Sumeru Cyber Security
Improper forgot password implementation

Last updated 5 years ago

Introduction

The application does not verify the user by email or OTP before allowing a forgot-password or change-password action.

How To Test

When you click the Forgot Password option, the application should take you to a page that asks for your email address or mobile number. If instead it redirects directly to the change-password page, anyone can change the password of whichever account they choose.

This is because anyone who knows the URL of the change-password page can change the password directly.

How to Fix

CAPTCHA on the Forgot Password form

In the absence of a CAPTCHA on the Forgot Password page, an attacker would be able to initiate a large number of password reset requests with the help of bots, thus performing a DoS.

The new password should not be sent in cleartext to the registered e-mail address

A lot of Forgot Password implementations reset the password and send the new password to the user via e-mail. The potential problem with this approach is that an attacker might be able to sniff the password. Instead of sending it in clear text, it can be encrypted.

Sending a password reset link to the registered e-mail ID

In the mail we can send a link to the change-password page, for example with a random token generated for each forgot-password request and carried in the id parameter of the link.

Once the password is changed, the link will be invalidated.

After clicking this link from the mail, the page should ask for the new password and a confirmation of it. The change-password link must expire once the new password has been set.

Note

  • It is recommended to verify the user through OTP or mail.

  • After clicking Forgot Password, the application should ask for the registered mobile number or email address.

  • For OTP, we can generate an OTP and send it to the registered mobile number; the password can be changed only if the OTP is valid. The OTP must expire properly.

  • For mail, we can generate a random password as the new password; the user is told to log in with this new password and change it within some time duration.
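As an added illustration (not code from the original page), here is a minimal Python reset-token service that implements the rules above: an unguessable random token carried in the id parameter of the change-password link, a short expiry, and invalidation of the link on first use. The hostname example.invalid, the 15-minute lifetime and the in-memory user and token stores are assumptions for the demo.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

RESET_TTL_SECONDS = 15 * 60  # a reset link stops working after 15 minutes (assumed)

class PasswordResetService:
    """Single-use, expiring tokens for the change-password link; only a
    SHA-256 digest is stored, and `now` is injectable for testing."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending: Dict[str, Tuple[str, float]] = {}  # digest -> (user_id, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str) -> str:
        """Create a fresh unguessable token; the caller e-mails the link."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (user_id, self._now() + RESET_TTL_SECONDS)
        return token

    def reset_link(self, token: str) -> str:
        # The token travels in the `id` parameter of the change-password page.
        return "https://example.invalid/changepassword.php?id=" + token

    def redeem(self, token: str) -> Optional[str]:
        """Return the user id for a valid token, else None. The entry is popped
        on first use, so the link cannot be replayed; expired ones are dropped."""
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        return None if self._now() > expires_at else user_id

def reset_password(service: PasswordResetService, users: Dict[str, str],
                   token: str, new_password: str) -> bool:
    """Change the password only when the token checks out; never act on an
    `id` the client supplies without going through redeem()."""
    user_id = service.redeem(token)
    if user_id is None or user_id not in users:
        return False
    # Placeholder hash for the demo; a real store would use bcrypt/argon2.
    users[user_id] = hashlib.sha256(new_password.encode("utf-8")).hexdigest()
    return True
```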
