Password recovery vulnerability of foreign public testing
2022-07-08 00:41:00 【yggcwhat】
Original source: Password recovery vulnerability of foreign public testing - Xianzhi community (aliyun.com)
Preface
Recently I have been reading write-ups from foreign crowdsourced testing (bug bounty) programs and occasionally browsing HackerOne. Many of the disclosed reports are logic flaws, and a report accepted on HackerOne pays in US dollars, which is still very tempting. Password recovery is an old, well-known function; I wrote an article about it some time ago but found that summary incomplete. This post uses examples from foreign bug bounty programs to give a more complete summary of this class of vulnerability.
1. The password reset link does not expire
When a user asks to change their password they receive a password reset link, and that link should stop working after a limited time and after a single use. If it never expires, the same link can be used repeatedly to reset the password, which means the reset function is broken.
On HackerOne most such reports follow the same pattern: request a password reset link, then change the account's e-mail address to a different mailbox, and find that the old reset link has not been invalidated and still works. That is one approach. The cases I usually think of as "reset link not expired" are slightly different: the link can be used again after it has already been used; an earlier link remains valid after a new one has been requested; or the link stays valid for far too long. You know what this means, so there are no specific examples here.
2. No rate limit on password reset
When the reset link is delivered by e-mail or SMS and the server applies no, or only loose, rate limiting to the request that sends it, an attacker can replay that request to send a large number of reset messages, producing an SMS bombing or e-mail bombing vulnerability. In practice, when a limit on the e-mail address or phone number is in place, try adding a space, a country prefix such as +86, a "?", a "\" or similar characters to the field: if the limiter keys on the raw value, the variant is treated as a new identifier and the limit is bypassed. This is routine, and many people have analysed the root cause, so I will not repeat it here.
Replaying the request packet produces a large number of password reset e-mails.
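The bypass above works because the limiter counts raw field values rather than the account they resolve to. The following is an example added by the editor, not code from the original article: an in-memory sliding-window limiter for the "send reset link" request that keys on a normalised e-mail address or phone number, so that "victim@example.com", " VICTIM@example.com " and "+86 138..." / "138..." share one quota. The window, quota, default country code and normalisation rules are assumptions and should be adapted to the identifiers a real site accepts.

```python
import re
import time
from collections import defaultdict, deque

# Assumed policy values (not from the article).
WINDOW_SECONDS = 3600   # sliding window length
MAX_PER_WINDOW = 3      # reset messages allowed per identifier per window

# Deliberately strict address shape: one local part, one domain, no separators.
EMAIL_RE = re.compile(r"[a-z0-9._+-]+@[a-z0-9-]+(\.[a-z0-9-]+)+")


def normalise_email(raw: str) -> str:
    """Map variants of one mailbox ('  Victim@Example.COM ') to one limiter key.

    Anything that is not exactly one plain address (a trailing '?', a space,
    a second '@') is rejected rather than silently given its own quota."""
    value = raw.strip().lower()
    if not EMAIL_RE.fullmatch(value):
        raise ValueError("not a single well-formed e-mail address")
    return value


def normalise_phone(raw: str, default_country: str = "86") -> str:
    """Keep digits only and force an explicit country code, so that
    '+86 13800000000', '13800000000', '86-13800000000' and '13800000000?'
    all become '+8613800000000'. Assumes a single default country."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) < 7:
        raise ValueError("phone number too short")
    if not raw.lstrip().startswith("+") and not digits.startswith(default_country):
        digits = default_country + digits
    return "+" + digits


class ResetRateLimiter:
    """Sliding-window counter per normalised identifier (an in-memory model of
    what would be a Redis key in production)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._hits = defaultdict(deque)

    def allow(self, key: str) -> bool:
        now = self._clock()
        window = self._hits[key]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()          # forget hits that left the window
        if len(window) >= MAX_PER_WINDOW:
            return False
        window.append(now)
        return True


def request_reset(limiter: ResetRateLimiter, identifier: str) -> bool:
    """Handler for 'send me a reset link'. Returns True if a message would be
    sent. The limiter key is the *normalised* identifier; keying on the raw
    field value is what makes the '+86' / trailing-space bypass work."""
    key = normalise_email(identifier) if "@" in identifier else normalise_phone(identifier)
    return limiter.allow(key)


if __name__ == "__main__":
    limiter = ResetRateLimiter()
    for attempt in ["victim@example.com", "victim@example.com", "victim@example.com",
                    " VICTIM@example.com ", "victim@example.com?",
                    "+86 13800000000", "13800000000", "86-13800000000", "13800000000?"]:
        try:
            print(repr(attempt), "->", "sent" if request_reset(limiter, attempt) else "rate limited")
        except ValueError as exc:
            print(repr(attempt), "-> rejected:", exc)
```

The fourth and fifth e-mail variants are refused (quota exhausted, then malformed), and the fourth phone variant is rate limited because all four spellings collapse to the same key.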
3. Denial of service via an over-long password
Passwords are usually limited to 8, 12 or 24 characters, or at most 48. If no length limit is enforced when a password is set, an extremely long string submitted when changing the password or creating an account can cause a denial of service, because the password is fed to a slow hash and some implementations' cost grows with the input length (Django's 2013 fix, which capped passwords at 4096 bytes, is the well-known case). The cap belongs on the server, and it can be generous: NIST SP 800-63B asks verifiers to accept at least 64 characters. In short, this is a risk point to keep in mind while testing; if the resulting error leaks a stack trace or other sensitive data, it becomes more than a risk point.
4. User enumeration through the password reset page
This one is obvious: some sites tell you whether the username or e-mail you entered is correct. The login form may be protected against this, but the forgot-password form is easily overlooked. In short, do not miss any place where information can be collected, and compare response times and status codes as well as the message text.
Below is the response from a site that has fixed this: it does not reveal whether an e-mail was sent, which is one way to avoid the problem. How serious this vulnerability is varies; security has to be balanced against user experience.
5. Host header poisoning
The attacker changes the Host header of the reset request so that the domain in the password reset link becomes a domain the attacker controls. This is a very common vulnerability. The e-mail is still delivered to the victim's mailbox; if the victim does not notice and clicks the link, the request, including the reset token, appears in the logs of the attacker's server, and the attacker can splice the token onto the correct domain and reset any user's password. Check proxy headers such as X-Forwarded-Host as well, since some frameworks prefer them over Host.
Changing the Host header:
In the e-mail, the domain of the password reset link has been replaced with the attacker-controlled domain.
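The root cause is building the absolute URL from a request header the client controls. The following is an example added by the editor, not code from the original article: the vulnerable construction next to a hardened one that validates Host against an allow-list and takes the origin from configuration. CANONICAL_ORIGIN and ALLOWED_HOSTS are assumed deployment settings.

```python
from urllib.parse import quote

# Assumed deployment settings (not from the article).
CANONICAL_ORIGIN = "https://example.com"
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def vulnerable_reset_link(headers: dict, token: str) -> str:
    """Builds the link from whatever Host (or X-Forwarded-Host) the client sent.
    An attacker who requests a reset for the victim with
    'Host: attacker.example' gets the victim's token delivered to
    attacker.example as soon as the victim clicks."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    return f"https://{host}/reset?token={quote(token, safe='')}"


def hardened_reset_link(headers: dict, token: str) -> str:
    """Never derive the origin from request headers: reject an unexpected Host
    outright and build the link from the configured canonical origin."""
    host = headers.get("Host", "").split(":")[0].lower()   # drop any :port
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected Host header: {host!r}")
    return f"{CANONICAL_ORIGIN}/reset?token={quote(token, safe='')}"


if __name__ == "__main__":
    poisoned = {"Host": "example.com", "X-Forwarded-Host": "attacker.example"}
    print("vulnerable:", vulnerable_reset_link(poisoned, "tok123"))
    try:
        print("hardened:  ", hardened_reset_link({"Host": "attacker.example"}, "tok123"))
    except ValueError as exc:
        print("hardened:   rejected ->", exc)
    print("hardened:  ", hardened_reset_link(poisoned, "tok123"))
```

Rejecting the request is the right reaction to an unknown Host, rather than quietly substituting the canonical domain, because a wrong Host on a reset request is almost always an attack or a misconfiguration worth alerting on.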
6. Referer leaks the password reset token
The Referer request header carries the address of the previous page. If the reset page itself has the token in its URL, clicking another link on that page sends the reset URL, token included, to the linked site in the Referer header. Note that current browsers default to the strict-origin-when-cross-origin policy, which sends only the origin to other sites, so the leak needs a permissive Referrer-Policy (unsafe-url or no-referrer-when-downgrade), an older browser, or a same-origin link.
Open the password reset page, enter the e-mail address and click send.
Click the reset link to get the reset page, then click any of the third-party links on the page (Twitter, Facebook, LinkedIn) and intercept the request with Burp.
The password reset link can be seen leaking in the Referer header.
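To reason about when the leak actually happens and how to close it, here is an example added by the editor (not the article's code). referer_sent() applies the Referrer-Policy rules for a top-level navigation, and the two handlers move the token out of the URL into a server-side session on the first hit, so the page the user lands on carries no secret for the Referer to leak. SESSIONS, the paths and the cookie attributes are assumptions.

```python
import secrets
from urllib.parse import urlsplit

SESSIONS = {}   # stands in for a server-side session store (assumption)


def _origin(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc.lower()}"


def _referrer_url(url: str) -> str:
    """Full referrer: userinfo and fragment are stripped, the query is kept,
    and the query is exactly where a ?token=... ends up."""
    p = urlsplit(url)
    port = f":{p.port}" if p.port else ""
    query = f"?{p.query}" if p.query else ""
    return f"{p.scheme}://{p.hostname}{port}{p.path}{query}"


def referer_sent(page_url, target_url, policy="strict-origin-when-cross-origin"):
    """Referer value a browser sends when leaving page_url for target_url under
    the given Referrer-Policy, or None. The default argument is the default
    policy of current Chrome, Firefox and Safari."""
    same_origin = _origin(page_url) == _origin(target_url)
    downgrade = page_url.startswith("https://") and target_url.startswith("http://")
    origin_only = _origin(page_url) + "/"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return _referrer_url(page_url)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else _referrer_url(page_url)
    if policy == "same-origin":
        return _referrer_url(page_url) if same_origin else None
    if policy == "origin":
        return origin_only
    if policy == "strict-origin":
        return None if downgrade else origin_only
    if policy == "origin-when-cross-origin":
        return _referrer_url(page_url) if same_origin else origin_only
    if policy == "strict-origin-when-cross-origin":
        if downgrade:
            return None
        return _referrer_url(page_url) if same_origin else origin_only
    raise ValueError(f"unknown policy {policy!r}")


def token_leaks(page_url, target_url, policy) -> bool:
    ref = referer_sent(page_url, target_url, policy)
    return bool(ref) and "token=" in ref


def handle_reset_link(query_token, session_id=None):
    """GET /reset?token=...: park the token server-side and redirect to a URL
    with no secret in it. Whatever the user clicks on the form page, the
    Referer can at most reveal /reset/form."""
    sid = session_id or secrets.token_urlsafe(16)
    SESSIONS[sid] = {"reset_token": query_token}
    return {"status": 302, "headers": {
        "Location": "/reset/form",
        "Set-Cookie": f"sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax",
        "Referrer-Policy": "no-referrer"}}      # defence in depth


def handle_reset_form(session_id):
    """GET /reset/form: the token comes from the session, never from the URL."""
    if session_id not in SESSIONS:
        return {"status": 400, "headers": {"Referrer-Policy": "no-referrer"}, "body": "no pending reset"}
    return {"status": 200, "headers": {"Referrer-Policy": "no-referrer"}, "body": "<form>...</form>"}


if __name__ == "__main__":
    page = "https://example.com/reset?token=SECRET123"
    for policy in ["unsafe-url", "no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"]:
        print(f"{policy:32} -> {referer_sent(page, 'https://twitter.com/x', policy)}")
```

Running the demo shows the leak only under the first two policies; a site that never put the token in the visited URL, as the redirect handler does, is safe under all of them.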
7. Weak credential in the reset link
If the credential carried in the password reset link can be guessed by an attacker, the link is not secure.
The simplest and crudest form, with strong visual impact: the credential is just the username, so by enumerating usernames that exist in the system any user's password can be reset:
http://example.com/reset-password?user=victim-user
A Bugcrowd example: the credential that actually resets the password is only the trailing 10-digit number, which has nothing to do with the long random string before it. That makes the enumeration far cheaper than it looks (a 10-digit value in this range is also the size of a Unix timestamp; if that is what it is, the whole search space is the few seconds around when the reset was requested). Many people give up as soon as they see a long random code; think one step further, test whether the reset depends only on the final segment, and the bounty is yours.
https://redacted.com/update-password/12d52catcbc344ec-9871-85ac6390d863/1621264272
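To make the "much cheaper than it looks" concrete, here is an example added by the editor (not the article's code) that quantifies the remaining work once only the trailing segment is checked. It decodes the segment as an epoch timestamp where plausible, enumerates the candidates within a time window around the request (the attacker knows the time, having triggered the reset), and compares the resulting bits of work with a properly random suffix. REDACTED_PREFIX is a placeholder for the prefix shown above.

```python
import math
import secrets
from datetime import datetime, timezone

# Placeholder for the redacted prefix in the article's URL (assumption).
REDACTED_PREFIX = "https://redacted.com/update-password/<random-looking-segment>/"


def epoch_if_plausible(segment: str, year_lo=2010, year_hi=2040):
    """Return the UTC datetime if segment is a 10-digit number that decodes to
    a plausible Unix timestamp, else None. '1621264272' decodes to 17 May 2021."""
    if not (segment.isdigit() and len(segment) == 10):
        return None
    ts = datetime.fromtimestamp(int(segment), tz=timezone.utc)
    return ts if year_lo <= ts.year <= year_hi else None


def candidate_suffixes(request_epoch: int, window_seconds: int):
    """All 10-digit values within +/- window_seconds of the moment the reset was
    requested: the entire search space if the suffix is a timestamp."""
    return [str(t) for t in range(request_epoch - window_seconds, request_epoch + window_seconds + 1)]


def candidate_links(request_epoch: int, window_seconds: int, prefix=REDACTED_PREFIX):
    return [prefix + s for s in candidate_suffixes(request_epoch, window_seconds)]


def effective_bits(n_candidates: int) -> float:
    """Work factor in bits for a uniform search over n_candidates values."""
    return math.log2(n_candidates)


def random_suffix_bits(nbytes: int = 32) -> int:
    """For comparison: the work factor of a suffix made of nbytes random bytes,
    as produced by secrets.token_urlsafe(nbytes)."""
    return 8 * nbytes


if __name__ == "__main__":
    seg = "1621264272"
    when = epoch_if_plausible(seg)
    print(seg, "->", when.isoformat() if when else "not a timestamp")
    links = candidate_links(int(seg), 300)
    print(len(links), "candidates within 5 minutes, about %.1f bits" % effective_bits(len(links)))
    print("versus %d bits for a suffix like %s" % (random_suffix_bits(), secrets.token_urlsafe(32)))
```

Six hundred candidates, under ten bits of work, is a few seconds of requests even behind a modest rate limit; this is why the credential must be drawn from a CSPRNG rather than from anything the attacker can narrow down.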
8. Credential leakage
The application inadvertently discloses the password reset token or another sensitive credential, allowing the password to be reset arbitrarily.
When a password reset is requested, the response to the request that sends the reset link contains a token value:
Walking through the flow and resetting the password shows that this is the same token used when the password is reset:
So as long as we enter an existing username, the reset request response hands us the token needed to reset that user's password, giving arbitrary password reset. Besides the response body, check redirect Location headers, inline JavaScript and any JSON API the page calls for the same leak.
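The three token problems above (section 1, a link that stays valid; section 7, a guessable credential; section 8, a token echoed in the response) share one fix on the server side. The following is an example added by the editor, not the article's code: an in-memory model of a reset flow where the token is 256 random bits, only its hash is stored, it expires, it is single-use, a new request invalidates the previous link, and the token is written to the outgoing mail but never to the HTTP response (which is also identical for unknown addresses, the section 4 point). TOKEN_TTL, OUTBOX and the user table are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60   # assumed policy: links live 15 minutes
OUTBOX = []           # stands in for the mail sender: (user_id, token)


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


class ResetTokenStore:
    """Server-side table of live reset tokens, keyed by their hash so that a
    leaked copy of the table (or a debug endpoint that dumps it) yields
    nothing directly usable."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._by_digest = {}   # sha256(token) -> (user_id, expires_at)
        self._by_user = {}     # user_id -> sha256 of that user's one live token

    def issue(self, user_id) -> str:
        old = self._by_user.pop(user_id, None)
        if old is not None:
            self._by_digest.pop(old, None)       # the earlier link stops working
        token = secrets.token_urlsafe(32)         # 256 bits from the CSPRNG
        self._by_digest[_digest(token)] = (user_id, self._clock() + TOKEN_TTL)
        self._by_user[user_id] = _digest(token)
        return token                              # goes into the e-mail only

    def redeem(self, token: str):
        """Return user_id if token is live. The record is removed either way,
        so a link can be used once and never after expiry."""
        rec = self._by_digest.pop(_digest(token), None)
        if rec is None:
            return None
        user_id, expires_at = rec
        self._by_user.pop(user_id, None)
        if self._clock() > expires_at:
            return None
        return user_id


def forgot_password(store: ResetTokenStore, users: dict, submitted_email: str) -> dict:
    """POST /forgot. Same response whether or not the address exists; the token
    is never part of it."""
    user_id = users.get(submitted_email.strip().lower())
    if user_id is not None:
        OUTBOX.append((user_id, store.issue(user_id)))
    return {"status": 200, "body": "If that address is registered, a reset link has been sent."}


def reset_password(store: ResetTokenStore, passwords: dict, token: str, new_password: str) -> dict:
    """POST /reset with the token from the e-mail."""
    user_id = store.redeem(token)
    if user_id is None:
        return {"status": 400, "body": "Reset link is invalid or has expired."}
    passwords[user_id] = new_password   # a real system stores a password hash
    return {"status": 200, "body": "Password updated."}
```

A real deployment keeps the same table in a database or Redis and adds the rate limit from section 2 in front of forgot_password; the invariants to test against it are exactly the ones the three report types exercise: old link dead after re-request, link dead after use, link dead after the TTL, and no token in any response.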
9. Resetting the password via the email parameter
When the victim requests a password reset link, an attacker can try the following manipulations of the email parameter to have the victim's reset link delivered to an attacker-controlled address as well:
1. Two parameters (HTTP Parameter Pollution, HPP): [email protected]&[email protected]
2. JSON array: {"email":["[email protected]","[email protected]"]}
3. Separators: [email protected],[email protected] or [email protected]%[email protected] or [email protected]|[email protected]
4. CRLF injection adding a Cc header: [email protected]%0a%0dcc:[email protected]
Example payload: {"email":["[email protected]","[email protected]"]}
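All four shapes succeed only if the server accepts something other than exactly one plain address and passes it on to the mailer. The following is an example added by the editor, not code from the original article: a parser for the body of a forgot-password request (form-encoded or JSON) that returns the single permitted recipient and rejects every variant listed above. The addresses in the demo are constructed, and the strict address pattern is the editor's choice.

```python
import json
import re
from urllib.parse import parse_qsl

# Deliberately strict: one local part, one domain, none of the separator
# characters that mailers or SMTP headers might interpret (editor's choice).
EMAIL_RE = re.compile(r"[a-z0-9._+-]+@[a-z0-9-]+(\.[a-z0-9-]+)+")


class RejectedInput(ValueError):
    """Raised for anything that is not exactly one plain address."""


def validate_single_email(value) -> str:
    if not isinstance(value, str):
        raise RejectedInput("email must be a single string, not %s" % type(value).__name__)
    if len(value) > 254:
        raise RejectedInput("address too long")
    # Whitespace (which %20 / %0a / %0d decode to), list separators and a
    # literal '%' (an encoded payload that reached us undecoded) are all out.
    if value != value.strip() or re.search(r"[\s,;|<>%]", value):
        raise RejectedInput("separator, whitespace or control character in address")
    lowered = value.lower()
    if not EMAIL_RE.fullmatch(lowered):
        raise RejectedInput("not a well-formed single address")
    return lowered


def recipient_from_form(body: str) -> str:
    """application/x-www-form-urlencoded: count the email parameters so HPP
    ('email=a&email=b') is rejected instead of silently taking first or last."""
    values = [v for k, v in parse_qsl(body, keep_blank_values=True) if k == "email"]
    if len(values) != 1:
        raise RejectedInput("expected exactly one email parameter, got %d" % len(values))
    return validate_single_email(values[0])


def recipient_from_json(body: str) -> str:
    """application/json: the value must be a string, not a list or object."""
    try:
        data = json.loads(body)
    except ValueError as exc:
        raise RejectedInput("invalid JSON") from exc
    if not isinstance(data, dict) or "email" not in data:
        raise RejectedInput("email field missing")
    return validate_single_email(data["email"])


def reset_recipient(content_type: str, body: str) -> str:
    if content_type.startswith("application/json"):
        return recipient_from_json(body)
    if content_type.startswith("application/x-www-form-urlencoded"):
        return recipient_from_form(body)
    raise RejectedInput("unsupported content type")


def is_rejected(content_type: str, body: str) -> bool:
    try:
        reset_recipient(content_type, body)
    except RejectedInput:
        return True
    return False


if __name__ == "__main__":
    FORM, JSON_ = "application/x-www-form-urlencoded", "application/json"
    samples = [   # constructed payloads mirroring the four shapes above
        (FORM, "email=victim@example.com&email=attacker@evil.example"),
        (JSON_, '{"email": ["victim@example.com", "attacker@evil.example"]}'),
        (FORM, "email=victim@example.com,attacker@evil.example"),
        (FORM, "email=victim@example.com%20attacker@evil.example"),
        (FORM, "email=victim@example.com|attacker@evil.example"),
        (FORM, "email=victim@example.com%0a%0dcc:attacker@evil.example"),
        (JSON_, '{"email": "Victim@Example.com"}'),
    ]
    for ct, body in samples:
        print("rejected" if is_rejected(ct, body) else "accepted", "<-", body)
```

Only the last sample is accepted. Counting parameters rather than reading one of them matters because frameworks differ on whether a repeated parameter yields the first value, the last value or a list, and the mailer behind them may split on commas anyway.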
10. Tampering with the response
Sometimes the transition to the change-password step is controlled by the front end. If the response is altered to what the client expects on success, for example by changing the status code in the returned JSON, the front end moves on to the password change step; if the server does not verify the intermediate steps itself, the user's password can then be changed at will.
After entering a username the user has to pass a security verification; enter any answer and the following is returned:
HTTP/1.1 401 Unauthorized
{"message":"unsuccessful","statusCode":403,"errorDescription":"Unsuccessful"}
Modelled on that, construct the success response:
{"message":"success","statusCode":200,"errorDescription":"Success"}
The page moves on to the change-password form; change the password.
The password was modified successfully. Whenever you change a password this way you must check that the change actually took effect: on most sites today the front-end check can be skipped, but the final password change still fails on the server.
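What separates the sites where this works from the ones where "the final change still fails" is whether the server keeps its own record of the verification step. The following is an example added by the editor, not the article's code, with constructed sample data: the verification endpoint returns JSON in the same shape as the responses above, and the password-change endpoint consults server-side session state rather than anything the client sends back. A real system would store hashed answers and passwords.

```python
import hmac

# Constructed sample data (not from the article).
SECURITY_ANSWERS = {"alice": "blue"}
PASSWORDS = {"alice": "old-password"}
SESSIONS = {}   # session id -> {"user": ..., "verified": bool}


def verify_answer(session_id: str, username: str, answer: str) -> dict:
    """Step 1: security question. A success is recorded in the server session;
    the JSON below is for the UI only and is never read back by the server."""
    expected = SECURITY_ANSWERS.get(username)
    ok = expected is not None and hmac.compare_digest(answer.encode(), expected.encode())
    if ok:
        SESSIONS[session_id] = {"user": username, "verified": True}
    return {"message": "success" if ok else "unsuccessful",
            "statusCode": 200 if ok else 403,
            "errorDescription": "Success" if ok else "Unsuccessful"}


def change_password(session_id: str, username: str, new_password: str) -> dict:
    """Step 2: succeeds only if THIS session completed verification for THIS
    user. Rewriting step 1's response in the browser changes nothing here."""
    state = SESSIONS.get(session_id)
    if not state or not state.get("verified") or state["user"] != username:
        return {"message": "unsuccessful", "statusCode": 403, "errorDescription": "Unsuccessful"}
    PASSWORDS[username] = new_password
    SESSIONS.pop(session_id, None)   # one change per successful verification
    return {"message": "success", "statusCode": 200, "errorDescription": "Success"}


if __name__ == "__main__":
    print("wrong answer:      ", verify_answer("s1", "alice", "red"))
    print("forged client state:", change_password("s1", "alice", "pwned"))
    print("correct answer:    ", verify_answer("s1", "alice", "blue"))
    print("real change:       ", change_password("s1", "alice", "new-password"))
    print("stored password:   ", PASSWORDS["alice"])
```

The same pattern applies to every multi-step flow (OTP, e-mail code, security question): each step writes its outcome to server-side state, and the final action reads that state, never a flag or status the client supplies.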
Summary
New ideas keep appearing; this covers only the most basic ones. I just hope that when testing you are not blind and without a clue, and can find the clever tricks on top of the basic ones. That should be what we aim for.