Resetting User Passwords
Some apps send the password by email
- Sending the user's password in clear text should not be possible if passwords are stored securely (hashed, not recoverable)
- Sending passwords over insecure channels can be exploited via a man-in-the-middle attack
- Many users sync their email across multiple devices, increasing the attack surface
Resetting Passwords via URL
- Less secure implementations use a URL with an easily guessable parameter: http://vulnerable-website.com/reset-password?user=victim-user
- Better practice is to generate a high-entropy, hard-to-guess token and build the URL from it: http://vulnerable-website.com/reset-password?token=a0ba0d1cb3b63d13822572fcff1a241895d893f659164d4cc550b421ebdd48a8
  § Some websites still fail to validate the token so an attacker can visit the
  § Some websites also generate tokens based on time or sequentially... This means you can try to guess the token value. (Ex: reset your own password and the very next second reset the victim's password. If your reset link is e.g. .com/reset/54349878/, the victim's reset link could be .com/reset/54349879)
- Exploitation example
- Exploit steps
  - With Burp running, click the Forgot your password? link and enter your own username.
  - Click the Email client button to view the password reset email that was sent. Click the link in the email and reset your password to whatever you want.
  - In Burp, go to Proxy > HTTP history and study the requests and responses for the password reset functionality. Observe that the reset token is provided as a URL query parameter in the reset email. Notice that when you submit your new password, the POST /forgot-password?temp-forgot-password-token request contains the username as a hidden input. Send this request to Burp Repeater.
  - In Burp Repeater, observe that the password reset functionality still works even if you delete the value of the temp-forgot-password-token parameter in both the URL and request body. This confirms that the token is not being checked when you submit the new password.
  - In the browser, request a new password reset and change your password again. Send the POST /forgot-password?temp-forgot-password-token request to Burp Repeater again.
  - In Burp Repeater, delete the value of the temp-forgot-password-token parameter in both the URL and request body. Change the username parameter to carlos. Set the new password to whatever you want and send the request.
  - In the browser, log in to Carlos's account using the new password you just set. Click My account to solve the lab.
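The two weaknesses these notes describe (a predictable or unchecked token, and a POST handler that trusts a hidden username field) are both closed by the same server-side design: mint a random token, store only its hash with an expiry, re-validate it when the new password is submitted, and derive the account from the token rather than from the form. The following is an added example written for these notes, not code from the lab or from any real application; the in-memory stores, the host `example.com`, the 15-minute lifetime and the `victim-user`/`carlos` sample accounts are constructed. The flawed handler is included only for contrast, so the difference in behaviour is visible side by side.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class ResetRecord:
    username: str
    expires_at: float
    used: bool = False


# Hypothetical in-memory stores standing in for the application's database.
# Reset records are keyed by the SHA-256 of the token, so a leaked table
# does not yield usable reset links.
_users: Dict[str, str] = {}                 # username -> "salt$pbkdf2-hash"
_reset_store: Dict[str, ResetRecord] = {}   # sha256(token) -> record
TOKEN_TTL_SECONDS = 15 * 60                 # assumed lifetime of a reset link


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def _set_password(username: str, password: str) -> None:
    """Store salt$hash with PBKDF2-HMAC-SHA256; the clear text is never kept."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    _users[username] = f"{salt.hex()}${digest.hex()}"


def verify_password(username: str, password: str) -> bool:
    stored = _users.get(username)
    if stored is None:
        return False
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def issue_reset_token(username: str, now: Optional[float] = None) -> str:
    """Mint a random, single-use, expiring token and record only its hash.

    secrets.token_urlsafe(32) draws 256 bits from the OS CSPRNG, so tokens are
    neither sequential nor clock-derived: a token issued for one account says
    nothing about the token issued a second later for another.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _reset_store[_hash_token(token)] = ResetRecord(username, now + TOKEN_TTL_SECONDS)
    return token


def build_reset_url(token: str) -> str:
    # The token alone identifies the request; no username appears in the link.
    return f"https://example.com/reset-password?token={token}"


def complete_reset(token: str, new_password: str, now: Optional[float] = None) -> Optional[str]:
    """Handle the POST that submits the new password.

    The token is validated again here, not only when the link was first
    opened, and the account to change is looked up from the token, so there
    is no username field to tamper with. Returns the username or None.
    """
    now = time.time() if now is None else now
    if not token:                          # empty or missing token fails closed
        return None
    record = _reset_store.get(_hash_token(token))
    if record is None or record.used or now > record.expires_at:
        return None
    record.used = True                     # single use: a replayed link is rejected
    _set_password(record.username, new_password)
    return record.username


def vulnerable_complete_reset(username: str, token: str, new_password: str) -> Optional[str]:
    """The flawed handler pattern the notes describe, kept only for contrast.

    Flaw 1: the token is checked only if one was supplied, so an emptied
    parameter skips validation. Flaw 2: the account comes from a hidden field.
    """
    if token and _hash_token(token) not in _reset_store:
        return None
    _set_password(username, new_password)
    return username


if __name__ == "__main__":
    _set_password("victim-user", "original-secret")   # constructed sample account
    print("reset link:", build_reset_url(issue_reset_token("victim-user")))
    print("hardened handler accepts empty token?", complete_reset("", "x") is not None)
    print("flawed handler accepts empty token?", vulnerable_complete_reset("carlos", "", "x") is not None)
```

The detection side follows from the same design: a reset POST arriving with an empty, unknown, expired or already-used token is a hard failure worth logging, and a high rate of such failures against distinct accounts is the signature of someone probing the flow.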