
Testing Password Reset Functionalities








Hello guys, this is Imran Parray and today we will be learning how to test password reset functionalities in web applications. As we all know, password resetting is a critical process which can lead to account takeover if it is not properly implemented.


Password Reset Process:


This process can be implemented in three different ways:

1-Password Reset Tokens
2-Generating New Passwords
3-Secret Questions


All of these implementations have their own pros and cons. So let's get started and discuss them one by one.

1-Password Reset Tokens


In this process the user visits the password reset page, enters his email and receives the reset token/link in his email inbox.


2-Generating New Password


This process is simple. The user visits the reset password section of the web application, enters his/her email and receives a new password via email.


3-Secret Questions


This is the most insecure/loose implementation of password reset functionality: the user is asked to answer some simple/common questions like

  1. What was the name of your first school?
  2. What is your mother's maiden name?



So what are the bugs that can be found in password reset functionalities?


1-Leaking of the password reset token
2-IDOR [Insecure Direct Object Reference]
3-Insecure session management
4-Weaknesses in the life cycle of the password reset process
5-User enumeration


Let's discuss them one by one.

1-Leaking of the password reset token over an insecure channel


Let's suppose the user visits the reset page and enters his email, and the token/link is sent to his email:

http://www.example.com/reset.php?token=12345

As you can see, they are using http rather than https for transporting the sensitive token to the web server, so anyone on the network path can read it.

Fix:

http://www.example.com/reset.php?token=12345          ---[Insecure]
https://www.example.com/reset.php?token=12345        ---[Secure]

2-Leaking of the password reset token via the Referer header


Let's suppose the user visits the reset page and enters his email, and the token/link is sent to his email:

http://www.example.com/reset.php?token=12345

Now, when the user clicks the link and loads the reset.php page in his browser, the reset page loads an image from some third-party web server. To fetch that image, the browser sends an HTTP request carrying the header [ Referer: http://www.example.com/reset.php?token=12345 ]. So now the third-party image hosting server knows the user's reset token.


Fix:
  • Don't fetch images from external resources
  • Host them on your own server
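As an added example (not code from the original post), this Python script checks a reset page for the leak described above: it lists the sub-resources a browser would fetch from other origins while the reset URL sits in the address bar, and checks whether the response's Referrer-Policy header keeps the full URL (and so the token) out of cross-origin requests. The sample HTML and header values are constructed; the reset URL is the one from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

RESET_URL = "http://www.example.com/reset.php?token=12345"  # URL from the post

# Referrer-Policy values that keep the path and query (hence the token) out of
# the Referer header on cross-origin requests.
SAFE_POLICIES = {"no-referrer", "same-origin", "origin", "strict-origin",
                 "origin-when-cross-origin", "strict-origin-when-cross-origin"}


class ResourceCollector(HTMLParser):
    """Collects URLs of tags that make the browser fetch a sub-resource."""
    FETCH_ATTRS = {"img": "src", "script": "src", "link": "href", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.FETCH_ATTRS.get(tag)
        for name, value in attrs:
            if wanted and name == wanted and value:
                self.urls.append(value)


def third_party_resources(page_url, html):
    """Return resource URLs served from an origin other than the reset page's."""
    page_host = urlparse(page_url).netloc
    collector = ResourceCollector()
    collector.feed(html)
    # A relative URL has no netloc and is fetched from the page's own origin.
    return [u for u in collector.urls
            if urlparse(u).netloc and urlparse(u).netloc != page_host]


def policy_hides_token(headers):
    """True if the response's Referrer-Policy stops the token reaching third parties."""
    policy = headers.get("Referrer-Policy", "").strip().lower()
    return policy in SAFE_POLICIES


# Constructed sample page: the logo comes from a CDN, the rest is same-origin.
SAMPLE_HTML = """<html><body>
<img src="https://cdn.third-party.example/logo.png">
<img src="/static/local.png">
<script src="https://www.example.com/app.js"></script>
</body></html>"""
```

Every URL returned by third_party_resources is a server that would receive the token in the Referer header unless policy_hides_token is true for the page's response.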


3-IDOR in password reset functionality


Let's again revise the workflow of the reset functionality from the server's perspective:

User asks for a password reset
|
\/
Password reset link is sent to his email
|
\/
User clicks the password reset link
|
\/
Server checks the token's validity
|
\/
If the token is wrong, an "Access Denied" message is shown
|
\/
If the token is right, the server checks the userid sent with the request
|
\/
reset.php is loaded to change the password of the user whose userid is in the URL
|
\/
User successfully changes his password


Now let's suppose an attacker visits the reset page and enters his own email, and the token/link is sent to his email:

http://www.example.com/reset.php?userid=121&token=12345

As you can see, we have two parameters in the URL:

userid=121 is the userid of the attacker
token=12345 is the password reset token sent to his email

So the userid can be completely manipulated by the attacker. If the access controls are broken, then by incrementing or decrementing the userid= parameter he may be able to change other users' passwords without any user interaction.

Fix:

  • Tokens should be uniquely assigned to a user, and the server should identify the user from the token rather than from the userid parameter


4-Insecure session expiration


The concept here is simple.

  • Let's suppose the attacker got access to your account and is logged in to it.
  • You felt like someone had hacked your account and decided to change the password.
  • You visited the password reset page, entered your email and got the reset link in your inbox.
  • You changed the password, but the attacker is still logged in to your account.

You may be thinking: how is that possible? This happens when the server doesn't kill all existing sessions on changing the account's password.


Fix:

  • Kill all the sessions when the password of an account is changed.

5-Many password reset links


As you all know, password reset links are randomly generated. If the password reset token is not complex enough and looks brute-forceable, the attacker can go to the reset page, enter the victim's email address and send thousands of password reset tokens to the victim's inbox.

Now two situations may arise:
  1. After generating the new token, the previous token gets expired.
  2. After generating the new token, the previous token is not expired.

In the second case every token stays live, so the attacker can request hundreds or thousands of them to increase the chances of a brute-force attack.



6-Password reset links not expiring


Let's suppose the user visits the reset page and enters his email, and the token/link is sent to his email:

http://www.example.com/reset.php?token=12345

The user visits the link and successfully changes his password, but the password reset link is not expired. Now if malware infects the user's system, the attacker can change the password of the user's account, as the link will still be working.

Fix:

After the reset link is used, the server should expire the token.

7-User enumeration


In this type of attack the attacker can enumerate the valid/registered usernames/emails in the application. Note that many researchers/hackers don't consider this a security issue, as on its own it has no direct security impact.

So how does this attack work?

  • Attacker visits the password reset page
  • Enters his own email, and the application pops up the message "The password reset link has been sent to your email"
  • Attacker enters some random emails and gets the response "Email not found"
  • So he takes a list of emails and brute-forces them against the password reset functionality: if he gets the "link has been sent" response, the email is registered on the domain
  • If he gets the "Email not found" response, the email is not registered
  • This way he can enumerate the valid usernames/emails in the application
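As an added example that is not code from the original post, here is a minimal in-memory Python reset service that applies the fixes from sections 3 to 7 together: the target user is derived from the token rather than from a userid parameter, a new request supersedes older tokens for that user, tokens are high-entropy, time-limited and single-use, every session is dropped when the password changes, and the request endpoint returns the same message whether or not the email exists. The class, its field names and the 15-minute lifetime are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds a reset link stays valid (assumed value)
GENERIC_MSG = "If that email is registered, a reset link has been sent."


class ResetService:
    """Hypothetical reset service; users maps email -> {"id", "password", "sessions"}."""

    def __init__(self, users, clock=time.time):
        self.users = users
        self.tokens = {}      # sha256(token) -> {"user_id": ..., "expires": ...}
        self.clock = clock    # injectable so expiry can be exercised in tests

    def request_reset(self, email):
        """Same message for known and unknown emails, so nothing is enumerable."""
        user = self.users.get(email)
        token = None
        if user is not None:
            # Issuing a new token revokes any earlier one for this user, so
            # flooding the inbox never accumulates live tokens.
            self.tokens = {h: t for h, t in self.tokens.items()
                           if t["user_id"] != user["id"]}
            token = secrets.token_urlsafe(32)   # 256 bits of randomness
            self.tokens[self._hash(token)] = {"user_id": user["id"],
                                              "expires": self.clock() + TOKEN_TTL}
        # The token is returned here only to stand in for the mailer; the HTTP
        # response to the requester must carry just GENERIC_MSG.
        return GENERIC_MSG, token

    def reset_password(self, token, new_password):
        """The target user comes from the token, never from a userid in the URL."""
        entry = self.tokens.pop(self._hash(token), None)   # pop: single use
        if entry is None or entry["expires"] < self.clock():
            return False
        user = next(u for u in self.users.values() if u["id"] == entry["user_id"])
        user["password"] = new_password
        user["sessions"].clear()   # kill every session logged in before the change
        return True

    @staticmethod
    def _hash(token):
        # Only a digest is stored, so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()
```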

So that's it for this tutorial; I hope you enjoyed the post.

At the end, special thanks to dawidczagan and the whole hacker community for sharing their resources!

Thank you for reading...








Comments

  1. You can add one more vulnerability related to pass reset:
    Malicious host header injection while sending pass reset link will lead to account takeover.

  2. Awesome writeup... very useful... Thanks for sharing your knowledge ❤

  3. Great write up indeed. Keep the good work on!

  4. Nice content buddy, greetings from lopseg.

  5. Very informational thanks for sharing <3