search

Forgot/Reset Password Test Cases

A brief note on all the tests you can try on forgot/reset password functionality

hashtag
1. Header Injection

Do try below checks while generating reset password link

hashtag
Manipulating Host Header

If there is any checks on original host header try bypassing it by adding another host value

Host: victim.com
Host: attacker.com

hashtag
Padding Custom Header to Request

X-Forwarded-For: <attacker.com> 
X-Forwarded-Host: <attacker.com>
X-Client-IP: <attacker.com>
X-Originating-IP: <attacker.com>

>Reference: https://medium.com/bugbountywriteup/fun-with-header-and-forget-password-with-a-twist-af095b426fb2arrow-up-right

hashtag
2. IDN Homograph Attack [Unicode Normalization]

In this attack, we are taking advantage of the fact that different characters look a like in a different alphabet For example, a regular user of example.com may be lured to click a link where the Latin character 'a' is replaced with the Cyrillic character 'а'.

hashtag
Attack Scenario

  • Assume victim has been created an account with email abc@gmail.com

  • Now as an attacker while generating reset password replace character a in abc@gmail.comwith a similar letter from different alphabets like á.

  • There are the possibilities that, at the time of reset link generation if server fails to understand the replaced character it may convert it into different string ex: abc@gmáil.com --> abc@xn—gmil-6na.com

  • Then Reset link will be sent to abc@xn-gmil-6na.com

hashtag
Real-Time Attack

  • Create an account with email test@gmail.com.burpcollaborator.net

  • Now generate reset password link for email test@gmáil.com.burpcollaborator.net

  • Once you receive password reset mail over collaborator, look at the domain for any changes in replaced character.

>Reference: https://i.blackhat.com/USA-19/Thursday/us-19-Birch-HostSplit-Exploitable-Antipatterns-In-Unicode-Normalization-wp.pdfarrow-up-right

>Reference: https://medium.com/bugbountywriteup/how-i-was-able-to-change-victims-password-using-idn-homograph-attack-587111843affarrow-up-right

hashtag
3. Cryptography Attack

hashtag
Case 1

  • Generate the reset link for an account and copy reset token from the link.

  • Check whether it is matching with any hash algorithm.

  • Use the Hashmash arrow-up-righttool to generate valid reset token by trying various combinations.ex: [timestamp|email|timestamp]

hashtag
Case 2

  • While generating reset links, use two aliases of an email and try to see what bits are different in the reset token. ex: test+1@gmail.com and test+2@gmail.com

    Note: If you append a +sometext to your email, it actually creates an alias of your email and you will receive all the emails on your actual email

  • Check Reset token and try to see if any public encoding library/weak encryption is used.

>Reference: https://www.notsosecure.com/hacking-crypto-fun-profit/arrow-up-right

>Reference: https://medium.com/bugbountywriteup/weak-cryptography-in-password-reset-to-full-account-takeover-fc61c75b36b9arrow-up-right

hashtag
4. Token Disclosure in Request/Response

While generating a password link always look at the request and its response for any reset token disclosure.

What if reset token is hard coded somewhere in js or if it disclosed in other requests/response, to identify the same follow below steps quoted by @haklukearrow-up-right

  • Set up burp suite in browser-1.

  • Do a password reset request in browser-1.

  • Open the password reset email in browser-2 and copy the token.

  • Search your Burp history for the token.

hashtag
5. Tampering User Identification Parameter

  • Generate password reset link for any user account.

  • Access the link, feed the password, and submit the form.

  • Capture the request and observe for any injection point, if there is an email or any unique identification parameter for which the user's password will be updated.

hashtag
6. Email Tampering

While generating reset link for victim user, you can try below injections to get reset link on attacker email.

hashtag
7. Reset Link Expiration

Check whether the link is getting expired or not, once it is used.

Thanks for reading:)

Follow me on twitter @0xAyubarrow-up-right for more notes

NextApproaching GraphQL End Points

Last updated