2025-03-15 Update From: SLTechnology News&Howtos (Network Security)
Shulou(Shulou.com)05/31 Report--
This article explains, concisely and accessibly, how account hijacking vulnerabilities arise from predictable password reset tokens. I hope you gain something from the detailed walkthrough.
Today's writeup covers an interesting account hijacking vulnerability: the algorithm the target server used to generate password reset tokens produced tokens that were predictable and enumerable, putting every registered user of the site at risk of account takeover.
We will call the target site program.com. While testing the forgot-password function, I noticed something odd: every time I requested a password reset for my account, the reset token in the e-mail I received began with the same three characters. That caught my attention.
A few minutes later I was surprised to find that those three characters came from the local part of the e-mail address I had registered on the site: characters two to four of the mailbox prefix, in reverse order. In other words, if my registered address is johndoe@domain.com, the reset token I receive after requesting a password reset starts with "nho" (without quotation marks), as follows:
With this discovery I assumed the rest of the token also had some meaning, and after many tests and some analysis I found that the trailing characters are the current timestamp. I could not find a pattern for the two characters between the three-character prefix and the timestamp, however; they appear to be randomly generated.
If only those two characters are random, brute-force enumeration is feasible, and conveniently the target server had no rate limiting at all. For the test I used two registered mailboxes with the same prefix: johndoe@domain.com as the victim's mailbox and johndoe@domain2.com as the attacker's. I submitted password reset requests for both accounts to the target server at the same time. Because the mailbox prefixes match and the requests were sent simultaneously, the reset tokens returned by the server should be identical apart from the two random characters.
So, as the attacker, I logged in to johndoe@domain2.com, took the password reset link containing its token, and built a dictionary of candidate values for the two random characters to brute-force the victim's reset link in Burp Intruder. Sure enough, after a few requests one of the enumerated reset links returned a 302 redirect, confirming a valid password reset request for the victim's account.
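As an added example (not the writeup's or the vendor's code), the Python below reconstructs the token structure described above to show how small the search space is once the victim's e-mail is known, and places a hardened reset-token scheme beside it. The character set of the two random characters, the timestamp format and the token lifetime are assumptions.

```python
"""Weak reset-token scheme from the writeup beside a hardened one (added example)."""
import hashlib
import hmac
import math
import secrets
import string

# Assumed charset for the two random characters (the page does not state it).
ALPHABET = string.ascii_lowercase + string.digits


def weak_reset_token(email: str, now: int, rand: str) -> str:
    """Reconstructs the structure the writeup describes: characters 2..4 of the
    mailbox prefix reversed, two random characters, then a Unix timestamp.
    'rand' is passed in so the layout is visible; it is an assumption, not the
    target's real algorithm."""
    prefix = email.split("@", 1)[0]
    return prefix[1:4][::-1] + rand + str(now)


def weak_token_search_space(timestamp_window_s: int) -> int:
    """Number of candidates an attacker who knows the victim's e-mail and the
    second in which the reset was requested must try: the prefix is derived,
    so only the two random characters and the timestamp (within the window)
    actually vary."""
    return len(ALPHABET) ** 2 * timestamp_window_s


def weak_token_entropy_bits(timestamp_window_s: int) -> float:
    """Effective entropy of the weak scheme, for comparison with ~256 bits."""
    return math.log2(weak_token_search_space(timestamp_window_s))


# Hardened scheme: 32 random bytes from the OS CSPRNG, unrelated to the
# e-mail or the time, stored only as a hash with an expiry (assumed 15 min),
# checked in constant time and consumed on first successful use.
TOKEN_TTL_S = 15 * 60


def issue_reset_token(store: dict, email: str, now: float) -> str:
    token = secrets.token_urlsafe(32)
    store[email] = (hashlib.sha256(token.encode()).hexdigest(), now + TOKEN_TTL_S)
    return token


def verify_reset_token(store: dict, email: str, token: str, now: float) -> bool:
    entry = store.get(email)
    if entry is None or now > entry[1]:
        return False
    digest = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(entry[0], digest):
        return False
    del store[email]  # single use: a token that has been redeemed cannot be replayed
    return True
```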
After the vulnerability was reported, the vendor rated it P1 severity and fixed it promptly.
That is how the predictability of password reset tokens leads to account hijacking. Have you learned anything from it? If you want to learn more or broaden your knowledge, you are welcome to follow the industry information channel.
© 2024 shulou.com SLNews company. All rights reserved.