Hi all, after a long time I decided to post something on bug bounty, as many people are getting interested in it.
So we are going to have a small discussion on how a password reset vulnerability may lead you to earn $$$ :). All these methods have been found on many sites, and they are good tricks that you can try during your bug bounty.



Password Reset Vulnerability For Bug Hunters
Most sites that have a sign-in button also have a forgot-password option, as of course humans can forget passwords :P.

When you click the forgot-password button you will be asked for your registered email ID, to which a link will be sent for resetting the password.
Here you can try the normal XSS, CSRF, etc. attacks, so I won't be discussing those; I will talk about something different.

So when you submit the request (email ID + maybe a captcha) you will get a mail containing a URL like "click here to reset/change password".

There are multiple kinds of URL you may get; I will discuss a few of them.

Case 1: Vulnerability in a URL carrying a token, email ID or username

https://site.com/members/resetpassword/username=xyz&emailid=abc@def@pqr.com&token=xsdf.234sdfdssd323

So here you can see the username and email ID are in the URL itself; in some cases you will get the username/email ID encoded or hashed.
There you can try to identify the encoding (mostly it will be either base64 or md5). Then you can try replacing the email ID and username with your desired email ID/username (encoded or un-encoded). If that works then congrats!! You have your bounty in your pocket, as sometimes the server accepts the dynamically created token but only checks the registered email ID/username at the database end and says "enter new password", which ends up giving you $$$.

But sometimes your luck is not that good and the design of the application is strong enough to check that the dynamic token is mapped to the user.

Case 2: Vulnerability in the Referer

https://site.com/members/resetpassword/username=xyz&emailid=abc@def@pqr.com&token=xsdf.234sdfdssd323

This is quite interesting: whenever you click on a link like this and intercept the request from your browser (Burp Suite or any proxy tool), you will see something like this:

GET /xyz HTTP/1.1
Host: abcd.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://site.com/users/password/edit?reset_password_token=HERE_IS_THE_VALUE_OF_RESET_PASSWORD_TOKEN
Connection: keep-alive

Then you can report this as a security issue, as a minimum an information disclosure.

In a few cases you will find

Referer: https://site.com/users/password/edit?mail=admin@abc.com&password=token&action=reset

that is, some email ID, or an admin or superuser name/email ID, sitting there. That also you can report as a security issue and get $$$ in your pocket.
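As an added example (not code from the original post), here is the defender's side of Case 2: a small check that scans a raw HTTP request for a Referer header whose query string carries reset secrets or account identifiers, plus a check that the reset page sends a Referrer-Policy that keeps the token out of cross-origin requests. The sample requests are constructed from the headers shown above; SENSITIVE_PARAMS is an assumed list of parameter names.

```python
from urllib.parse import parse_qs, urlsplit

# Query parameter names that commonly carry reset secrets or account identifiers (assumed list).
SENSITIVE_PARAMS = {"token", "reset_password_token", "password", "mail", "email", "emailid", "username"}

# Referrer-Policy values that send at most the origin (never the path or query)
# on cross-origin requests, so a token in the reset URL cannot reach third parties.
SAFE_REFERRER_POLICIES = {"no-referrer", "same-origin", "origin", "strict-origin",
                          "origin-when-cross-origin", "strict-origin-when-cross-origin"}

# Constructed samples modelled on the Referer headers shown in Case 2 (not real captures).
SAMPLE_REQUEST = (
    "GET /xyz HTTP/1.1\r\n"
    "Host: abcd.com\r\n"
    "Referer: https://site.com/users/password/edit?reset_password_token=HERE_IS_THE_VALUE_OF_RESET_PASSWORD_TOKEN\r\n"
    "Connection: keep-alive\r\n"
)
SAMPLE_REQUEST_ADMIN = (
    "GET /xyz HTTP/1.1\r\n"
    "Host: abcd.com\r\n"
    "Referer: https://site.com/users/password/edit?mail=admin@abc.com&password=token&action=reset\r\n"
)


def parse_headers(raw_request: str) -> dict:
    """Split a raw HTTP request into a {lower-case name: value} header map (request line skipped)."""
    headers = {}
    for line in raw_request.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def referer_leaks(raw_request: str) -> list:
    """Return (param, value) pairs in the Referer query string that look like reset secrets."""
    referer = parse_headers(raw_request).get("referer")
    if not referer:
        return []
    query = parse_qs(urlsplit(referer).query, keep_blank_values=True)
    return [(name, values[0]) for name, values in query.items() if name.lower() in SENSITIVE_PARAMS]


def reset_page_hardened(response_headers: dict) -> bool:
    """Mitigation check: does the reset page's response carry a Referrer-Policy that strips the query?"""
    lowered = {name.lower(): value for name, value in response_headers.items()}
    return lowered.get("referrer-policy", "").strip().lower() in SAFE_REFERRER_POLICIES
```

Run `referer_leaks` over proxy or server logs to spot reset tokens travelling in Referer headers, and `reset_page_hardened` against the reset page's response headers to confirm the fix is in place.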

Case 3: Poor Encryption Breaking (thanks to Ajay Singh Negi for sharing this)

If you get a link like this:

https://site.com/members/setup-password/14aaef7bb41ed6e4b46d09298ec1bfc6a483623d/

After clicking on this type of link you will get to a page where the email field is filled with attacker@gmail.com and there are 2 blank fields to change the password.

Now while submitting the request you can easily change the email ID to the victim's mail ID (you can use a proxy tool like Burp Suite) and change the password. So if the validation is not there, and if you are lucky, you will end up resetting any victim's password on that website and get a good bounty out of it.

Case 4: Analyzing the password reset vulnerability

(again a good finding by Ajay Singh Negi)

So what if you get a link like this?

Attacker's email ID: attackeremailid@gmail.com, and his password reset link:

http://testsite.com/reset-password/74o4s384549484c4k4v506t4d5a3e5n5k444j4g5j4o4c553l454h464m474/74q55426l4q5u5m5c4s5l5m5n5t2102fadb4bd021805624f06ea4c8e4d38

Here, as you can guess, there is some md5 hashing involved. On quick analysis you can see that the 1st part of the password reset URL before the '/' is the password reset token, and the second part is the md5 hash of the user's email ID, in which the 1st 28 values (74q55426l4q5u5m5c4s5l5m5n5t2) are the same for every user's email ID and the remaining values differ for each user, as they are the md5 hash of that user's email ID. So the attacker can easily reverse the email hash values using the online md5 "decryption" (lookup) sites like http://md5decryption.com. Also, sometimes websites use base64 encoding (or other encodings), which can just as easily be decoded using the online base64 encoders and decoders like http://ostermiller.org/calc/encode.html.


Attacker's email ID: attackeremailid@gmail.com, md5 hash value:
102fadb4bd021805624f06ea4c8e4d38


Victim's email ID: victimemailid@gmail.com, md5 hash value:
05ebb8fb6ec39f50d33e19cd5719084d


1st 28 values, which are the same for every user's email ID hash:
74q55426l4q5u5m5c4s5l5m5n5t2


Crafted URL to reset the password of the victim's email ID (i.e. account) victimemailid@gmail.com:

http://testsite.com/reset-password/74o4s384549484c4k4v506t4d5a3e5n5k444j4g5j4o4c553l454h464m474/74q55426l4q5u5m5c4s5l5m5n5t205ebb8fb6ec39f50d33e19cd5719084d

So in this way the attacker can take over any user's account. So if you find this kind of issue then you have money $$$ in your bank.
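As an added example (not code from the original post or from any site it describes), here is how a defender closes Cases 1, 3 and 4 together: the Case 4 design (constant prefix + md5 of the email) is shown only to make the point that it contains no secret and is reproducible by anyone who knows an address, while the hardened version issues a random single-use token, stores only its hash with an expiry, and takes the account from the stored record instead of from anything the client submits. USERS, RESET_TOKENS and the example addresses are constructed stand-ins for the site's database.

```python
import hashlib
import secrets
import time
from typing import Optional

# In-memory stand-ins for the site's database (constructed for this example).
USERS = {"victim@example.com": "user-1", "attacker@example.com": "user-2"}
RESET_TOKENS = {}  # sha256(token) -> {"user_id": ..., "expires": ...}
TOKEN_TTL_SECONDS = 15 * 60
CONSTANT_PREFIX = "74q55426l4q5u5m5c4s5l5m5n5t2"  # the fixed 28-character prefix from Case 4


def weak_token_from_email(email: str) -> str:
    """The Case 4 design: constant prefix + md5(email). No secret is involved, so
    the value proves nothing about who requested the reset; shown only for contrast."""
    return CONSTANT_PREFIX + hashlib.md5(email.encode()).hexdigest()


def issue_reset_token(email: str, now: Optional[float] = None) -> Optional[str]:
    """Issue a random, single-use token bound to the account. Only a hash is stored,
    so a database leak does not hand out live tokens. Returns None for unknown
    addresses (the HTTP response to the user should look the same either way)."""
    user_id = USERS.get(email)
    if user_id is None:
        return None
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = {
        "user_id": user_id,
        "expires": (time.time() if now is None else now) + TOKEN_TTL_SECONDS,
    }
    return token


def consume_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the bound user_id if the token is valid, and burn it. The account comes
    from the stored record: any email/username in the URL or form (Cases 1 and 3)
    is ignored, so swapping it for a victim's address changes nothing."""
    record = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if record is None or (time.time() if now is None else now) > record["expires"]:
        return None
    return record["user_id"]
```

The password-change handler should call `consume_reset_token` and act only on the returned user_id, never on an address echoed back from the form.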

So these are some common ways of detecting vulnerabilities typically found in the password reset function.
Also DO look out for click-jacking, CSRF, URL redirection after password reset, etc. in password reset (even look out for log in / log out / being automatically logged in after clicking the password recovery link; those also have a good impact) to build the exploit scenario better and get more $$. Hope you like this; please do leave a comment if you want more posts like this which will help you in finding bug bounties.
