- Header Poisoning
- Password Reset Token Filter Bypass
- Email Parameter Manipulation
- Password Token Referral Header Leak
- Check List
The following document outlines some key techniques used when assessing password reset function on modern web application and API’s, a useful resource for bug bounty hunters and penetration testers when performing password reset security testing.
Host: Header Injection Password Reset URL
The following headers can be modified in an attempt to modify the password reset token URL to an attacker controlled domain. Potentially allowing an attacker to obtain the reset token when a user clicks the link to perform a password reset.
Potential Vulnerable Headers
Host Header Password Reset
Replace the Host: header with a server you control.
Double Host Header
Often when you modify the Host header the application, or WAF fails to the process the request, a technique which can potentially bypass this filter if to simply add a second Host header to the request.
Add an attacker controlled domain in the X-forwarded-Host header directive.
- Perform a password reset normally, and modify the host header with a different url
- Check the email sent by the application has the test url, not the applications url
- Replace vulnerable header with the attacker controlled domain
- Send the request
- Wait for the victim to click reset link (or show PoC to a second account)
- Exatract the token from the webserver logs you control
- Use the extracted token to take over the user account
Password Reset Token Filter Bypass
If the app is built on ruby, try adding a .json extension to the end of the password reset URL. In certain circumstances ACL bugs may exist, adding the extension could potentially bypass any additional layers of protection the application has in in place.
- Add a .json to the reset token
- Observe the applications response to see if the
Email Parameter Manipulation
Password Change Functions
Intercept & Change the Email
- Interecept the request, and replace the email address to one that you control
Password Reset Functons
Add Second Email
Vulnerable applications can be manipulated to send password reset codes to multiple email addresses.
- Interecept the request, and add a second email address to the request
Modify the parameter matching the applications format, example:
Match the API Request Schema
Match the application / API's request formatting when adding the additional email address.
Password Token Referral Header Leak
Vulnerable applications leak the password reset URL via the referal header.
Assess the target using an intercepting proxy to identify if the referral header leaks the token through the referral header.
- Host Header Injection Password Reset Function
- Double Host Header Injection Password Reset Function
- X-Forwarded-Host Header Injection Password Reset Function
- Email Parameter Manipulation add attacker controller second email address