EvilZone


: Analyse some common bugs in web password reset.
: luverose June 02, 2014, 03:12:37 AM
0x00 Preface
The usual steps of a password reset:
1. Input account
2. Verify the identity of the account
3. Reset password
4. Done
-----------------------------------------
Usually the insecure parts are in steps 2 and 3. Let's see some common password reset bugs! :P

0x01 Enumeration
1. This kind of password reset is frequently used by websites: confirm a phone verification code to reset the password. This design is usually part of the "retrieve password" steps. The system sends a code to your phone, and if you input the right one, you can then reset your password.
    They are designed to use 4-6 digit verification codes, which are simple, pure numbers. What's more, they don't limit the number of times you can try the simple code.
Let me give you an example: if you have a common laptop and you want to use Burp Suite to brute-force four digits, you just need to wait 2 minutes and the job will be done, because 4 digits only have ten thousand combinations, which your computer can enumerate in a very short time.
    Let me show you some pictures.
    This is a phone verification code reset bug [ps: I'm Chinese and I can't find any similar examples in English, so the examples use Chinese websites ;D ]
(http://0inn.in/usr/uploads/2014/06/259555830.png)


(http://0inn.in/usr/uploads/2014/06/3362065643.png)(http://0inn.in/usr/uploads/2014/06/2804402141.png)(http://0inn.in/usr/uploads/2014/06/4167012133.png)
(http://0inn.in/usr/uploads/2014/06/3120359997.png)

2. Same as the phone verification code, some websites will email you a code to reset your password. The principle is the same, and we will not go into details ::)
  Let me show you some examples too:
(http://0inn.in/usr/uploads/2014/06/3635872895.png)(http://0inn.in/usr/uploads/2014/06/1220032653.png)(http://0inn.in/usr/uploads/2014/06/2384163440.png)(http://0inn.in/usr/uploads/2014/06/1220032653.png)

0x02 Replace the password reset URL
1. Some websites will send you a URL to reset your password. The URL must have two essential parameters: the user name (or UID, some parameter representing the user) and an encrypted string (the system encrypted something that is used to verify your identity).
This encrypted string, which is sent to your email, logically should be designed one-for-one. But by some mistake this encrypted string could be "one-for-anyone" :'(

1. http://login.evilzone.com/resetPass?username=[attacker]&code=[a05e9dd6-e64d-4a5a-9364-60499d78c9aa]&email=[attacker's email address] ------ check it.
2. Attacker receives an email including http://login.evilzone.com/resetPass?username=[attacker]&code=[a05e9dd6-e64d-4a5a-9364-60499d78c9aa]&email=[user1's email address]
3. Attacker replaces some parameters, like http://login.evilzone.com/resetPass?username=[Victim]&code=[a05e9dd6-e64d-4a5a-9364-60499d78c9aa]&email=[attacker's email address]

0x03 CSRF
This could be a bit harder to introduce; I will put it in an XSS analysis topic.
 ;) thanks for watching, see ya
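As an added illustration of the two weaknesses described in 0x01 and 0x02 above (this is example code written for this page, not code from the post or from any site it shows), here is a toy reset service that closes both holes: the short verification code gets an attempt limit, an expiry and a constant-time compare, and the emailed reset token is HMAC-bound to the account it was issued for, so swapping the username or email parameter in the link fails verification. The limits, the key handling and the class and function names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Added example (not code from the thread): a toy reset service that closes the
# two holes the post describes. Limits and key handling are assumptions.
MAX_ATTEMPTS = 5       # wrong guesses allowed before the code is burned
CODE_TTL = 600         # seconds a phone/email code stays valid
TOKEN_TTL = 1800       # seconds an emailed reset link stays valid


@dataclass
class PendingCode:
    code: str
    expires: float
    attempts: int = 0


class ResetService:
    def __init__(self, key=None, clock=time.time):
        # Server-side secret; in a real deployment load it from configuration.
        self.key = key or secrets.token_bytes(32)
        self.clock = clock               # injectable so tests can move time
        self.codes = {}                  # username -> PendingCode
        self.used_tokens = set()         # reset-link tokens already consumed

    # ---- 0x01: short verification code, guarded against enumeration ----
    def issue_code(self, username):
        # 6 digits from a CSPRNG; the code is delivered out of band (SMS/email)
        # and never echoed back to the HTTP client that asked for the reset.
        code = f"{secrets.randbelow(10**6):06d}"
        self.codes[username] = PendingCode(code, self.clock() + CODE_TTL)
        return code

    def verify_code(self, username, guess):
        pending = self.codes.get(username)
        if pending is None or self.clock() > pending.expires:
            self.codes.pop(username, None)
            return False
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            # Too many guesses: burn the code so a 10^6 search cannot finish.
            del self.codes[username]
            return False
        ok = hmac.compare_digest(pending.code, guess)   # constant-time compare
        if ok:
            del self.codes[username]                    # one-time use
        return ok

    # ---- 0x02: emailed reset link, token bound to one account ----
    def issue_link_token(self, username):
        expires = int(self.clock()) + TOKEN_TTL
        nonce = secrets.token_hex(16)
        payload = f"{username}|{expires}|{nonce}"
        sig = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        # The destination address is looked up from the account server-side;
        # it is never taken from a request parameter like the post's &email=.
        return f"{payload}|{sig}"

    def verify_link_token(self, username_in_url, token):
        try:
            user, expires, nonce, sig = token.split("|")
        except ValueError:
            return False
        payload = f"{user}|{expires}|{nonce}"
        expected = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False        # tampered or forged token
        if user != username_in_url:
            return False        # "one-for-one": swapping the username fails
        if int(expires) < self.clock() or token in self.used_tokens:
            return False        # expired or replayed
        self.used_tokens.add(token)
        return True
```

The design point is that the server, not the link, decides which account a token belongs to: the username is inside the signed payload, so a token issued for one account can only ever reset that account, and the guess counter turns the 10,000 (or 1,000,000) combination search from a two-minute job into at most a handful of tries per issued code.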
: Re: Analyse some common bugs in web password reset.
: luverose June 02, 2014, 04:37:19 AM
By the way, guys, if you find any grammar mistakes or anything I expressed wrongly, please point it out to me and let me correct it :D
: Re: Analyse some common bugs in web password reset.
: kenjoe41 June 02, 2014, 11:36:43 PM
I am looking for the grammar mistakes but all I see is Chinese/Mandarin text. I would love to help you correct them but unfortunately I don't know any Chinese. I might return in a month to help you, but till then please try to look for them.
: Re: Analyse some common bugs in web password reset.
: proxx June 05, 2014, 02:28:42 PM
Keep 'em coming, I like simple attacks like these.
+1

p.s. Try not to double post; instead use the edit button.