Account takeover through password reset
2021-05-25 17:10:33 Author: infosecwriteups.com(查看原文) 阅读量:131 收藏

Hello Everyone,

I’m Omar Hamdy (Seaman), Today I am going to explain one of the coolest bugs which I found on Private Program in Bugcrowd

Let’s Start,

I had a private program, let’s call it redacted.com, After a while of reconnaissance the program, I began to examine the password reset function, Usually I look for vulnerabilities like (ATO, Host Header injection)

Simply, When the user wants to reset his password, he enters his first & last name and e-mail. A password reset link will be sent to his email.

I requested a password reset for my account and then intercepted the request (via Zap proxy) to examine it closely.

I found the request as this :

And the password reset link is :

https://redacted.com/Reset?token=04294876770750

So far nothing exciting, I used the link, changed my password and Intercepted the Request, Here I found something very interesting.

I found the request as this :

If you look at this request, you will find the token used to reset the password, it is the same existing token that is sent when the user requests to reset his password

From here I had the ability to take over any account I wanted by changing the victim’s password

Steps To Reproduce :

1- Request to reset the password of the victim’s account and block the request with Burpsuite.

2- You will find the token that you will use to reset the victim’s password.

3- Request a password reset for your account, then use the password reset link, change your password and Intercept the request via Burpsuite.

4- You will found the request as this :

5- Replace your token with the victim’s token, and the victim’s password will be successfully changed.


文章来源: https://infosecwriteups.com/account-takeover-through-password-reset-82adc0c19248?source=rss----7b722bfd1b8d--bug_bounty
如有侵权请联系:admin#unsafe.sh