Weak Password Reset Functionalities

Check List

Methodology

Black Box

The Exploitation Potential of IDOR in Password Recovery

1

Navigate to the Forgot Password page, typically found at /forgot-password, /reset-password, /account/recovery, or /login/forgot, where users initiate password reset requests

2

Enter a registered email address in the email field and submit the form to receive an OTP, capturing the request with Burp Suite to inspect the workflow

3

Locate the email parameter in the POST request body, often used to identify the account for reset and potentially passed unsanitized to the database or logic layer

4

After receiving the OTP for the first account, intercept the final password reset request with Burp Suite, modify the email parameter to a different registered email (test2@example.com), and forward it to change the target account’s password

5

Attempt to log in to the target account (test2@example.com) with the new password to confirm the IDOR vulnerability allowed unauthorized password reset

6

If login triggers an OTP request (6-digit code), note this as the final authentication barrier, then prepare to test for rate limiting weaknesses

7

Use Burp Suite’s Intruder to send multiple POST requests with the login endpoint (e.g., /login), iterating through 6-digit OTP combinations (000000 to 999999) in the OTP field, monitoring for a 200 OK response

8

If a 200 OK response is received (after ~20 minutes), use the guessed OTP to complete the login, verifying full account compromise due to lack of rate limiting

9

Test email or related parameters (username, user_id) on other authentication-related pages like /login, /account/settings, /profile/edit, or /reset, as these often handle user identification and may share similar vulnerabilities

Token Leak Via X-Forwarded-Host

1

Enter a registered email in the Forgot Password form and submit it to request a password reset token, intercepting the request with Burp Suite and starting an ngrok server

2

Locate the Host header in the intercepted request and add an X-Forwarded-Host header with an ngrok domain to redirect the token link

3

Check the email for the password reset link; if it contains the ngrok domain (https:/ngrokDomain/action-token?key=xyz), it confirms the poisoning vulnerability

4

Enter a victim’s email (victim@example.com) in the Forgot Password form, intercept the request, and add the X-Forwarded-Host header with the ngrok domain to redirect their token

5

Monitor the ngrok server; when the victim clicks the link, capture the token sent to the attacker’s domain, then use it to reset the victim’s password

6

Attempt to log in to the victim’s account with the new password to confirm full account takeover

Array Of Email Addresses Instead Of a Single Email Address.

1

Enter a single email in the password reset form and, if the request was in POST form, intercept the request with Burp Suite to change its text

2

Locate the email_address parameter in the POST request body, originally set as a single string ({"email_address":"xyz@gmail.com"})

3

Modify the email_address parameter to an array containing a victim’s email (admin@breadcrumb.com) and the attacker’s email (attacker@evil.com), sending the modified request

Change to {"email_address":["admin@breadcrumb.com","attacker@evil.com"]}

4

Check the attacker’s email for the password reset link; if received, it confirms the vulnerability allows token delivery to arbitrary addresses

5

Use the received token to access the password reset page (https://example.com/reset?token=xyz) and set a new password for the victim’s account

6

Attempt to log in to the victim’s account with the new password to confirm full account takeover

Account Take Over

1

Log in to the target site and go to the forgotten password page

2

Enter your email address so that the link can be sent to you after the process and During the process, use Burp Suite to intercept the request

3

Then, check in the intercepted request whether the parameters in the request Body include an address to the site itself

4

If the request parameter contains a site path, change that parameter to the attacker's address or ngrok address, etc., and then check your test email to see if clicking on the link redirects you to the attacker's address. If yes, the vulnerability is confirmed

s

1

Enter a registered username or email in the Forgot Password form and submit it to trigger the password reset process, inspecting the page source for AJAX requests with Burp Suite

2

Locate the API endpoint handling password reset tokens, such as /api/REDACTED/resetPasswordToken/ within the XMLHttpRequest responses generated in the background

3

Change the API endpoint request that is specific to resetting passwords to the form api/v1/resetpassword/<username> and enter it in the url and check whether the user information and tokens used are present in the response

4

Then, using the information provided, such as the username and token, create a link as follows: https://www.company.com/#/changePassword/<username>/<token>

5

Submit the crafted link to reset the target user’s password, then attempt to log in with the new password to confirm account takeover

Account Take Over via Token Parameter

1

Enter your email (attacker@example.com) and the admin’s email (admin@dashboard.example.com) in the Password Reset form on /login, submitting requests consecutively in two different tabs to generate tokens

2

Copy the password reset link for your account (https://dashboard.example.com/password-reset/form?token=28604) from the email into a notepad

3

Modify the token in the copied link to the next consecutive number (change 28604 to 28605) to target the admin’s token

4

Access the modified link, reset the admin’s password using the form, and note the success to confirm the vulnerability

5

Attempt to log in to the admin account with the new password to verify full account takeover

Open Redirect Account Take Over

1

Enter an email (my-email@gmail.com) in the forgotten password form and send a POST request to /ForgotPassword and use Burp Suite to look for parameters similar to returnUrl in the request body that redirect us to a path. These parameters

2

Locate the returnUrl parameter in the POST request body ({"email":"my-email@gmail.com","returnUrl":"/reset/password/:userId/:code"}) and modify it to an external URL (https://my-website.com/reset/password/:userId/:code)

3

Send the request and check for a 500 error, indicating the backend rejects external absolute URLs; then test with a relative path (//my-website.com/reset/password/:userId/:code) for a 200 response

4

Identify the open redirect vulnerability in the return parameter (https://app.target.com/login?return=https://google.com), then combine it by setting returnUrl to /login?return=https://my-website.com/reset/password/:userId/:code

5

Check the email for the reset link; if it contains the redirect (https://app.target.com/login?return=https://my-website.com/reset/password/{userID}/{Random-Code}), it confirms the vulnerability

Expires On Email Change

1

Enter your email (old-email@gmail.com) in the Password Reset form and submit it to generate a reset link, leaving it unused

2

Log in to your account and change the email to a new address (new-email@gmail.com), confirming the change, then log out

3

Access the old unused password reset link sent to old-email@gmail.com (https://example.com/reset?token=xyz) and submit it to reset the password

4

Set a new password using the reset form and submit it to update the account password

5

Attempt to log in with the new password to confirm the account takeover via the old token

6

Test email or related parameters (username, user_id) on other password reset-related endpoints like /reset, /password-reset, /account/recovery, or /user/reset, as these often handle token expiration and may share similar flaws

White Box

Cheat Sheet

PreviousWeak Security Question AnswerNextWeaker Authentication in Alternative Channel

Last updated