
Password recovery vulnerabilities in foreign bug bounty programs

2022-07-08 00:41:00 yggcwhat

Source of the original text:

Password recovery vulnerabilities in foreign bug bounty programs - Xianzhi (Prophet) community (aliyun.com)

Preface

Recently I have been reading foreign bug bounty writeups and occasionally browsing HackerOne, and I noticed that a large share of the published reports are logic flaws. After all, a vulnerability accepted on HackerOne pays out in US dollars, which is quite tempting. Password recovery is an old-fashioned feature; I wrote an article about it some time ago but found that the summary was not very comprehensive. I am taking this opportunity to go through foreign bug bounty examples in the hope of giving a more complete summary of this class of vulnerability.

1. The password reset link does not expire

When a user requests a password change, they receive a password reset link, and that link should expire after a period of time. If it does not expire, the link can be used repeatedly to reset the password, which points to a flaw in the password reset function.
Browsing HackerOne, the most common pattern is: request a password reset link, then change the email address that receives reset links, and find that the old reset link has not expired and can still be used. That is one approach. It differs slightly from the non-expiring reset link I am familiar with. Generally speaking, a non-expiring password reset link means that the link can be used again after it has already been used to reset the password, or that an earlier link is still valid after a new one has been requested, or that the link stays valid for an excessively long time. Everyone knows what this means, so there are no specific examples here.

2. No rate limit on password reset

When the link to retrieve the password is obtained through email or SMS and the server imposes weak or no rate limiting on these requests, an attacker can replay the request to send a large number of password reset links, producing SMS bombing or email bombing. In day-to-day testing you can also try adding special characters to the email address or phone number, such as a space, +86, ?, \ and so on, to get around restrictions on the email address or phone number. This is routine; many experts have analysed the causes, so I will not go into them here.
Replay the request and receive a large number of password reset emails:
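The two defects above (section 1, links that never expire or work more than once, and section 2, no limit on how many reset emails one account can trigger) share one fix: the token issued for a reset must have a lifetime, must be invalidated once used or superseded, and issuing it must be rate limited per account. The following is an added example written for this article, not code from the original post or from any program mentioned in it. The 15-minute TTL, the three-per-hour limit and the in-memory dictionaries are assumptions chosen for illustration; a deployment would keep pending tokens and request counters in shared storage so every instance enforces the same limits.

```python
"""Reset tokens that expire, work once and are rate limited per account.

Added example for sections 1 and 2; it is not code from the original article.
The TTL, the request limit and the in-memory dictionaries are assumptions made
for illustration.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

TOKEN_TTL_SECONDS = 15 * 60       # assumed policy: a reset link is valid for 15 minutes
MAX_REQUESTS_PER_WINDOW = 3       # assumed policy: at most 3 reset emails per account
RATE_WINDOW_SECONDS = 60 * 60     # ... within any one hour


@dataclass
class PendingReset:
    token_hash: str      # sha256 of the token; the token itself only travels in the email
    expires_at: float
    used: bool = False


@dataclass
class ResetTokenService:
    clock: Callable[[], float] = time.time   # injected so tests can move time forward
    _pending: Dict[str, PendingReset] = field(default_factory=dict)
    _requests: Dict[str, List[float]] = field(default_factory=dict)

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, account: str) -> Optional[str]:
        """Issue a fresh token, or return None when the account is rate limited.

        A new token replaces any earlier one for the account, so a previously
        emailed link stops working as soon as a newer link is requested (section 1).
        """
        now = self.clock()
        recent = [t for t in self._requests.get(account, []) if now - t < RATE_WINDOW_SECONDS]
        self._requests[account] = recent
        if len(recent) >= MAX_REQUESTS_PER_WINDOW:
            return None                         # section 2: do not send another email
        recent.append(now)
        token = secrets.token_urlsafe(32)       # 256 bits of randomness
        self._pending[account] = PendingReset(self._hash(token), now + TOKEN_TTL_SECONDS)
        return token

    def consume(self, account: str, token: str) -> bool:
        """Accept a presented token at most once and only before it expires."""
        pending = self._pending.get(account)
        if pending is None or pending.used:
            return False                        # nothing outstanding, or already used
        if self.clock() > pending.expires_at:
            del self._pending[account]
            return False                        # expired
        if not hmac.compare_digest(pending.token_hash, self._hash(token)):
            return False                        # wrong or superseded token
        pending.used = True                     # section 1: a link works exactly once
        return True


def demo() -> Dict[str, bool]:
    """Walk through the failure modes from the article using a fake clock."""
    now = [1_000_000.0]
    svc = ResetTokenService(clock=lambda: now[0])

    first = svc.request_reset("alice")
    second = svc.request_reset("alice")            # newer link supersedes the first
    superseded_rejected = not svc.consume("alice", first)
    accepted = svc.consume("alice", second)
    replay_rejected = not svc.consume("alice", second)

    third = svc.request_reset("alice")
    now[0] += TOKEN_TTL_SECONDS + 1
    expired_rejected = not svc.consume("alice", third)

    fourth_blocked = svc.request_reset("alice") is None   # 4th request inside the hour
    now[0] += RATE_WINDOW_SECONDS
    allowed_again = svc.request_reset("alice") is not None

    return {
        "superseded_rejected": superseded_rejected,
        "accepted": accepted,
        "replay_rejected": replay_rejected,
        "expired_rejected": expired_rejected,
        "fourth_blocked": fourth_blocked,
        "allowed_again": allowed_again,
    }


if __name__ == "__main__":
    print(demo())
```

The service stores only a hash of the token, so a leaked database does not hand out live reset links, and compares hashes with `hmac.compare_digest` so a timing side channel cannot be used to guess one. The rate limiter deliberately returns `None` rather than raising, so the HTTP layer can still answer with the same neutral "if the account exists, an email has been sent" message.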

3. Denial of service with an overly long password

Passwords are usually 8, 12 or 24 characters, or at most 48. If no length limit is enforced when setting a password, submitting a very long string when changing the password or creating an account can cause a denial of service. In short, this is a risk point worth paying attention to when testing; if a system error one day causes sensitive data to spill out, it becomes more than just a risk point.

4. User enumeration via the password reset page

This one is obvious: some websites tell you whether the user name or email you entered is correct. The login page may be protected against this, but the forgot-password page may have been overlooked. In short, do not miss any place where information can be collected.
This is the response from a site that fixed the issue: it does not tell you whether an email was sent, which can be regarded as a mitigation. The severity of this flaw can be large or small; in short, security and user experience must be balanced.

5. Host header poisoning

The attacker modifies the target's Host header so that the domain name in the password reset link is changed to the attacker's own domain. This is actually a very common vulnerability. The email is still sent to the victim's mailbox; if the victim does not notice and clicks the link, the request shows up in the logs of the website controlled by the attacker, and after splicing the token onto the correct domain name, any user's password can be reset.
Modify the Host header:


In the email you can see that the domain name of the password reset link has been changed to the attacker-controlled domain.

6. Referer header leaks the password reset token

The Referer request header carries the address of the previous web page, so when the reset link page is opened and another link on that page is clicked, the Referer is sent along and reveals the password reset link.
Open the password reset page, enter the email and click send.


Click the reset link to reach the reset page, then click any of the applications offered on the page (Twitter, Facebook, LinkedIn) and intercept the request with Burp.

You can see the password reset link leaked in the Referer header.
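Sections 5 and 6 are both about where the reset link ends up: section 5 because the server copies the attacker's Host header into the link, section 6 because the browser copies the link into the Referer header of the next request. The added example below, written for this article and not taken from the original post or any program it mentions, shows the two server-side mitigations together: the link is built from a configured canonical origin and the request is refused if its Host header is not on an allowlist, and the page the link lands on is served with headers that stop the browser from sending the URL onwards. `CANONICAL_ORIGIN`, `ALLOWED_HOSTS` and the header values are assumptions chosen for illustration.

```python
"""Reset links built from a configured origin, and headers for the reset page.

Added example covering sections 5 (Host header poisoning) and 6 (Referer leak);
it is not code from the original article. CANONICAL_ORIGIN, ALLOWED_HOSTS and
the header values are assumptions chosen for illustration.
"""
from typing import Dict, Optional
from urllib.parse import quote

CANONICAL_ORIGIN = "https://accounts.example.com"   # configured, never taken from the request
ALLOWED_HOSTS = {"accounts.example.com"}            # what the reverse proxy is expected to forward


class UntrustedHostError(ValueError):
    """Raised when a request arrives with a Host header that is not ours."""


def normalize_host(host_header: Optional[str]) -> str:
    """Lower-case the Host value and drop an optional port (handles IPv6 literals)."""
    host = (host_header or "").strip().lower()
    if host.startswith("["):                      # e.g. "[::1]:443"
        return host.split("]", 1)[0] + "]"
    return host.rsplit(":", 1)[0] if ":" in host else host


def is_trusted_host(host_header: Optional[str]) -> bool:
    """True only for Host values the application is actually deployed under."""
    return normalize_host(host_header) in ALLOWED_HOSTS


def build_reset_link(host_header: Optional[str], token: str) -> str:
    """Return the link to embed in the reset email.

    Requests with an unexpected Host header are refused outright, and the link
    is built from CANONICAL_ORIGIN rather than from the header, so the domain in
    the email cannot be steered to an attacker even if the allowlist were
    misconfigured (section 5).
    """
    if not is_trusted_host(host_header):
        raise UntrustedHostError(f"unexpected Host header: {host_header!r}")
    return f"{CANONICAL_ORIGIN}/reset-password?token={quote(token, safe='')}"


def reset_page_headers() -> Dict[str, str]:
    """Headers for the page the reset link lands on (section 6).

    Referrer-Policy: no-referrer keeps the token-bearing URL out of the Referer
    header when the user follows a third-party link (Twitter, Facebook, LinkedIn)
    from that page; Cache-Control: no-store keeps it out of shared caches.
    """
    return {"Referrer-Policy": "no-referrer", "Cache-Control": "no-store"}
```

The Host check exists to make poisoning attempts visible in logs (a request whose Host is not ours is worth alerting on); the real protection is that the link never contains anything derived from the request. For section 6, a stronger design than headers alone is to consume the token from the URL immediately and continue the flow in a POST body or short-lived cookie, so there is no secret left in the URL for the Referer header to carry.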

7. Weak credential problem

If the password reset link contains a credential that an attacker can easily guess, the reset link is not secure.
The simplest and crudest form, with strong visual impact: the credential is the user name itself, so by enumerating user names that exist in the system any user's password can be reset.

http://example.com/reset-password?user=victim-user

A Bugcrowd example: the credential for resetting the password is only the trailing 10-digit number; it has nothing to do with the preceding string of random characters. Doesn't the enumeration cost look much lower once you see that? Try enumerating the last few digits to see whether you can find usable password reset links. Many people give up as soon as they see a long random code; if you think one step further, maybe the reset depends only on the final parameter, and that is the bounty.

https://redacted.com/update-password/12d52catcbc344ec-9871-85ac6390d863/1621264272

8. Credential leaked in the response

The program inadvertently reveals the password reset token or other important credentials, so the password can be reset arbitrarily.
When requesting a password reset, the response to the request that sends the reset link contains a token value:


Going through the process and resetting the password, I found that this token is also the token used when resetting the password:

So as long as we enter an existing user name, we obtain, at request time, the token that can be used to reset that user's password, achieving an arbitrary password reset.
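Sections 7 and 8 are two sides of the same review question: how much of the reset link is genuinely secret, and does that secret ever go anywhere other than the user's mailbox? The added example below (written for this article, not code from the original post or from the programs it mentions) puts both checks into functions a reviewer can run. `audit_reset_link` estimates an upper bound on the entropy of each credential-bearing part of a link and sums only the parts the server is known to validate, so the Bugcrowd case (only the trailing 10-digit number is checked) scores as enumerable even though the link also carries a long random-looking segment. `find_secret_in_response` walks a JSON response and reports every path whose value contains the issued token. The `MIN_SECRET_BITS` threshold, the alphabet heuristics and the sample response bodies are assumptions constructed for illustration; the sample link reuses the URL shape quoted above.

```python
"""Audit helpers for sections 7 and 8: how much of a reset link is actually secret,
and whether the issued token is echoed back in the reset-request response.

Added example, not from the original article. Thresholds, heuristics and sample
data are constructed for illustration.
"""
import math
import re
from typing import Any, Dict, List, Sequence
from urllib.parse import parse_qsl, urlsplit

MIN_SECRET_BITS = 128   # assumed policy: a reset credential needs at least 128 bits


def segment_entropy_bits(segment: str) -> float:
    """Upper bound on the entropy of one credential part, judged by its alphabet.

    Lower-case identifier-like values (user names, email addresses) are rated at
    0 bits because they are enumerable rather than secret. Digit-only values get
    log2(10) bits per character, hex 4, base64url 6. This is a heuristic bound:
    it can only overestimate how hard a value is to guess, never underestimate it.
    """
    if re.fullmatch(r"[a-z][a-z._-]*(@[a-z0-9.-]+)?", segment):
        return 0.0
    if segment.isdigit():
        return len(segment) * math.log2(10)
    if re.fullmatch(r"[0-9a-fA-F-]+", segment):
        return len(segment.replace("-", "")) * 4.0
    if re.fullmatch(r"[A-Za-z0-9_-]+", segment):
        return len(segment) * 6.0
    return len(segment) * math.log2(max(len(set(segment)), 2))


def credential_parts(url: str) -> Dict[str, str]:
    """Candidate credential parts of a reset link: path segments after the endpoint
    name (keyed 'path[i]') and query parameters (keyed by parameter name)."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s][1:]
    out = {f"path[{i}]": seg for i, seg in enumerate(segments)}
    out.update(parse_qsl(parts.query, keep_blank_values=True))
    return out


def audit_reset_link(url: str, validated: Sequence[str]) -> Dict[str, Any]:
    """Score a reset link given which parts the server really compares.

    `validated` names the keys from credential_parts() that the server checks
    before accepting the reset. Only those contribute to the attacker's cost;
    a random-looking segment the server ignores adds nothing (section 7).
    """
    parts = credential_parts(url)
    bits = {key: segment_entropy_bits(value) for key, value in parts.items()}
    effective = sum(bits[key] for key in validated)
    return {
        "bits": {key: round(value, 1) for key, value in bits.items()},
        "effective_bits": round(effective, 1),
        "adequate": effective >= MIN_SECRET_BITS,
    }


def find_secret_in_response(body: Any, secret: str, path: str = "$") -> List[str]:
    """Return the JSON paths of every string value containing `secret` (section 8)."""
    hits: List[str] = []
    if isinstance(body, dict):
        for key, value in body.items():
            hits += find_secret_in_response(value, secret, f"{path}.{key}")
    elif isinstance(body, list):
        for index, value in enumerate(body):
            hits += find_secret_in_response(value, secret, f"{path}[{index}]")
    elif isinstance(body, str) and secret in body:
        hits.append(path)
    return hits


# Constructed sample data (not real values).
ISSUED_TOKEN = "c0n5tructed-t0ken-for-the-example"
LEAKY_RESPONSE = {
    "status": "ok",
    "data": {
        "user": "alice",
        "resetToken": ISSUED_TOKEN,
        "link": f"https://accounts.example.com/reset?token={ISSUED_TOKEN}",
    },
}
SAFE_RESPONSE = {"status": "ok", "message": "If the account exists, an email has been sent."}
```

The response check is the one to wire into an integration test of the forgot-password endpoint: issue a reset for a test account, read the token the mailer was handed, and assert that `find_secret_in_response` returns an empty list for the HTTP response body and headers. The `SAFE_RESPONSE` shape also happens to be the fix for section 4, since it says the same thing whether or not the account exists.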

9. Reset password using the email parameter

When the victim requests a password reset link, we can try the following parameter manipulations so that the attacker receives the victim's password reset link.

1) Two parameters (also called HPP, HTTP Parameter Pollution)
[email protected]&[email protected]
2) JSON array
{"email":["[email protected]","[email protected]"]}
3) Separators
[email protected],[email protected]
[email protected]%[email protected]
[email protected]|[email protected]
4) Newline injection followed by a cc: address
[email protected]%0a%0dcc:[email protected]
payload: {"email":["[email protected]","[email protected]"]}
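Every payload in this list works only because the server accepts a loosely parsed `email` value and then mails whatever it parsed. The added example below, written for this article and not code from the original post, shows the strict handling that stops all four forms: a form body must carry exactly one `email` key with exactly one value, a JSON body must carry a single string, the string must match a conservative address pattern with no separators, whitespace or control characters, and the mail is sent to the address stored for the matching account rather than to the submitted string. The victim and attacker addresses, the regular expression and the account store are constructed for illustration.

```python
"""Strict handling of the email parameter on the forgot-password endpoint (section 9).

Added example, not from the original article. Addresses, the pattern and the
account store are constructed for illustration.
"""
import json
import re
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs

# Deliberately conservative: one local part, one '@', a dotted domain, and nothing else.
EMAIL_RE = re.compile(r"[A-Za-z0-9._+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")

# Constructed account store: canonical email -> account id.
ACCOUNTS = {"victim@example.com": "acct-victim"}

FORM = "application/x-www-form-urlencoded"
JSON = "application/json"


class BadEmailParameter(ValueError):
    """The request did not carry exactly one well-formed address."""


def canonical_email(value: object) -> str:
    if not isinstance(value, str) or not EMAIL_RE.fullmatch(value):
        raise BadEmailParameter("email must be a single well-formed address")
    return value.lower()


def email_from_form(raw_body: str) -> str:
    """urlencoded body: exactly one `email` key with exactly one value (blocks HPP)."""
    values = parse_qs(raw_body, keep_blank_values=True).get("email", [])
    if len(values) != 1:
        raise BadEmailParameter("expected exactly one email parameter")
    return canonical_email(values[0])


def email_from_json(raw_body: str) -> str:
    """JSON body: `email` must be a string, never an array or object."""
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        raise BadEmailParameter("malformed JSON") from exc
    if not isinstance(body, dict) or not isinstance(body.get("email"), str):
        raise BadEmailParameter("email must be a JSON string")
    return canonical_email(body["email"])


def recipient_for_reset(submitted: str) -> Optional[str]:
    """Return the address on file for the account, or None when unknown.

    Mailing the stored address rather than the submitted string means that even
    if validation were loosened later, the reset email could not be redirected.
    """
    return submitted if submitted in ACCOUNTS else None


def classify(raw_body: str, content_type: str) -> Tuple[bool, str]:
    """(accepted, detail): the canonical address on success, the rejection reason otherwise."""
    try:
        address = email_from_json(raw_body) if content_type == JSON else email_from_form(raw_body)
    except BadEmailParameter as exc:
        return False, str(exc)
    return True, address


# The article's four payload shapes, with constructed victim/attacker addresses.
ARTICLE_PAYLOADS: Dict[str, Tuple[str, str]] = {
    "two parameters (HPP)": ("email=victim@example.com&email=attacker@example.net", FORM),
    "json array": ('{"email":["victim@example.com","attacker@example.net"]}', JSON),
    "comma separator": ("email=victim@example.com,attacker@example.net", FORM),
    "space separator": ("email=victim@example.com%20attacker@example.net", FORM),
    "pipe separator": ("email=victim@example.com|attacker@example.net", FORM),
    "crlf cc injection": ("email=victim@example.com%0a%0dcc:attacker@example.net", FORM),
}


def audit_payloads() -> Dict[str, bool]:
    """True for every payload the strict parser rejects."""
    return {name: not classify(body, ctype)[0] for name, (body, ctype) in ARTICLE_PAYLOADS.items()}
```

The two parsers are intentionally separate from the validation so the same `canonical_email` rule applies to both content types; a frequent cause of these bugs is a JSON path that was added later and never routed through the checks the form path had.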


10. Modify the response

Sometimes the redirect to the change-password step is controlled by the front end. If the content of the response is changed to the "correct" content, for example by changing the status code in the response, the restriction can be bypassed and the flow jumps to the change-password step; if the permission check there is not strict, the user's password can be changed at will.
After entering the user name, the user must complete a security check. Enter any answer and the following is returned:

HTTP/1.1 401 Unauthorized
{"message":"unsuccessful","statusCode":403,"errorDescription":"Unsuccessful"}

Construct the "correct" response based on the one returned:

{"message":"success","statusCode":200,"errorDescription":"Success"}

Jump to the change-password interface and change the password.


The password turns out to have been changed successfully. If you change a password this way, you must check whether it really succeeded: on most sites nowadays the front-end check can be bypassed, but the password change ultimately fails.
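The reason this worked is that the server trusted the client to know whether the security question had been answered. The added example below (written for this article, not the original post's or any site's code) shows the server-side version of the flow: the only thing that marks a reset flow as verified is a correct answer processed on the server, and the change-password endpoint consults that flag and ignores anything the client claims. Editing the step-1 response in a proxy then changes only what the browser displays. The user record, the security answer and the flow-id format are constructed; the JSON bodies mirror the two responses quoted above.

```python
"""Server-side enforcement of the security-question step (section 10).

Added example, not from the original article. The user store, the answer and the
flow ids are constructed; the response bodies mirror those quoted in the article.
"""
import copy
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed user store: user -> security answer and current password.
USERS = {"alice": {"answer": "blue", "password": "old-password"}}

Response = Tuple[int, Dict[str, object]]


@dataclass
class ResetFlow:
    users: Dict[str, Dict[str, str]] = field(default_factory=lambda: copy.deepcopy(USERS))
    # flow_id -> (user, verified). Only answer_question() ever sets verified to True.
    _flows: Dict[str, Tuple[str, bool]] = field(default_factory=dict)

    def start(self, user: str) -> str:
        flow_id = secrets.token_urlsafe(16)
        self._flows[flow_id] = (user, False)
        return flow_id

    def answer_question(self, flow_id: str, answer: str) -> Response:
        """Step 1. Returns the article's two response shapes; records the result server-side."""
        flow = self._flows.get(flow_id)
        if flow is None:
            return 404, {"message": "unsuccessful", "statusCode": 404, "errorDescription": "Unknown flow"}
        user, _ = flow
        expected = self.users[user]["answer"]
        if hmac.compare_digest(expected.encode(), answer.encode()):
            self._flows[flow_id] = (user, True)
            return 200, {"message": "success", "statusCode": 200, "errorDescription": "Success"}
        return 401, {"message": "unsuccessful", "statusCode": 403, "errorDescription": "Unsuccessful"}

    def change_password(self, flow_id: str, new_password: str, client_claims_verified: bool = False) -> Response:
        """Step 2. `client_claims_verified` is accepted only to show that it is ignored."""
        user, verified = self._flows.get(flow_id, (None, False))
        if user is None or not verified:
            return 403, {"message": "unsuccessful", "statusCode": 403, "errorDescription": "Verification required"}
        self.users[user]["password"] = new_password
        del self._flows[flow_id]          # one password change per verified flow
        return 200, {"message": "success", "statusCode": 200, "errorDescription": "Password changed"}


def tampered_front_end_attempt() -> Dict[str, object]:
    """Reproduce the article's test: fake the step-1 response, then try step 2 anyway."""
    flow = ResetFlow()
    fid = flow.start("alice")
    status1, shown_to_browser = flow.answer_question(fid, "wrong answer")
    # The tester rewrites the response in the proxy; the server never sees this copy.
    shown_to_browser = {"message": "success", "statusCode": 200, "errorDescription": "Success"}
    status2, _ = flow.change_password(fid, "attacker-chosen", client_claims_verified=True)
    return {
        "step1_status": status1,
        "browser_sees": shown_to_browser["statusCode"],
        "step2_status": status2,
        "password_unchanged": flow.users["alice"]["password"] == "old-password",
    }


def legitimate_attempt() -> Dict[str, object]:
    flow = ResetFlow()
    fid = flow.start("alice")
    status1, _ = flow.answer_question(fid, "blue")
    status2, _ = flow.change_password(fid, "new-password")
    return {
        "step1_status": status1,
        "step2_status": status2,
        "password_changed": flow.users["alice"]["password"] == "new-password",
    }
```

The test the article describes (bypass the front end, then confirm whether the password really changed) is exactly what `tampered_front_end_attempt` automates; it is worth keeping as a regression test on any multi-step reset flow, because a later refactor that moves the "verified" decision into a client-visible field would make it fail.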

Summary

In fact, ideas keep emerging endlessly; this can only be regarded as the most basic set. I just hope you will not be blind and clueless when testing. Discovering clever tricks on top of the basic operations should be our pursuit.

Original site

Copyright notice
This article was written by [yggcwhat]; when reposting, please include a link to the original. Thank you.
https://yzsam.com/2022/189/202207072252240383.html