Forgot/Reset Password Test Cases
A brief note on all the tests you can try on forgot/reset password functionality
1. Header Injection
Try the checks below while generating the reset-password link:
Manipulating the Host header
If there are any checks on the original Host header, try bypassing them by adding another Host value
Adding a custom header to the request
>Reference: https://medium.com/bugbountywriteup/fun-with-header-and-forget-password-with-a-twist-af095b426fb2
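The defensive counterpart to the three Host-header checks above, added here as an example that is not part of the original post: the reset link is built only from server-side configuration, and the request's Host and X-Forwarded-Host values are compared against an allow-list before any link is generated. `BASE_URL`, `ALLOWED_HOSTS`, the header names checked and the plain-dict shape of `headers` are assumptions for the example.

```python
from urllib.parse import urlencode

BASE_URL = "https://app.example.com"   # assumed: fixed, server-side configuration
ALLOWED_HOSTS = {"app.example.com"}    # assumed: every hostname this application serves


def build_reset_link(token: str) -> str:
    """Absolute reset URL built from configuration only, never from request headers.

    Whatever Host or X-Forwarded-Host value the request carried, the link that
    reaches the user's inbox points at BASE_URL.
    """
    return f"{BASE_URL}/reset-password?{urlencode({'token': token})}"


def _hostnames(header_value: str):
    """Yield lowercase hostnames (ports stripped) from a comma-separated header value."""
    for part in header_value.split(","):
        part = part.strip().lower()
        if part:
            # 'host:port' has exactly one colon; leave IPv6 literals alone
            yield part.rsplit(":", 1)[0] if part.count(":") == 1 else part


def host_headers_trusted(headers: dict) -> bool:
    """True only if Host and every X-Forwarded-Host value is on the allow-list.

    An injected X-Forwarded-Host, or a Host header padded with a second value,
    fails the check, so the request can be refused or logged instead of the
    untrusted hostname ending up in an outgoing link. Any other header the
    deployment's proxy or framework honours for URL building belongs in the
    same check.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    host = lowered.get("host")
    if not host:
        return False
    seen = list(_hostnames(host)) + list(_hostnames(lowered.get("x-forwarded-host", "")))
    return all(h in ALLOWED_HOSTS for h in seen)
```

The allow-list check is a detection point as much as a mitigation: a request whose Host or X-Forwarded-Host falls outside `ALLOWED_HOSTS` is worth logging, because legitimate clients behind a correctly configured proxy never send one.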
2. IDN Homograph Attack [Unicode Normalization]
In this attack, we take advantage of the fact that different characters look alike across alphabets. For example, a regular user of example.com may be lured to click a link where the Latin character 'a' is replaced with the Cyrillic character 'а'.
Attack Scenario
Assume the victim has created an account with the email abc@gmail.com.
Now, as an attacker, while generating the reset-password link, replace the character 'a' in abc@gmail.com with a similar letter from a different alphabet, like 'á'. There is a possibility that, at reset-link generation time, if the server fails to understand the replaced character, it converts the address into a different string.
ex: abc@gmáil.com --> abc@xn--gmil-6na.com
The reset link will then be sent to abc@xn--gmil-6na.com
Real-Time Attack
Create an account with the email test@gmail.com.burpcollaborator.net.
Now generate a reset-password link for the email test@gmáil.com.burpcollaborator.net.
Once you receive password reset mail over collaborator, look at the domain for any changes in replaced character.
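What the conversion above looks like in code, and how a reset flow avoids it, added here as an example that is not part of the original post: Python's `idna` codec turns `gmáil.com` into exactly the `xn--gmil-6na.com` form shown above, so the submitted address is canonicalised first, looked up, and the mail is sent to the address stored at registration rather than to whatever string the request contained. The `USERS` store and the lowercase-local-part matching policy are constructed for the example.

```python
import unicodedata

# Constructed user store: the address each account registered with.
USERS = {"abc@gmail.com": {"id": 1, "email": "abc@gmail.com"}}


def canonical_email(addr: str) -> str:
    """Return user@domain with the domain in its ASCII (IDNA) form.

    A look-alike domain such as gmáil.com becomes xn--gmil-6na.com, so it can
    no longer be confused with gmail.com when the account is looked up.
    """
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("expected exactly one user@domain address")
    domain = unicodedata.normalize("NFKC", domain).encode("idna").decode("ascii").lower()
    return f"{local.lower()}@{domain}"   # lowercase local part: matching policy for this example


def has_idn_domain(addr: str) -> bool:
    """True when the domain contains characters that change under IDNA encoding.

    Useful as a logging signal: a reset request for a registered ASCII address
    arriving with a non-ASCII domain is worth recording.
    """
    domain = addr.rpartition("@")[2]
    return domain.encode("idna").decode("ascii").lower() != domain.lower()


def reset_recipient(submitted: str):
    """Return the stored address the reset mail may be sent to, or None.

    Only the address on file is ever returned; the submitted string is used
    for the lookup and nowhere else.
    """
    try:
        canon = canonical_email(submitted)
    except (ValueError, UnicodeError):
        return None
    user = USERS.get(canon)
    return user["email"] if user else None
```

With this in place, `abc@gmáil.com` canonicalises to `abc@xn--gmil-6na.com`, matches no account, and no mail is sent at all; a product that does want to accept internationalised addresses should store them in the same canonical form at registration so the comparison stays exact.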
3. Cryptography Attack
Case 1
Generate the reset link for an account and copy reset token from the link.
Check whether it matches any known hash algorithm.
Use the Hashmash tool to generate a valid reset token by trying various combinations.
ex: [timestamp|email|timestamp]
Case 2
While generating reset links, use two aliases of one email and compare which bits differ between the two reset tokens.
ex: test+1@gmail.com and test+2@gmail.com
Note: If you append +sometext to your email, it creates an alias of your email, and you will receive all its mail in your actual inbox.
Check the reset token and try to see if any public encoding library or weak encryption is used.
>Reference: https://www.notsosecure.com/hacking-crypto-fun-profit/
4. Token Disclosure in Request/Response
While generating a password reset link, always look at the request and its response for any reset token disclosure.
What if the reset token is hard-coded somewhere in JS, or disclosed in other requests/responses? To identify this, follow the steps below, quoted from @hakluke:
Set up Burp Suite in browser-1.
Do a password reset request in browser-1.
Open the password reset email in browser-2 and copy the token.
Search your Burp history for the token.
5. Tampering User Identification Parameter
Generate password reset link for any user account.
Access the link, enter the new password, and submit the form.
Capture the request and look for any injection point: an email or other unique identification parameter that determines which user's password will be updated.
6. Email Tampering
While generating the reset link for the victim user, you can try the injections below to get the reset link delivered to the attacker's email.
7. Reset Link Expiration
Check whether the link expires once it has been used.
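One token lifecycle that closes off sections 3, 4, 5 and 7 at once, added here as an example that is not part of the original post: the token is random rather than derived from email or timestamp (so there are no bits to compare between aliases and nothing for a hash-guessing tool to reconstruct), only its hash is stored, the HTTP response never carries it, the user whose password changes is taken from the token record and not from any form field, and the record is single-use with a fixed lifetime. `TOKEN_TTL_SECONDS`, the in-memory `USERS` and `RESET_TOKENS` stores and the PBKDF2 parameters are assumptions for the example.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumed policy: a reset link is valid for 15 minutes

# Constructed in-memory stores standing in for database tables.
USERS = {"alice@example.com": {"id": 1, "password_hash": None}}
RESET_TOKENS = {}   # sha256(token) -> {"user_id": ..., "expires": ..., "used": ...}


def _digest(token: str) -> str:
    # Only the hash is stored: a leaked table does not yield redeemable tokens,
    # and the lookup key is not something the submitter chooses directly.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email: str, now=None):
    """Issue a reset token for an account.

    Returns (message, token_for_mailer). The message is the entire HTTP
    response body, identical for known and unknown addresses; the token is
    handed only to the mailer, so it never appears in a request or response
    that the person submitting the form can read.
    """
    now = time.time() if now is None else now
    message = "If that address is registered, a reset link has been sent."
    user = USERS.get(email.strip().lower())
    if user is None:
        return message, None
    token = secrets.token_urlsafe(32)   # 256 random bits, unrelated to email or time
    RESET_TOKENS[_digest(token)] = {
        "user_id": user["id"],
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return message, token


def consume_reset(token: str, new_password: str, now=None) -> bool:
    """Set a new password for the user the token is bound to.

    The user comes from the token record only; no email or user id from the
    submitted form is consulted, so there is no identification parameter to
    tamper with. Returns False for unknown, already used or expired tokens.
    """
    now = time.time() if now is None else now
    record = RESET_TOKENS.get(_digest(token))
    if record is None or record["used"] or now > record["expires"]:
        return False
    record["used"] = True   # single use: submitting the same link again fails
    user = next(u for u in USERS.values() if u["id"] == record["user_id"])
    salt = secrets.token_bytes(16)
    user["password_hash"] = salt + hashlib.pbkdf2_hmac(
        "sha256", new_password.encode(), salt, 600_000)
    return True
```

Two details are easy to get wrong in a real implementation: the "token not found" and "token expired" paths should behave identically from the outside, and the expiry check has to happen at redemption time, since a link that was valid when the mail went out may be hours old by the time it is clicked.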
Thanks for reading :)
Follow me on twitter @0xAyub for more notes