    5. Intercept the request in the Burp Suite proxy.
    6. Check whether the Referer header is leaking the password reset token.
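The following check, added here as an example rather than taken from the HowToHunt page, models the three conditions the section describes: the token sits in the reset page URL, the page links out to a third party, and nothing suppresses the Referer. It flags outbound links that would carry the full URL unless the response sets a safe `Referrer-Policy`, the page carries an equivalent `<meta name="referrer">`, or the anchor has `rel="noreferrer"`. The sample URL, HTML and the list of token parameter names are constructed assumptions.

```python
"""Flag third-party links on a reset page that would leak the token via Referer.

Added example, not the page's own code. All inputs are constructed samples.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Assumed names under which applications commonly carry a reset token.
TOKEN_PARAM_NAMES = {"token", "reset_token", "key", "code"}

# Policies under which a cross-origin navigation never carries the full URL.
SAFE_POLICIES = {
    "no-referrer", "same-origin", "origin", "strict-origin",
    "origin-when-cross-origin", "strict-origin-when-cross-origin",
}


class _LinkCollector(HTMLParser):
    """Collects <a href> links with their rel attribute and any <meta name="referrer">."""

    def __init__(self):
        super().__init__()
        self.links = []          # list of (href, rel) tuples
        self.meta_referrer = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append((a["href"], (a.get("rel") or "").lower()))
        elif tag == "meta" and (a.get("name") or "").lower() == "referrer":
            self.meta_referrer = (a.get("content") or "").lower()


def token_in_url(page_url):
    """True when the reset token travels in the query string (the source of the leak)."""
    qs = parse_qs(urlparse(page_url).query)
    return any(name in qs for name in TOKEN_PARAM_NAMES)


def leaking_links(page_url, headers, html):
    """Return third-party hrefs whose click would send the token-bearing URL as Referer.

    An absent Referrer-Policy header is treated as leaking, since older browsers
    default to no-referrer-when-downgrade, which sends the full URL over HTTPS.
    """
    if not token_in_url(page_url):
        return []
    header_policy = {k.lower(): v.lower() for k, v in headers.items()}.get("referrer-policy", "")
    parser = _LinkCollector()
    parser.feed(html)
    if header_policy in SAFE_POLICIES or parser.meta_referrer in SAFE_POLICIES:
        return []
    own_host = urlparse(page_url).netloc
    return [
        href for href, rel in parser.links
        if urlparse(href).netloc and urlparse(href).netloc != own_host
        and "noreferrer" not in rel.split()
    ]


# Constructed sample: token in the URL, one unprotected and one protected outbound link.
SAMPLE_URL = "https://app.example/reset?token=CONSTRUCTED_TOKEN_123"
SAMPLE_HTML = """<html><body>
<a href="https://www.facebook.com/share">Share</a>
<a href="https://twitter.com/intent" rel="noopener noreferrer">Tweet</a>
<a href="/help">Help</a>
</body></html>"""


def demo():
    """Same page served without and with a Referrer-Policy header."""
    weak = leaking_links(SAMPLE_URL, {"Content-Type": "text/html"}, SAMPLE_HTML)
    hardened = leaking_links(SAMPLE_URL, {"Referrer-Policy": "no-referrer"}, SAMPLE_HTML)
    return weak, hardened


if __name__ == "__main__":
    print(demo())
```

The durable fix is to keep the token out of the page URL altogether (exchange it for a server-side session on first visit, then redirect to a clean URL); the header and `rel="noreferrer"` checks above cover pages where that is not yet done.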

2. Sending an array of email addresses instead of a single email address.

  • In this attack, the attacker sends an array of email addresses instead of a single email address in the password reset request. If the application accepts the array, the victim's reset link is sent to every address in it, which can lead to full account takeover.

```
POST https://example.com/api/v1/password_reset HTTP/1.1
```

Original Request Body:

```json
{"email_address":"xyz@gmail.com"}
```

Modified Request Body:

```json
{"email_address":["admin@breadcrumb.com","attacker@evil.com"]}
```

  • In this way, the password reset link is sent to both the victim and the attacker, and the attacker can use it to take over the account.
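The root cause is usually that the JSON value is handed straight to a mail library whose recipient argument accepts either a string or a list. The example below is added here and is not the page's or any project's code: `RecordingMailer`, `lookup_user` and the user directory are constructed stand-ins that model that behaviour, and the hardened handler shows the type check that closes the hole. The request bodies are the page's own samples.

```python
"""Vulnerable vs. hardened password reset handler for the "array of emails" flaw.

Added example, not the HowToHunt page's own code. The mailer, lookup and
user directory are constructed stand-ins.
"""
import json

# Constructed directory; the address is the page's sample victim.
USERS = {"admin@breadcrumb.com": {"id": 1}}


class RecordingMailer:
    """Stand-in for a mail library: like many, send() accepts a string or a list."""

    def __init__(self):
        self.sent = []

    def send(self, to, subject, body):
        recipients = [to] if isinstance(to, str) else list(to)
        self.sent.append((recipients, subject, body))
        return recipients


def lookup_user(email):
    """Constructed lookup that, given a list, matches any element (as the page's
    scenario requires for the victim's account to be selected)."""
    candidates = [email] if isinstance(email, str) else list(email)
    return next((USERS[c] for c in candidates if c in USERS), None)


def vulnerable_reset(raw_body, mailer):
    """Passes the JSON value through unchecked: a list reaches the mailer as-is."""
    email = json.loads(raw_body)["email_address"]
    user = lookup_user(email)
    if user is None:
        return None
    token = f"CONSTRUCTED_TOKEN_FOR_USER_{user['id']}"  # placeholder, not a real token scheme
    return mailer.send(email, "Reset your password", f"https://example.com/reset?token={token}")


def hardened_reset(raw_body, mailer):
    """Rejects anything that is not a single string address before any lookup."""
    email = json.loads(raw_body).get("email_address")
    if not isinstance(email, str) or "@" not in email:
        raise ValueError("email_address must be a single e-mail address")
    user = lookup_user(email)
    if user is None:
        return None  # in production, answer identically to success to avoid enumeration
    token = f"CONSTRUCTED_TOKEN_FOR_USER_{user['id']}"  # placeholder, not a real token scheme
    return mailer.send(email, "Reset your password", f"https://example.com/reset?token={token}")


ORIGINAL_BODY = '{"email_address":"admin@breadcrumb.com"}'
MODIFIED_BODY = '{"email_address":["admin@breadcrumb.com","attacker@evil.com"]}'  # page's sample

if __name__ == "__main__":
    print("vulnerable:", vulnerable_reset(MODIFIED_BODY, RecordingMailer()))
    try:
        hardened_reset(MODIFIED_BODY, RecordingMailer())
    except ValueError as exc:
        print("hardened:", exc)
```

Schema validation at the API boundary (a JSON schema with `"type": "string"` for the field) achieves the same result framework-wide; the explicit `isinstance` check is the minimal in-handler version.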

3. Bruteforcing OTP for Resetting Password.

  • This applies when the application's password reset functionality is based on OTP validation.

  • Many programs accept "no rate limit" as an acceptable risk, so brute-forcing the OTP is worth trying.

  • You can reset the password of an account by intercepting the OTP validation request and brute-forcing the 6-digit number.

  • Using this, it is possible to change and reset the password of any account by changing the user data in the request and brute-forcing the reset OTP.

Exploitation:

      1. Start Burp Suite and intercept the password reset request.
      2. Send it to Intruder.
      3. Use null payloads.

4. Full Account Takeover via Changing Email And Password of any User through API Parameters

Exploitation:

    1. The attacker logs in with their own account and goes to the change password function.
    2. Start Burp Suite and intercept the request.
    3. Send the intercepted request to Repeater and modify the Email and Password parameters.

```http
POST /api/changepass
[...]
{"form": {"email":"victim@email.tld","password":"12345678"}}
```
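This flaw exists whenever the handler picks the target account from a client-supplied `email` field instead of the authenticated session. The example below is added here and is not the page's or any project's code: it contrasts a handler that trusts the body with one that derives the account from the session and demands the current password. The session object, user store and hashing parameters are constructed for the demo; the request body is the page's own sample.

```python
"""Change-password handler: vulnerable (trusts body["form"]["email"]) vs. hardened.

Added example, not the HowToHunt page's own code. Session, user store and
hashing parameters are constructed for the demo.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumed setting for the demo


def hash_password(password, salt=None):
    """Returns (salt, digest) for storage."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def check_password(password, salt, digest):
    """Constant-time comparison of a candidate password against the stored digest."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def make_users():
    """Constructed user store: the attacker's own account and the page's sample victim."""
    users = {}
    for email, password in [("attacker@evil.com", "attacker-pw"), ("victim@email.tld", "victim-pw")]:
        salt, digest = hash_password(password)
        users[email] = {"salt": salt, "digest": digest}
    return users


def vulnerable_changepass(session, body, users):
    """Uses the email from the request body, so any logged-in user can pick the target."""
    target = users.get(body["form"]["email"])
    if target is None:
        return False
    target["salt"], target["digest"] = hash_password(body["form"]["password"])
    return True


def hardened_changepass(session, body, users):
    """Target comes only from the authenticated session; body["form"]["email"] is ignored,
    and the caller must prove knowledge of the current password."""
    target = users[session["user"]]
    form = body["form"]
    if not check_password(form.get("current_password", ""), target["salt"], target["digest"]):
        return False
    target["salt"], target["digest"] = hash_password(form["password"])
    return True


ATTACKER_SESSION = {"user": "attacker@evil.com"}          # constructed
PAGE_BODY = {"form": {"email": "victim@email.tld", "password": "12345678"}}  # page's sample

if __name__ == "__main__":
    users = make_users()
    print("vulnerable accepted:", vulnerable_changepass(ATTACKER_SESSION, PAGE_BODY, users))
    print("victim now has attacker's password:",
          check_password("12345678", users["victim@email.tld"]["salt"], users["victim@email.tld"]["digest"]))
```

A change of the account email itself should follow the same rule (session-bound, re-authenticated) and additionally confirm ownership of the new address before it becomes the login identity.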

5. Response manipulation: Replace Bad Response With Good One

  • Look for requests and responses like these:

```http
HTTP/1.1 401 Unauthorized
{"message":"unsuccessful","statusCode":403,"errorDescription":"Unsuccessful"}
```

  • Change the response to:

```http
HTTP/1.1 200 OK
{"message":"success","statusCode":200,"errorDescription":"Success"}
```
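Sections 3 and 5 above fail for the same underlying reason: the server either lets the OTP be guessed without limit, or lets the client's view of the verification result decide what happens next. The example below is added here and is not the page's or any project's code. It shows one reset service that counts attempts per code and burns the code after a few wrong guesses (a 6-digit OTP has 10^6 values, so a handful of tries is useless), and that records success only as a server-held, single-use reset ticket, so rewriting a 401 into a 200 in the proxy does not help because the final step validates the ticket, not the client's belief. The limits, clock, user store and response codes are constructed assumptions (the codes mirror the page's 401/200 samples).

```python
"""OTP-based reset with attempt limiting and server-side success state.

Added example, not the HowToHunt page's own code. Limits, clock and the
password store are constructed for the demo.
"""
import hmac
import secrets
import time

MAX_ATTEMPTS = 5         # assumed policy: wrong guesses allowed per issued code
OTP_TTL_SECONDS = 600    # assumed policy: code lifetime


class ResetService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}    # user -> {"otp": str, "attempts": int, "expires": float}
        self.tickets = {}    # ticket -> user, created only on a verified OTP
        self.passwords = {}  # user -> password (kept in the clear only to keep the demo short)

    def request_reset(self, user):
        """Issues a fresh 6-digit code; returning it here stands in for delivery by SMS/e-mail."""
        otp = f"{secrets.randbelow(1_000_000):06d}"
        self.pending[user] = {"otp": otp, "attempts": 0, "expires": self.clock() + OTP_TTL_SECONDS}
        return otp

    def verify_otp(self, user, code):
        """Returns (status, ticket). A wrong guess counts; too many burn the code."""
        entry = self.pending.get(user)
        if entry is None or self.clock() > entry["expires"]:
            self.pending.pop(user, None)
            return 401, None
        entry["attempts"] += 1
        if not hmac.compare_digest(entry["otp"], str(code)):
            if entry["attempts"] >= MAX_ATTEMPTS:
                del self.pending[user]  # a new request_reset is required from here on
            return 401, None
        del self.pending[user]          # each code verifies at most once
        ticket = secrets.token_urlsafe(32)
        self.tickets[ticket] = user
        return 200, ticket

    def set_new_password(self, ticket, new_password):
        """Only a ticket minted by verify_otp is accepted; the client's earlier 200 is irrelevant."""
        user = self.tickets.pop(ticket, None)  # single use
        if user is None:
            return 401
        self.passwords[user] = new_password
        return 200


def guesses_allowed(service, user):
    """Counts how many wrong submissions the service accepts before the code is burned.
    Reads the pending code only to construct a guaranteed-wrong guess for the demo."""
    otp = service.pending[user]["otp"]
    wrong = f"{(int(otp) + 1) % 1_000_000:06d}"
    count = 0
    while user in service.pending:
        service.verify_otp(user, wrong)
        count += 1
    return count


if __name__ == "__main__":
    svc = ResetService()
    svc.request_reset("victim@email.tld")
    print("wrong guesses tolerated:", guesses_allowed(svc, "victim@email.tld"))
    print("forged ticket accepted:", svc.set_new_password("forged", "x") == 200)
```

Per-user attempt counting is the part that matters; a global rate limit alone can be sidestepped, whereas a code that dies after five misses cannot be brute-forced regardless of request volume.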