> For the complete documentation index, see [llms.txt](https://angelica.gitbook.io/hacktricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://angelica.gitbook.io/hacktricks/pentesting-web/reset-password.md).

# Reset/Forgotten Password Bypass

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/files/Xcgr3q6BP5MpWT3hTn6d" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/files/Xcgr3q6BP5MpWT3hTn6d" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/files/aQnEyHWQGyok3qCc92qt" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/files/aQnEyHWQGyok3qCc92qt" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

<figure><img src="/files/pkCbnqa1piLi0fahSPUn" alt=""><figcaption></figcaption></figure>

Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!

**Hacking Insights**\
Engage with content that delves into the thrill and challenges of hacking

**Real-Time Hack News**\
Keep up-to-date with fast-paced hacking world through real-time news and insights

**Latest Announcements**\
Stay informed with the newest bug bounties launching and crucial platform updates

**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!

## **Password Reset Token Leak Via Referrer**

* The HTTP referer header may leak the password reset token if it's included in the URL. This can occur when a user clicks on a third-party website link after requesting a password reset.
* **Impact**: Potential account takeover via Cross-Site Request Forgery (CSRF) attacks.
* **Exploitation**: To check if a password reset token is leaking in the referer header, **request a password reset** to your email address and **click the reset link** provided. **Do not change your password** immediately. Instead, **navigate to a third-party website** (like Facebook or Twitter) while **intercepting the requests using Burp Suite**. Inspect the requests to see if the **referer header contains the password reset token**, as this could expose sensitive information to third parties.
* **References**:
  * [HackerOne Report 342693](https://hackerone.com/reports/342693)
  * [HackerOne Report 272379](https://hackerone.com/reports/272379)
  * [Password Reset Token Leak Article](https://medium.com/@rubiojhayz1234/toyotas-password-reset-token-and-email-address-leak-via-referer-header-b0ede6507c6a)

## **Password Reset Poisoning**

* Attackers may manipulate the Host header during password reset requests to point the reset link to a malicious site.
* **Impact**: Leads to potential account takeover by leaking reset tokens to attackers.
* **Mitigation Steps**:
  * Validate the Host header against a whitelist of allowed domains.
  * Use secure, server-side methods to generate absolute URLs.
  * **Patch**: Use `$_SERVER['SERVER_NAME']` to construct password reset URLs instead of `$_SERVER['HTTP_HOST']`.
* **References**:
  * [Acunetix Article on Password Reset Poisoning](https://www.acunetix.com/blog/articles/password-reset-poisoning/)

## **Password Reset By Manipulating Email Parameter**

Attackers can manipulate the password reset request by adding additional email parameters to divert the reset link.

* Add attacker email as second parameter using &

```php
POST /resetPassword
[...]
email=victim@email.com&email=attacker@email.com
```

* Add attacker email as second parameter using %20

```php
POST /resetPassword
[...]
email=victim@email.com%20email=attacker@email.com
```

* Add attacker email as second parameter using |

```php
POST /resetPassword
[...]
email=victim@email.com|email=attacker@email.com
```

* Add attacker email as second parameter using cc

```php
POST /resetPassword
[...]
email="victim@mail.tld%0a%0dcc:attacker@mail.tld"
```

* Add attacker email as second parameter using bcc

```php
POST /resetPassword
[...]
email="victim@mail.tld%0a%0dbcc:attacker@mail.tld"
```

* Add attacker email as second parameter using ,

```php
POST /resetPassword
[...]
email="victim@mail.tld",email="attacker@mail.tld"
```

* Add attacker email as second parameter in json array

```php
POST /resetPassword
[...]
{"email":["victim@mail.tld","atracker@mail.tld"]}
```

* **Mitigation Steps**:
  * Properly parse and validate email parameters server-side.
  * Use prepared statements or parameterized queries to prevent injection attacks.
* **References**:
  * <https://medium.com/@0xankush/readme-com-account-takeover-bugbounty-fulldisclosure-a36ddbe915be>
  * <https://ninadmathpati.com/2019/08/17/how-i-was-able-to-earn-1000-with-just-10-minutes-of-bug-bounty/>
  * <https://twitter.com/HusseiN98D/status/1254888748216655872>

## **Changing Email And Password of any User through API Parameters**

* Attackers can modify email and password parameters in API requests to change account credentials.

```php
POST /api/changepass
[...]
("form": {"email":"victim@email.tld","password":"12345678"})
```

* **Mitigation Steps**:
  * Ensure strict parameter validation and authentication checks.
  * Implement robust logging and monitoring to detect and respond to suspicious activities.
* **Reference**:
  * [Full Account Takeover via API Parameter Manipulation](https://medium.com/@adeshkolte/full-account-takeover-changing-email-and-password-of-any-user-through-api-parameters-3d527ab27240)

## **No Rate Limiting: Email Bombing**

* Lack of rate limiting on password reset requests can lead to email bombing, overwhelming the user with reset emails.
* **Mitigation Steps**:
  * Implement rate limiting based on IP address or user account.
  * Use CAPTCHA challenges to prevent automated abuse.
* **References**:
  * [HackerOne Report 280534](https://hackerone.com/reports/280534)

## **Find out How Password Reset Token is Generated**

* Understanding the pattern or method behind token generation can lead to predicting or brute-forcing tokens. Some options:
  * Based Timestamp
  * Based on the UserID
  * Based on email of User
  * Based on Firstname and Lastname
  * Based on Date of Birth
  * Based on Cryptography
* **Mitigation Steps**:
  * Use strong, cryptographic methods for token generation.
  * Ensure sufficient randomness and length to prevent predictability.
* **Tools**: Use Burp Sequencer to analyze the randomness of tokens.

## **Guessable UUID**

* If UUIDs (version 1) are guessable or predictable, attackers may brute-force them to generate valid reset tokens. Check:

{% content-ref url="/pages/RkFldmoERB1M9jjjTrg5" %}
[UUID Insecurities](/hacktricks/pentesting-web/uuid-insecurities.md)
{% endcontent-ref %}

* **Mitigation Steps**:
  * Use GUID version 4 for randomness or implement additional security measures for other versions.
* **Tools**: Use [guidtool](https://github.com/intruder-io/guidtool) for analyzing and generating GUIDs.

## **Response Manipulation: Replace Bad Response With Good One**

* Manipulating HTTP responses to bypass error messages or restrictions.
* **Mitigation Steps**:
  * Implement server-side checks to ensure response integrity.
  * Use secure communication channels like HTTPS to prevent man-in-the-middle attacks.
* **Reference**:
  * [Critical Bug in Live Bug Bounty Event](https://medium.com/@innocenthacker/how-i-found-the-most-critical-bug-in-live-bug-bounty-event-7a88b3aa97b3)

## **Using Expired Token**

* Testing whether expired tokens can still be used for password reset.
* **Mitigation Steps**:
  * Implement strict token expiration policies and validate token expiry server-side.

## **Brute Force Password Reset Token**

* Attempting to brute-force the reset token using tools like Burpsuite and IP-Rotator to bypass IP-based rate limits.
* **Mitigation Steps**:
  * Implement robust rate-limiting and account lockout mechanisms.
  * Monitor for suspicious activities indicative of brute-force attacks.

## **Try Using Your Token**

* Testing if an attacker's reset token can be used in conjunction with the victim's email.
* **Mitigation Steps**:
  * Ensure that tokens are bound to the user session or other user-specific attributes.

## **Session Invalidation in Logout/Password Reset**

* Ensuring that sessions are invalidated when a user logs out or resets their password.
* **Mitigation Steps**:
  * Implement proper session management, ensuring that all sessions are invalidated upon logout or password reset.

## **Session Invalidation in Logout/Password Reset**

* Reset tokens should have an expiration time after which they become invalid.
* **Mitigation Steps**:
  * Set a reasonable expiration time for reset tokens and strictly enforce it server-side.

## References

* <https://anugrahsr.github.io/posts/10-Password-reset-flaws/#10-try-using-your-token>

<figure><img src="/files/pkCbnqa1piLi0fahSPUn" alt=""><figcaption></figcaption></figure>

Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!

**Hacking Insights**\
Engage with content that delves into the thrill and challenges of hacking

**Real-Time Hack News**\
Keep up-to-date with fast-paced hacking world through real-time news and insights

**Latest Announcements**\
Stay informed with the newest bug bounties launching and crucial platform updates

**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/files/Xcgr3q6BP5MpWT3hTn6d" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/files/Xcgr3q6BP5MpWT3hTn6d" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/files/aQnEyHWQGyok3qCc92qt" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/files/aQnEyHWQGyok3qCc92qt" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://angelica.gitbook.io/hacktricks/pentesting-web/reset-password.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.