Here is the new one… This time we will be looking at exploiting authentication through logic flaws. When we talk about logic flaws within authentication, we include:
forgotten password mechanisms
Today we are going to focus on the forgot-password step of the authentication process. But before that, let me set out the scenario.
Scenario:
I discovered this bug in a private program, and it led me to a full account takeover.
Test email: bug@nalafx.com
Then I clicked on “forgot my password”:
Once you click on “Send recovery link”, the web application is supposed to send the reset link to the account’s email address.
But wait… we need to check the request in Burp Suite:
You can see in the Request pane that there is a parameter, “resetPasswordUrl”. Its value is filled in by the web application’s front end, so it arrives in a request that the user controls. I sent this request and got a response saying it was successful.
Now the question is:
Q. How can you say that the application’s forgot-password mechanism is vulnerable in the above case?
So I tried modifying the value of the “resetPasswordUrl” parameter and found that whatever value I entered was reflected back exactly in my password-reset email. Here is the modified value of the reset-password URL: “BLAH-BLAH-BLAH”
Let’s check the email inbox to see the reflected value:
So what I did next was set the resetPasswordUrl parameter to this value: “https://target.com@evil.com/”
I received an email that looks like this:
Now the question is:
Q. How to exploit it to takeover the account?
You might wonder what the impact of this is. To understand the impact, we must first understand the exploit.
In a web browser, if a URL contains an “@” before the host name is complete, everything between “//” and the “@” is treated as credentials (the userinfo part of the URL), and the host is whatever follows the “@”.
As an example: https://twitter.com@tesla.com
So what happens is that the browser takes you to “tesla.com”, with “twitter.com” sent as the username.
According to Screenshot #6: when the user clicks on that password reset link, they are taken to “f437bff15e10.ngrok.io” along with the reset token ;) Once the user visits the password reset link, we receive the data on the ngrok connection.
As you can see, the “vtoken” parameter and its value are what is needed to reset the password. As an attacker, I captured it, so I could reset another person’s password and access their account.
I hope this gives you some motivation to do bug bounties. See you again in the next writeup.
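As an added example, not part of the original writeup or the target’s code, here is how the server side could build the reset link so that a reflected resetPasswordUrl can no longer carry the token elsewhere. It puts the kind of naive prefix check that “https://target.com@evil.com/” slips past next to a check that parses the URL the way a browser does (userinfo before “@”, host after it). The host allowlist, the base path and the alert line are constructed placeholders.

```python
from typing import Optional
from urllib.parse import urlencode, urlsplit

# Constructed allowlist: the only hosts a password-reset link may point at.
ALLOWED_RESET_HOSTS = {"target.com", "www.target.com"}


def naive_check(url: str) -> bool:
    """The kind of check that lets the bug through: a plain string prefix test.

    "https://target.com@evil.com/" and "https://target.com.evil.com/" both start
    with "https://target.com", so both pass, yet a browser sends the user elsewhere.
    """
    return url.startswith("https://target.com")


def browser_host(url: str) -> Optional[str]:
    """Return the host a browser would actually connect to.

    Everything between "//" and "@" in the authority is userinfo, not the host,
    which is why https://target.com@evil.com/ resolves to evil.com.
    """
    return urlsplit(url).hostname


def hardened_check(url: str) -> bool:
    """Reject a reset URL that is not https, carries userinfo, or is off-allowlist."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False  # "creds@host" form: the part before "@" is credentials
    return parts.hostname in ALLOWED_RESET_HOSTS


def build_reset_link(token: str, client_supplied_url: Optional[str] = None) -> str:
    """Build the emailed link without trusting the client's resetPasswordUrl.

    The base URL is a server-side constant; the client value is never used, and a
    value that fails validation is logged so redirect attempts show up in monitoring.
    """
    base = "https://target.com/reset-password"  # constructed, fixed server-side
    if client_supplied_url is not None and not hardened_check(client_supplied_url):
        host = browser_host(client_supplied_url)
        print(f"[alert] rejected resetPasswordUrl={client_supplied_url!r} "
              f"(browser would go to host={host!r})")
    return f"{base}?{urlencode({'vtoken': token})}"


if __name__ == "__main__":
    # Constructed sample inputs, including the payload from the writeup.
    for candidate in ("https://target.com/reset-password",
                      "https://target.com@evil.com/",
                      "https://target.com.evil.com/"):
        print(f"{candidate:40} naive={naive_check(candidate)!s:5} "
              f"hardened={hardened_check(candidate)!s:5} host={browser_host(candidate)}")
    print(build_reset_link("constructed-token-123", "https://target.com@evil.com/"))
```

The safest form is `build_reset_link`: the link base never comes from the request at all, so there is nothing to reflect. `hardened_check` is for the case where several legitimate front ends genuinely need different return hosts; note that it keys on the parsed `hostname`, not on the raw string, which is what defeats both the userinfo trick and a look-alike subdomain.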
Twitter profile: @Dheerajmadhukar
Linkedin profile: @dheerajtechnolegends