Hello guys, this is Imran Parray and today we will be learning how to test password reset functionality in web applications. As we all know, password resetting is a critical process which can lead to account takeover if it is not properly implemented.
Password Reset Process:
This process can be implemented in three different ways:
1-Password Reset Tokens
2-Generating New Passwords
3-Secret Questions
All of these implementations have their own pros and cons. So let's get started and discuss them one by one.
1-Password Reset Tokens
In this process the user visits the password reset page, enters his email and gets a reset token/link in his email inbox.
2-Generating New Password
This process is simple. The user visits the reset password section of the web application, enters his/her email and receives a new password via email.
3- Secret Questions
This is the least secure implementation of password reset functionality, in which the user is asked to enter the answers to some simple/common questions like
- What was the name of your first school?
- What is your mother's maiden name?
So what are the bugs that can be found in password reset functionalities?
1-Leaking of Password Reset Token
2-IDOR - [Insecure Direct Object Reference]
3-Insecure Session Management
4-Weakness in the Life-cycle of the Password Reset Process
5-User Enumeration
Let's discuss them one by one.
1- Leaking of Password Reset Token Over Insecure Channel
Let's suppose the user visits the reset page and enters his email, and the token/link is sent to his email:
http://www.example.com/reset.php?token=12345
As you can see, here they are using HTTP, not HTTPS, for transporting the sensitive token to the web server, so anyone on the network path can read the token.
Fix:
http://www.example.com/reset.php?token=12345 ---[Insecure]
https://www.example.com/reset.php?token=12345 ---[Secure]
2- Leaking of Password Reset Token Via Referer Header
Let's suppose the user visits the reset page and enters his email, and the token/link is sent to his email.
But now, when the user clicks the link and loads the reset.php page in his browser, an image on the reset page is loaded from some third-party web server, so the browser sends the HTTP request for the image with the header [ Referer: http://www.example.com/reset.php?token=12345 ]. So now the third-party image hosting server knows the reset token of the user.
Fix:
- Don't fetch images from external resources
- Host them on your own server
- Note: a Referrer-Policy: no-referrer header on the reset page also stops the browser from sending the Referer at all, which covers any third-party resource you missed
3-IDOR in Password Reset Functionality
Let's again revise the workflow of the reset functionality from the server-side perspective:
User asks for a password reset
|
|
\/
Password reset link is sent to his email
|
|
\/
User clicks the password reset link
|
|
\/
Server checks the token validity
|
|
\/
If the token is wrong, an Access Denied message is shown
|
|
\/
If the token is right, the server checks the userId in the request
|
|
\/
reset.php page is loaded to change the password of the user whose userid is in the URL
|
|
\/
User successfully changes his password
Now let's suppose the attacker visits the reset page and enters his email, and the token/link is sent to his email:
http://www.example.com/reset.php?userid=121&token=12345
As you can see, we have 2 parameters in the URL:
userid=121, which is the userid of the attacker
token=12345, which is the password reset token sent to his email
So the userid can be completely manipulated by the attacker. When the attacker increments or decrements the userid= parameter, and the access controls are broken (the server trusts the userid instead of deriving the user from the token), he may be able to change other users' passwords without any user interaction.
Fix:
- Tokens should be uniquely assigned to a user, so the server identifies the account from the token itself and not from a userid parameter in the URL
4-Insecure Session Expiration
The concept here is simple.
- Let's suppose the attacker got access to your account and is logged in to it.
- You feel like someone has hacked your account and decide to change the password.
- You visit the password reset page, enter your email and get the reset link in your inbox.
- You change the password, but the attacker is still logged in to your account.
You may be thinking, how is that possible? This happens when the server doesn't kill all existing sessions on changing the password of the account.
Fix:
- Kill all sessions when the password of an account is changed.
5-Many Password Reset Links
As you all know, password reset tokens are randomly generated, so if the password reset token is not complex enough and seems to be brute-forceable, the attacker can go to the reset page, enter the victim's email address and send thousands of password reset tokens to the victim's inbox.
Now two situations may arise:
- After generating a new token, the previous token gets expired
- After generating a new token, the previous token is not expired
In the 2nd case the attacker can generate hundreds or thousands of simultaneously valid tokens, which increases the chance that a brute-force guess hits one of them.
6-Password Reset Links Not Expiring
Let's suppose the user visits the reset page and enters his email, and the token/link is sent to his email.
The user visits the link and successfully changes his password, but the password reset link is not expired. Now if malware infects the user's system, the attacker can change the password of the user's account, as the link will still be working.
Fix:
After the reset link has been used, the server should expire the token.
7-User Enumeration
In this type of attack the attacker can enumerate the valid/registered usernames/emails in the application. First of all, note that many researchers/hackers do not consider this a security issue on its own, as by itself it has no direct security impact.
So how does this attack work?
- The attacker visits the password reset page
- He enters his email and the application pops up the message "The password reset link has been sent to your email"
- He enters some random emails and gets the response "Email Not found"
- So he takes a list of emails and tries them one by one against the password reset functionality; if he gets the "link has been sent" response, the email is registered on the domain
- If he gets the "Email Not found" response, the email is not registered
- In this way he can enumerate the valid usernames/emails in the application
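As an added example (not code from the original post), here is a small Python model of a reset endpoint that applies the fixes from sections 3 to 7 together: the token alone identifies the user (no userid parameter), a new request supersedes the previous token, a token is single-use and expires, every session is killed when the password changes, and known and unknown emails get the same reply. The in-memory stores, addresses and 15-minute lifetime are constructed for the example.

```python
import hmac
import secrets
import time

RESET_TTL = 15 * 60  # constructed policy: a link dies 15 minutes after issue
GENERIC_MSG = "If that address is registered, a reset link has been sent."

# Constructed in-memory stores standing in for the application database.
USERS = {"alice@example.com": 121, "bob@example.com": 122}  # email -> user id
PASSWORDS = {121: "old-alice-pw", 122: "old-bob-pw"}        # user id -> password
SESSIONS = {}       # session id -> user id of the logged-in user
RESET_TOKENS = {}   # user id -> (token, issued_at); at most one live token per user


def request_reset(email, now=None):
    """Issue a reset token. Known and unknown addresses get the same message,
    so the endpoint cannot be used to enumerate users, and a fresh request
    replaces the previous token, so nobody can pile up valid links."""
    now = time.time() if now is None else now
    user_id = USERS.get(email)
    if user_id is not None:
        token = secrets.token_urlsafe(32)  # 256 random bits: not brute-forceable
        RESET_TOKENS[user_id] = (token, now)
        # The mail would carry https://www.example.com/reset.php?token=<token>
        # with no userid parameter: the token alone identifies the account.
    return GENERIC_MSG


def consume_reset(token, new_password, now=None):
    """Look the user up from the token (never from a userid in the URL),
    enforce expiry and single use, change the password and log out every
    existing session of that user, including an attacker's."""
    now = time.time() if now is None else now
    owner = None
    for user_id, (stored, issued_at) in RESET_TOKENS.items():
        if hmac.compare_digest(stored, token):  # constant-time comparison
            owner = user_id
            break
    if owner is None:
        return False
    del RESET_TOKENS[owner]  # single use: burned whether or not it is still fresh
    if now - issued_at > RESET_TTL:
        return False
    PASSWORDS[owner] = new_password
    for sid in [s for s, uid in SESSIONS.items() if uid == owner]:
        del SESSIONS[sid]
    return True
```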
So that's it for this tutorial; hope you enjoyed the post.
At the end, special thanks to dawidczagan and the whole hacker community for sharing their resources!
Thank you for Reading...
You can add one more vulnerability related to pass reset:
Malicious Host header injection while sending the pass reset link will lead to account takeover.
Yeah, will do that in the next writeup.
Awesome writeup... very useful... Thanks for sharing your knowledge ❤
Really, thank you for the appreciation.
Great..
Thanks dude.
Great write up indeed. Keep the good work on!
Thanks buddy.
Nice content buddy, greetings from lopseg.
Very informational thanks for sharing <3