This article is about a vulnerability that Tameem Khalid, a cybersecurity researcher and security analyst, exploited and poisoned the password reset (Reset Password) feature.
Poisoning the Reset Password feature
Poisoning the Reset Password feature is a technique that helps attackers manipulate a vulnerable website to create a reset password link pointing to their domain. This behavior can be used to steal the secret tokens needed to reset a user’s password and ultimately compromise their account.
For the privacy of the application, I will take the redacted.com website as an example. Like every other web app, it has a password reset feature. So I’m going to start mining it.
This is one of those great checklists you can check out while hunting. https://github.com/harsh-bothra/HowToHunt
After analyzing the request, I only noticed an unnecessary parameter named “callback”. Request as below:
We need to look at this request for a bit. And now you know what to do, right?
I changed the parameter value “callback” to the payload of Burp Collaborator and check if it is executed. And the result is like this:
Burp Collaborator’s payload has been executed and the reset password link has been changed with the token. When the victim clicks on this link, the password reset token is sent to the attacker’s server.
- The attacker obtains the victim’s email address or username on request and sends a password reset request on their behalf. When submitting the form, they intercept the HTTP request and modify the “Callback” parameter so that it points to a domain they control. For this example, I used Burp Collaborator.
- Victims receive a master password reset email directly from the website. It contains a link to reset their password and, importantly, a valid password reset token associated with their account. However, the domain in the URL points to the attacker’s server: https://7iq969dpiaezim94zc2qtknodfj57u.burpcollaborator.net/k1NMNAoPAUJA5U2NqvgejuAUvZJR182UJyA4MXJfLWtIMIUCtpZEMogQUstW
- If the victim clicks on this link (or it is fetched in some other way, such as by an anti-virus scanner), a password reset token is sent to the attacker’s server.
- The attacker can now visit the actual URL of the vulnerable website and provide the victim’s stolen token via the corresponding parameter. They will then be able to reset the user’s password to whatever they like and log into their account.
Hacking with the Reset Password feature is one of those attacks that is more practical than theoretical, often used as in bug bounty programs. Web developers should consider creating a whitelist of trusted domains during the initial setup of the application.