Account Takeover: Understanding Password Reset Vulnerabilities for Bug Bounty Hunters

0
83

As a bug bounty hunter, it is essential to have a thorough understanding of password reset vulnerabilities to identify and report them to companies for fixing. In this blog post, we will explore various password reset vulnerabilities and provide step-by-step instructions for exploiting them, along with examples, to help bug bounty hunters in their efforts.

Password Reset Feature

One common vulnerability is a password reset feature that can be exploited if the password reset token is leaked via the referer header. To exploit this vulnerability, the attacker intercepts the password reset request in Burp Suite proxy, checks if the referer header is leaking the password reset token, and then takes over the account by clicking on any third-party website.

Account Takeover Through Password Reset Poisoning

Another vulnerability is account takeover through password reset poisoning, where an attacker modifies the host and X-forwarded-host headers in the Burp Suite proxy and forwards the request with the modified header. By doing so, the attacker can look for a password reset URL based on the host header and take over the account.

Password Reset Via Email Parameter

The third vulnerability is password reset via email parameter, which involves parameter pollution, an array of emails, carbon copy, and separator. The attacker can use any of these methods to inject their email address in the password reset URL and take over the account.

IDOR on API Parameters

Insecure direct object reference (IDOR) is another vulnerability that can be exploited to take over an account by manipulating the API parameters. The attacker can login with their account, go to the change password feature, intercept the request in Burp Suite, and edit the parameters to change the victim’s email address and password.

Weak Password Reset Token

A weak password reset token is generated algorithmically, making it easy for the attacker to guess it. The attacker can try to determine if the token expires or if it is always the same, and use variables such as the timestamp, user ID, email of the user, first name and last name, date of birth, cryptography, number only, small token sequence, and token reuse to guess the password reset token.

Leaking Password Reset Token

Another vulnerability is leaking password reset token, where the attacker triggers a password reset request using the API/UI for a specific email address, inspects the server response, checks for resetToken, and then uses the token in the URL to reset the password and take over the account.

Password Reset Via Username Collision

Password reset via username collision, where the attacker registers on the system with a username identical to the victim’s username, but with white spaces inserted before and/or after the username. The attacker then requests a password reset with their malicious username, uses the token sent to their email to reset the victim’s password, and connects to the victim’s account with the new password.

Conclusion

As a bug bounty hunter, understanding password reset vulnerabilities is critical in identifying and reporting them to companies for fixing. By exploiting these vulnerabilities, an attacker can take over an account and access sensitive information. The vulnerabilities discussed in this blog post include password reset feature, account takeover through password reset poisoning, password reset via email parameter, IDOR on API parameters, weak password reset token, leaking password reset token, and password reset via username collision. By following the step-by-step instructions provided in this post, bug bounty hunters can identify and report these vulnerabilities and help companies improve their security.