Password Reset
Last updated
Was this helpful?
Last updated
Was this helpful?
Email Flooding or mail bombing
Not recommanded - The security relies on either the generated password expiring after a very short period, or the user changing their password again immediately. Otherwise, this approach is highly susceptible to man-in-the-middle attacks.
Change the username
Source: https://x.com/bountywriteups/status/1843358474568421449?t=EAe-IUTLEhIKVjz9YK9cYQ&s=03
Replace bad response with good one
Enter the victim's email and intercept the submit request via Burp Suite . Then right-click on the HTTP Editor inside Burp Suite and select Extensions -> Content-Type Converter -> Convert to JSON (make sure to have the Content-Type Converter plugin installed from the BApp Store)
Now replace this converted JSON line "user[email]":"victim@gmail.com", to
Create your account on target Site.
Request for a forget password token.
Don't use that link
Instead logged in with your old password and change your email to other.
Now use that password link sents to old email and check if you are able to change your password if yes than there is the litle bug.
Source: https://x.com/bountywriteups/status/1843186551968399632?t=wf0m1BGx--rn6kZWTzB0Tg&s=03
Check if the token is reflected back in the response
Use another email's token on your victim's reset link
Try used tokens
Remove the token and check
Change token to 0000
Use nul value
Try an array of token
Massive token - Use a very long token
Change one character (at the beginning or at the end) to see if the token is evaluated
Insecure token: MD5($email) or insecure uuid - version 1
Some websites fail to also validate the token again when the reset form is submitted - Use your own account to request a reset password and alter the POST request
Original Request
Original Response HTTP/1.1 200 OK
Try adding .json extension
Modified Request
Modified Response
Add X-Forwarded-Host: attacker.com
Host: Attacker.com
Method 1
Change Host, Origin or Referrer to hijack email links
Method 2
Modify/Add the header one by one. If the attack is successfull, you will receive a email with a modified reset link: http://attacker-website.com/reset?token=123456789
to
And the victim will receive the reset link with evil.com
If the victim clicks this link (or it is fetched in some other way, for example, by an antivirus scanner) the password reset token will be delivered to the attacker's server.
The attacker can now visit the real URL for the vulnerable website and supply the victim's stolen token via the corresponding parameter. They will then be able to reset the user's password to whatever they like and subsequently log in to their account.
Try to change methods
1- Ask for reset password link
2- Click on the link and add new password
3- Intercept the request with burpsuite
4- Found parameter called email
5- Replaced my email to victim email
6- Found the password of the victim changed
Could also be an ID - see:
Login with a valid user - Alter the POST request
Wrong password
Valid password
Alter and bruteforce
