Exploiting Password Reset Feature

Every website that supports authentication would surely have a password reset feature where users can reset the passwords for their accounts. There is no single bug that exploits every password reset feature, because applications are coded in different ways, unless you find a password reset bug in a content management system such as WordPress or Joomla, which would then affect all the websites running that content management system. One of the popular bugs with Joomla was a password reset vulnerability where the token was not checked on the server end; there have been similar known issues with WordPress, Drupal, etc.
You can review more technical details from the following link:
◾ http://www.exploit-db.com/exploits/6234/
Etsy.com Password Reset Vulnerability

Etsy.com back in 2012 was suffering from the same password reset vulnerability. The issue, found by a security researcher, Yogesh Jaygadkar, was that the token that was supposed to check whether it was the same user requesting a new password was not being validated on the server side. This is a very common issue you would find with many websites.
Here is the request that etsy.com users made when they applied for a new password:
https://www.etsy.com/confirm.php?email=[Email Address]&code=[Token code]&action=reset_password&utm_source=account&utm_medium=trans_email&utm_campaign=forgot_password_1
The user e-mail address and token code are the parameters of interest. The user enters an e-mail address, and the server checks the token to confirm that the request is valid; that would have been the normal behavior of this application. In this case, however, the token is not validated on the server side, so all that the attacker needs to do is remove the token field and enter the victim's e-mail address instead of his own.
The request would look like the following:
https://www.etsy.com/confirm.php?email=[victim's email ID]&action=reset_password&utm_source=account&utm_medium=trans_email&utm_campaign=forgot_password_1
320 ◾ Ethical Hacking and Penetration Testing Guide

Another thing to check with the generated tokens is whether they are predictable; if so, an attacker can easily guess the tokens and reset the victim's password.
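The two weaknesses described in this section, a reset token that the server never checks and a token that can be guessed, can be shown side by side in a small handler. The following is an added example, not code from the book or from etsy.com: `confirm_vulnerable` mirrors the flawed behaviour (the e-mail parameter alone decides whose password is reset), while `confirm_hardened` requires a code and binds it to a stored, hashed, expiring, single-use token generated from the OS CSPRNG. The in-memory token store, the `params_from_url` helper and the `victim@example.com` address are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Constructed in-memory store (a real app would use a database): email -> (sha256 of token, expiry).
RESET_TOKENS = {}
TOKEN_TTL = 15 * 60  # seconds a reset link stays valid

def params_from_url(url):
    """Flatten a confirm.php-style query string into a dict (first value per key)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

def issue_reset_token(email, now=None):
    """Mint an unguessable token from the OS CSPRNG; only its hash is kept server side."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of entropy, so not predictable
    RESET_TOKENS[email] = (hashlib.sha256(token.encode()).hexdigest(), now + TOKEN_TTL)
    return token

def confirm_vulnerable(params):
    """The flaw described above: the e-mail address alone selects the account, and
    'code' is never compared with anything, so a request without it still succeeds."""
    return params.get("action") == "reset_password" and bool(params.get("email"))

def confirm_hardened(params, now=None):
    """Require a code and bind it to a stored, hashed, expiring, single-use token."""
    now = time.time() if now is None else now
    email, code = params.get("email"), params.get("code")
    if params.get("action") != "reset_password" or not email or not code:
        return False
    entry = RESET_TOKENS.get(email)
    if entry is None:
        return False
    stored_hash, expires_at = entry
    if now > expires_at:
        RESET_TOKENS.pop(email, None)
        return False
    presented = hashlib.sha256(code.encode()).hexdigest()
    if not hmac.compare_digest(stored_hash, presented):  # constant-time compare
        return False
    RESET_TOKENS.pop(email, None)  # single use: a replayed link must fail
    return True
```

Hashing the stored token means a database leak does not hand out live reset links, and the constant-time comparison avoids leaking how many leading characters of a guess were correct.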