Forgot/Reset Password Test Cases

A brief note on all the tests you can try on forgot/reset password functionality


Last updated 4 years ago


1. Header Injection

Try the checks below while generating the reset password link.

Manipulating Host Header

If the application checks the original Host header, try bypassing the check by adding a second Host header:

Host: victim.com
Host: attacker.com

Adding Custom Headers to the Request

X-Forwarded-For: <attacker.com>
X-Forwarded-Host: <attacker.com>
X-Client-IP: <attacker.com>
X-Originating-IP: <attacker.com>

>Reference:
https://medium.com/bugbountywriteup/fun-with-header-and-forget-password-with-a-twist-af095b426fb2
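As an added example (not part of these notes), here is the server-side shape that leaves the Host-header checks above with nothing to find: the reset link is built from a configured canonical origin, and a request that carries no Host header, several of them, or one outside the allow-list is refused rather than reflected into the e-mail. The allow-list, the origin and the (name, value) header representation are assumptions made for the example.

```python
from urllib.parse import quote

# Constructed configuration: the only hosts this application answers for, and
# the origin that every e-mailed link is built from.
ALLOWED_HOSTS = {"victim.com", "www.victim.com"}
CANONICAL_ORIGIN = "https://victim.com"

# Headers a client can add freely; they must not influence the link unless a
# trusted reverse proxy is known to set them.
OVERRIDE_HEADERS = {"x-forwarded-host", "x-forwarded-for", "x-client-ip", "x-originating-ip"}


def resolve_request_host(headers):
    """Return the Host value if there is exactly one and it is allow-listed, else None.

    `headers` is a list of (name, value) pairs, so a request carrying two Host
    headers (the bypass attempt above) is visible and is rejected outright.
    """
    hosts = [value.strip().lower() for name, value in headers if name.lower() == "host"]
    if len(hosts) != 1:
        return None
    host = hosts[0].split(":", 1)[0]  # ignore an explicit port when comparing
    return host if host in ALLOWED_HOSTS else None


def override_headers_present(headers):
    """Detection helper: which host/IP override headers the request carries."""
    return sorted({name.lower() for name, _ in headers if name.lower() in OVERRIDE_HEADERS})


def build_reset_link(headers, token):
    """Build the password-reset URL, or return None for an untrusted request.

    The origin is the configured constant, never a value copied from the
    request, so even a request that passes the Host check cannot steer the
    link to another domain.
    """
    if resolve_request_host(headers) is None:
        return None
    return f"{CANONICAL_ORIGIN}/reset-password?token={quote(token, safe='')}"


if __name__ == "__main__":
    # Constructed requests mirroring the checks above.
    clean = [("Host", "victim.com")]
    doubled = [("Host", "victim.com"), ("Host", "attacker.com")]
    forwarded = [("Host", "victim.com"), ("X-Forwarded-Host", "attacker.com")]
    for label, hdrs in (("clean", clean), ("doubled", doubled), ("forwarded", forwarded)):
        print(label, build_reset_link(hdrs, "t0k3n"), override_headers_present(hdrs))
```

Logging the output of override_headers_present alongside refused requests gives a cheap detection signal: legitimate clients behind your own proxy never send X-Forwarded-Host with a foreign domain.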

2. IDN Homograph Attack [Unicode Normalization]

In this attack we take advantage of the fact that characters from different alphabets can look alike. For example, a regular user of example.com may be lured into clicking a link in which the Latin character 'a' has been replaced with the Cyrillic character 'а'.

Attack Scenario

  • Assume the victim has created an account with the email abc@gmail.com.

  • Now, as an attacker, while generating the reset password link, replace the character a in abc@gmail.com with a similar-looking letter from a different alphabet, such as á.

  • It is possible that, when the reset link is generated, the server fails to handle the replaced character and converts the address into a different string, e.g. abc@gmáil.com --> abc@xn--gmil-6na.com

  • The reset link will then be sent to abc@xn--gmil-6na.com

Real-Time Attack

  • Create an account with the email test@gmail.com.burpcollaborator.net

  • Now generate a reset password link for the email test@gmáil.com.burpcollaborator.net

  • Once you receive the password reset mail on Collaborator, look at the domain for any change in the replaced character.

>Reference:
https://i.blackhat.com/USA-19/Thursday/us-19-Birch-HostSplit-Exploitable-Antipatterns-In-Unicode-Normalization-wp.pdf
https://medium.com/bugbountywriteup/how-i-was-able-to-change-victims-password-using-idn-homograph-attack-587111843aff
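Added example (not from the notes): the server-side normalisation that closes the scenario above. Every submitted address is reduced to one canonical form (NFC, lower-cased domain, IDNA/punycode) before the account lookup, the mail goes only to the address stored at sign-up for the matched account, and domains containing non-ASCII or mixed-script letters are flagged for review. The account table and the flagging rules are assumptions for the example; the punycode form of gmáil.com is the one the notes show.

```python
import unicodedata


def canonical_email(address):
    """Return the address with its domain in lower-case ASCII (punycode) form.

    The split is on the last '@'. The local part is kept verbatim; the domain
    is NFC-normalised, lower-cased and IDNA-encoded, so 'abc@gmáil.com' turns
    into 'abc@xn--gmil-6na.com' and can no longer be confused with
    'abc@gmail.com' by a lookup that compares plain strings.
    """
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an e-mail address")
    domain = unicodedata.normalize("NFC", domain).lower()
    return f"{local}@{domain.encode('idna').decode('ascii')}"


def _scripts(text):
    """Unicode script names (LATIN, CYRILLIC, ...) of the letters in `text`."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0] for ch in text if ch.isalpha()}


def homograph_risk(address):
    """Reasons the domain of `address` deserves review; an empty list means none."""
    _, _, domain = address.rpartition("@")
    reasons = []
    if any(ord(ch) > 127 for ch in domain):
        reasons.append("non-ASCII characters in domain")
    scripts = _scripts(domain)
    if len(scripts) > 1:
        reasons.append("mixed scripts in domain: " + ", ".join(sorted(scripts)))
    return reasons


def account_for_reset(submitted_address, accounts):
    """Look up the account a reset request refers to.

    `accounts` maps canonical addresses (as stored at sign-up) to records. The
    mail must go to the stored address of the matched account, never to the
    address as typed into the reset form.
    """
    try:
        key = canonical_email(submitted_address)
    except (ValueError, UnicodeError):
        return None
    return accounts.get(key)


# Constructed user table, keyed by canonical address exactly as sign-up stored it.
ACCOUNTS = {"abc@gmail.com": {"id": 1, "email": "abc@gmail.com"}}

if __name__ == "__main__":
    for addr in ("abc@gmail.com", "abc@gm\u00e1il.com", "abc@ex\u0430mple.com"):
        print(addr, "->", canonical_email(addr), homograph_risk(addr), account_for_reset(addr, ACCOUNTS))
```

Running the same canonicalisation at sign-up and at reset time is the point: if the two code paths normalise differently, the lookup still matches one account while the mailer addresses another.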

3. Cryptography Attack

Case 1

  • Generate the reset link for an account and copy reset token from the link.

  • Check whether the token matches the format of any known hash algorithm.

Case 2

  • While generating reset links, use two aliases of an email address and compare the reset tokens to see which bits differ, e.g. test+1@gmail.com and test+2@gmail.com

    Note: Appending +sometext to your email address creates an alias of it; you will receive all the emails in your actual mailbox.

  • Check the reset token to see whether any public encoding library or weak encryption is used.

    Tool: Hashmash. Use the tool to generate a valid reset token by trying various combinations, e.g. [timestamp|email|timestamp]

>Reference:
https://www.notsosecure.com/hacking-crypto-fun-profit/
https://medium.com/bugbountywriteup/weak-cryptography-in-password-reset-to-full-account-takeover-fc61c75b36b9
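Added example (not from the notes, and not the Hashmash tool): a small analyzer for the Case 1 and Case 2 checks, meant to be run over tokens your own application has issued. It reports whether a token has the length and alphabet of a hex digest, whether it base64-decodes to readable text such as the e-mail address, estimates its per-character entropy, and counts the bits that differ between the tokens issued for two aliases. The sample tokens and the digest-length table are constructed.

```python
import base64
import math
from collections import Counter

# Hex digest lengths of common hash functions (constructed hint table; length
# alone is suggestive, not proof).
HEX_DIGEST_LENGTHS = {32: "MD5", 40: "SHA-1", 56: "SHA-224", 64: "SHA-256", 96: "SHA-384", 128: "SHA-512"}
HEX_CHARS = set("0123456789abcdefABCDEF")


def looks_like_hex_digest(token):
    """Name of the hash whose hex digest length the token matches, or None."""
    t = token.strip()
    if t and all(c in HEX_CHARS for c in t):
        return HEX_DIGEST_LENGTHS.get(len(t))
    return None


def try_base64(token):
    """Decoded text if the token is base64 (standard or URL-safe) of printable
    ASCII, else None. A token that decodes to an e-mail or a timestamp is
    encoded, not random."""
    t = token.strip()
    padded = t + "=" * (-len(t) % 4)  # restore padding a URL may have dropped
    try:
        raw = base64.b64decode(padded, altchars="-_", validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return None
    if raw and raw.isascii():
        text = raw.decode("ascii")
        if text.isprintable():
            return text
    return None


def shannon_entropy_bits(token):
    """Bits of entropy per character estimated from the token's own character
    frequencies (a sanity check, not a proof of randomness)."""
    counts = Counter(token)
    n = len(token)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def token_bytes(token):
    """Bytes behind a token: hex-decoded when it is pure hex, else raw UTF-8."""
    t = token.strip()
    if t and len(t) % 2 == 0 and all(c in HEX_CHARS for c in t):
        return bytes.fromhex(t)
    return t.encode("utf-8")


def differing_bits(token_a, token_b):
    """Number of bit positions in which two equal-length tokens differ.

    Tokens issued for test+1@... and test+2@... by a good generator differ in
    roughly half of their bits; a difference of a bit or two says the token is
    derived from the input, which is what the Case 2 check looks for."""
    a, b = token_bytes(token_a), token_bytes(token_b)
    if len(a) != len(b):
        raise ValueError("tokens differ in length; compare their structure first")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def analyze_token(token):
    """Summary dict of the checks above for one token."""
    return {
        "length": len(token),
        "hex_digest_of": looks_like_hex_digest(token),
        "base64_decodes_to": try_base64(token),
        "entropy_bits_per_char": round(shannon_entropy_bits(token), 2),
    }


if __name__ == "__main__":
    # Constructed tokens: base64 of the e-mail (weak) and an MD5-length hex string,
    # then the tokens for two aliases compared bit by bit.
    for tok in ("dGVzdCsxQGdtYWlsLmNvbQ==", "d41d8cd98f00b204e9800998ecf8427e"):
        print(tok, analyze_token(tok))
    print("bits differing between alias tokens:",
          differing_bits("dGVzdCsxQGdtYWlsLmNvbQ==", "dGVzdCsyQGdtYWlsLmNvbQ=="))
```

A token that decodes, or whose alias pair differs in a single bit, fails the check regardless of its length; the entropy figure only helps to spot tokens drawn from a tiny alphabet.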

4. Token Disclosure in Request/Response

While generating a password reset link, always look at the request and its response for any disclosure of the reset token. The token may also be hard-coded somewhere in JS or disclosed in other requests/responses; to identify this, follow the steps below (quoted from @hakluke):

  • Set up Burp Suite in browser-1.

  • Do a password reset request in browser-1.

  • Open the password reset email in browser-2 and copy the token.

  • Search your Burp history for the token.
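Added example (not from the notes): the history search from the steps above as a script over captured exchanges, so the same check can run against exported proxy history after every release. The {request, response} dict shape, the path of the legitimate reset page and the sample history (with a deliberate leak in a debug field of the JSON response) are constructed for the example; the token is searched raw, URL-encoded and JSON-escaped.

```python
import json
from urllib.parse import quote


def token_variants(token):
    """Encodings under which a token may show up in captured traffic."""
    return {
        "raw": token,
        "url-encoded": quote(token, safe=""),
        "json-escaped": json.dumps(token)[1:-1],
    }


def _request_path(request_text):
    """Path of the request line ('GET /x HTTP/1.1' -> '/x'), or '' if absent."""
    first = request_text.split("\n", 1)[0]
    parts = first.split(" ")
    return parts[1] if len(parts) >= 2 else ""


def find_token_leaks(token, exchanges, expected_path="/reset-password"):
    """Every place the token appears where it should not.

    `exchanges` is a list of {'request': str, 'response': str} dicts, the shape
    of a proxy history. The one legitimate carrier of the token is the request
    the user sends when following the e-mailed link, so requests whose path
    starts with `expected_path` are skipped; everything else that contains the
    token, in any of the encodings above, is reported as (index, part, form).
    """
    hits = []
    variants = token_variants(token)
    for i, exchange in enumerate(exchanges):
        for part in ("request", "response"):
            text = exchange.get(part, "")
            if part == "request" and _request_path(text).startswith(expected_path):
                continue
            for form, needle in variants.items():
                if needle in text:
                    hits.append((i, part, form))
                    break  # one hit per request/response is enough
    return hits


# Constructed proxy history: the forgot-password call leaks the token in a
# debug field of its JSON response; the browser-2 request that follows the link
# is legitimate; a static script never mentions it.
TOKEN = "n0tR4nd0m+t0k3n/ex=="
SAMPLE_EXCHANGES = [
    {
        "request": "POST /forgot-password HTTP/1.1\r\nHost: victim.com\r\n\r\nemail=victim%40gmail.com",
        "response": "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
                    '{"status":"sent","debug":{"reset_token":"' + TOKEN + '"}}',
    },
    {
        "request": "GET /reset-password?token=" + quote(TOKEN, safe="") + " HTTP/1.1\r\nHost: victim.com\r\n\r\n",
        "response": "HTTP/1.1 200 OK\r\n\r\n<form>...</form>",
    },
    {
        "request": "GET /static/app.js HTTP/1.1\r\nHost: victim.com\r\n\r\n",
        "response": "HTTP/1.1 200 OK\r\n\r\nconsole.log('no secrets here');",
    },
]

if __name__ == "__main__":
    print(find_token_leaks(TOKEN, SAMPLE_EXCHANGES))
```

Any hit outside the reset page itself is a finding: a token that is readable in a response or a referer is a token an attacker on the same session path can read too.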

5. Tampering User Identification Parameter

  • Generate password reset link for any user account.

  • Access the link, feed the password, and submit the form.

  • Capture the request and look for an injection point: an email address or other unique identification parameter that decides whose password gets updated.

6. Email Tampering

While generating the reset link for the victim user, you can try the injections below to get the reset link delivered to the attacker's email.

#Parameter Pollution
email=victim@gmail.com&email=attacker@gmail.com

#CRLF and SMTP Injection
email=victim@gmail.com%0a%0dcc:attacker@gmail.com

#Multiple Values in JSON Body
{"email":["victim@gmail.com","attacker@gmail.com"]}

#Using Separators
email=victim@gmail.com,attacker@gmail.com
email=victim@gmail.com|attacker@gmail.com
email=victim@gmail.com%20attacker@gmail.com
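Added example (not from the notes): a request parser that refuses every payload in this section. A form body must carry the email parameter exactly once, a JSON body must carry a single string, and the value must match a conservative address pattern with no control characters, spaces or separators. The pattern and the error type are assumptions; the payloads audited are the ones listed above.

```python
import json
import re
from urllib.parse import parse_qs

# Deliberately conservative address syntax (constructed): one local part, one
# dotted domain, no spaces, commas, pipes or control characters anywhere.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


class BadEmailParameter(ValueError):
    """Raised when the request does not carry exactly one well-formed address."""


def validate_email(value):
    if not isinstance(value, str):
        raise BadEmailParameter("email must be a single string")
    if any(ord(c) < 32 or ord(c) == 127 for c in value):
        raise BadEmailParameter("control characters in email (CRLF / header injection)")
    if len(value) > 254 or not EMAIL_RE.fullmatch(value):
        raise BadEmailParameter("malformed email")
    return value


def email_from_form(body):
    """One address from a urlencoded body; a repeated parameter is an error."""
    values = parse_qs(body, keep_blank_values=True).get("email", [])
    if len(values) != 1:
        raise BadEmailParameter(f"expected exactly one email parameter, got {len(values)}")
    return validate_email(values[0])


def email_from_json(body):
    """One address from a JSON body; arrays and objects are an error."""
    try:
        data = json.loads(body)
    except ValueError as exc:
        raise BadEmailParameter("body is not JSON") from exc
    if not isinstance(data, dict):
        raise BadEmailParameter("JSON body must be an object")
    return validate_email(data.get("email"))


def rejects(parser, body):
    """True if `parser` refuses `body`; used to audit the payloads from this section."""
    try:
        parser(body)
    except BadEmailParameter:
        return True
    return False


# The payloads from this section, as constructed request bodies.
FORM_PAYLOADS = [
    "email=victim@gmail.com&email=attacker@gmail.com",
    "email=victim@gmail.com%0a%0dcc:attacker@gmail.com",
    "email=victim@gmail.com,attacker@gmail.com",
    "email=victim@gmail.com|attacker@gmail.com",
    "email=victim@gmail.com%20attacker@gmail.com",
]
JSON_PAYLOADS = ['{"email":["victim@gmail.com","attacker@gmail.com"]}']


def audit():
    """Map each payload to whether the parser rejected it (all should be True)."""
    results = {body: rejects(email_from_form, body) for body in FORM_PAYLOADS}
    results.update({body: rejects(email_from_json, body) for body in JSON_PAYLOADS})
    return results


if __name__ == "__main__":
    for body, rejected in audit().items():
        print("rejected" if rejected else "ACCEPTED", body)
    print(email_from_form("email=victim%40gmail.com"), email_from_json('{"email":"victim@gmail.com"}'))
```

The parser deliberately validates the decoded value, not the raw body: %0a%0d and %20 only become a newline and a space after form decoding, which is also the form the mailer would see.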

7. Reset Link Expiration

Check whether the link expires once it has been used.
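Added example (not from the notes) covering this section together with sections 3 and 5: a reset-token service in which tokens are 256 random bits from the OS CSPRNG (nothing in them derives from the e-mail or the time), only their SHA-256 is stored, each token is single-use, is bound to the user recorded at issue time rather than to anything the reset form submits, is revoked when a newer one is issued, and expires after a constructed 15-minute TTL. The in-memory store, the injectable clock and the PBKDF2 parameters are assumptions for the example.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # constructed policy: a link is dead 15 minutes after issue
PBKDF2_ROUNDS = 100_000      # constructed; tune to your hardware


def _token_hash(token):
    """Only this digest is stored; the table then cannot be turned into links."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class PasswordResetService:
    """In-memory stand-in for the reset-token table and the user table."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._tokens = {}     # token hash -> {"user_id", "expires_at", "used"}
        self.passwords = {}   # user_id -> (salt, pbkdf2 digest)

    def issue(self, user_id):
        """Create a fresh token for `user_id`, revoking any earlier live one.

        secrets.token_urlsafe(32) draws 256 bits from the OS CSPRNG, so the
        token carries nothing derived from the user, the e-mail or the time,
        which is what the Cryptography Attack cases probe for.
        """
        for record in self._tokens.values():
            if record["user_id"] == user_id:
                record["used"] = True
        token = secrets.token_urlsafe(32)
        self._tokens[_token_hash(token)] = {
            "user_id": user_id,
            "expires_at": self._clock() + TOKEN_TTL_SECONDS,
            "used": False,
        }
        return token

    def consume(self, token, new_password, submitted_params=None):
        """Set a new password for the token's owner; returns that user_id or None.

        The target account is taken from the stored record only. Whatever
        email or user_id the form also submits (section 5) is accepted as an
        argument purely to make the point: it is never read. A record is
        usable once and only before `expires_at` (section 7); it is marked
        used before the password is written so a replay cannot succeed.
        """
        record = self._tokens.get(_token_hash(token))
        if record is None or record["used"] or self._clock() > record["expires_at"]:
            return None
        record["used"] = True
        user_id = record["user_id"]
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode("utf-8"), salt, PBKDF2_ROUNDS)
        self.passwords[user_id] = (salt, digest)
        return user_id

    def verify_password(self, user_id, password):
        stored = self.passwords.get(user_id)
        if stored is None:
            return False
        salt, digest = stored
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
        return secrets.compare_digest(digest, candidate)


if __name__ == "__main__":
    svc = PasswordResetService()
    tok = svc.issue("user-42")
    print("token:", tok)
    print("first use ->", svc.consume(tok, "correct horse", {"email": "attacker@gmail.com"}))
    print("second use ->", svc.consume(tok, "another", {}))
```

Re-running the checks from sections 3, 5 and 7 against this design: the token has no hash shape and no recoverable structure, alias accounts get unrelated tokens, the form's email field changes nothing, and the second use of a link fails.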

Thanks for reading :)

Follow me on twitter for more notes: @0xAyub