Author Topic: Analyse some common BUGs about reset web password.  (Read 532 times)


Offline luverose

Analyse some common BUGs about reset web password.
« on: June 02, 2014, 03:12:37 am »
0x00 Preface
1. Input account
2. Verify the identity of the account
3. Reset password
4. Done
Usually the common insecurity factors exist in steps 2 and 3. Let's see some common reset-password bugs! :P

0x01 Enumeration
1. This kind of password reset is frequently used by websites: confirm a phone verification code to reset the password. This design is usually in the steps of retrieving a password. The system sends a code to your phone, and if you input the right one, you can then reset your password.
    They are designed to use 4-6 digits to verify, which are simple, pure numbers. What's more, they don't limit the number of times you can try the simple code.
Let me give you an example: if you have a common laptop and you want to use Burp Suite to brute-force four numbers, you just need to wait 2 mins and the job will be done, because 4 numbers only have ten thousand combinations, which your computer can enumerate in a very short time.
    Let me show you some pictures.
    This is a phone verification code reset bug [ps: I'm Chinese and I can't find any similar examples in English, so the examples will use Chinese websites ;D ]

2. Same as verifying a phone code, some websites will e-mail you a code to reset your password. The principle is the same, and we will not go into details ::)
  Here are some examples too:

0x02 Replace the URL of the reset password
1. Some websites will send a URL to reset your password. The URL must have two essential parameters: the user name (or UID, some parameter representing the user) and an encrypted string (the system encrypted something which is used to verify your identity).
This encrypted string, which is sent to your email, logically should be designed one-for-one. But by some mistakes this encrypted string could be "one-for-anyone" :'(

1. http://login.evilzone.com/resetPass?username=[attacker]&code=[a05e9dd6-e64d-4a5a-9364-60499d78c9aa]&email=[attacker's email address] ------ click it.
2. The attacker receives an email including http://login.evilzone.com/resetPass?username=[attacker]&code=[a05e9dd6-e64d-4a5a-9364-60499d78c9aa]&email=[user1's email address]
3. The attacker replaces some parameters, like http://login.evilzone.com/resetPass?username=[Victim]&code=[a05e9dd6-e64d-4a5a-9364-60499d78c9aa]&email=[attacker's email address]

0x03 CSRF
This could be a bit harder to introduce; I will put it in an XSS analysis topic.
 ;) Thanks for watching, see ya
« Last Edit: June 02, 2014, 03:39:34 am by luverose »
When I was young ,I asked my mom why I have to eat meal?when I noticed my brother have ate my meal ,I think I was so stupid!
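As an added example (not the poster's code, and not taken from any real site), here is a Python sketch of the server-side checks that close both bugs described in the post: the reset token is bound to the username and to the e-mail it was sent to, is single-use and expires, and the numeric code allows only a bounded number of guesses. The in-memory stores and the five-attempt limit are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores for this example; a real service would persist these.
_tokens = {}   # sha256(token) -> (username, email, expires_at)
_otps = {}     # username -> (code, expires_at, attempts_left)
MAX_OTP_ATTEMPTS = 5   # assumed policy: discard the code after five wrong guesses

def issue_reset_token(username, email, now=None, ttl=900):
    """Mint a random 256-bit token bound to the account AND the mailbox it is mailed to."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    # Store only a hash, so a leaked store cannot be replayed as live tokens.
    _tokens[hashlib.sha256(token.encode()).hexdigest()] = (username, email, now + ttl)
    return token

def verify_reset_token(username, email, token, now=None):
    """Accept only when unexpired and every bound field matches; consume on success."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    bound_user, bound_email, expires_at = _tokens.get(digest, ("", "", 0))
    ok = (now < expires_at
          and hmac.compare_digest(bound_user.encode(), username.encode())
          and hmac.compare_digest(bound_email.encode(), email.encode()))
    if ok:
        del _tokens[digest]   # single use: a reset link cannot be replayed
    return ok

def issue_otp(username, now=None, ttl=300):
    """Six-digit SMS/e-mail code with a short lifetime and a bounded number of guesses."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    _otps[username] = (code, now + ttl, MAX_OTP_ATTEMPTS)
    return code

def verify_otp(username, code, now=None):
    """Each wrong guess burns an attempt; expiry or lock-out discards the code."""
    now = time.time() if now is None else now
    stored, expires_at, attempts_left = _otps.get(username, (None, 0, 0))
    if now >= expires_at or attempts_left <= 0:
        _otps.pop(username, None)   # caller must request a fresh code
        return False
    if hmac.compare_digest(stored.encode(), code.encode()):
        del _otps[username]
        return True
    _otps[username] = (stored, expires_at, attempts_left - 1)
    return False
```

With these checks, swapping the username or e-mail in a reset link fails the binding test, and a brute-force of the numeric code is cut off after a handful of attempts instead of ten thousand.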

Offline luverose

Re: Analyse some common BUGs about reset web password.
« Reply #1 on: June 02, 2014, 04:37:19 am »
By the way, guys, if you find any grammar mistakes or anything that I expressed wrongly, please point it out to me and let me correct it :D
« Last Edit: June 02, 2014, 04:38:03 am by luverose »

Offline kenjoe41

Re: Analyse some common BUGs about reset web password.
« Reply #2 on: June 02, 2014, 11:36:43 pm »
I am looking for the grammar mistakes, but all I see is Chinese/Mandarin text. I would love to help you correct them, but unfortunately I don't know any Chinese. I might return in a month to help you, but till then please try to look for them.
If you can't explain it to a 6 year old, you don't understand it yourself.

Offline proxx

Re: Analyse some common BUGs about reset web password.
« Reply #3 on: June 05, 2014, 02:28:42 pm »
Keep 'em coming, I like simple attacks like these.
+1

p.s. Try not to double post; instead use the edit button.
« Last Edit: June 05, 2014, 02:29:15 pm by proxx »
Wtf where you thinking with that signature? - Phage.
This was another little experiment *evillaughter - Proxx.
Evilception... - Phage