Password reset broken logic is a web vulnerability that falls into the category of authentication vulnerabilities. If a website or application has a password reset broken logic flaw, an attacker can exploit it to hijack any user's account.
What is Password Reset Broken Logic?
Exploiting this vulnerability is usually not difficult. The root cause is that the password reset functionality does not properly verify that the person submitting the reset is the owner of the account named in the request, so an attacker can reset a victim's password and then log in as that user.
To carry out this attack, the attacker only needs to know the victim's email address, phone number, or username, whichever the reset function uses to identify the account. That identifier is typically obtained earlier, during the enumeration step.
Our previous articles covered related techniques such as username enumeration, 2FA bypass, and brute-forcing.
That was an introduction to password reset broken logic. Next, we will solve a practical lab to understand it fully.
We are using the official PortSwigger labs, known as the Web Security Academy, for our learning. As shown in the screenshot, we have selected the lab that is vulnerable to password reset broken logic.
In the lab, we are provided with our own credentials to log in to our account and also with the victim’s username: Carlos.
First, we reset our own account's password to understand how the reset mechanism works. We also enable Burp Suite's proxy so that we can inspect the requests we send and the responses the server returns, which reveals the application's behavior.
Analyzing the Password Reset Request Body
Using the "forgot password" flow for my account "wiener", I submitted the /forgot-password request through Burp Suite for my own account. At the end of the request body, the username "wiener" appears. I changed my own account's password and then reviewed the related requests in the Burp Suite proxy's HTTP history.
If we study the POST-based forgot-password request, we can see that it carries a token:
POST /forgot-password?temp-forgot-password-token=iY9MQmE9NgePh3WbGnOBBqGl2Nqy8VLs
The body of this request ends with the following parameters:
temp-forgot-password-token=iY9MQmE9NgePh3WbGnOBBqGl2Nqy8VLs&username=wiener&new-password-1=password&new-password-2=password
Now we come to the main point. The same token value appears twice in this request: once in the query string at the start, and again in the body next to the username and the new password we chose during the reset.
Modifying the Password Reset Request
In the next screenshot, we have sent the earlier request to Burp Repeater and modified it. As a first step, we removed both copies of the token, from the query string and from the body. As a second step, we replaced our own username "wiener" with the victim's username "carlos" and sent the request.
Accessing the Victim’s Account with the New Password
The server responded with 302 Found, which indicates that it accepted and processed the request even without any token. We then attempt to log in with these credentials to confirm that we really did reset another user's password.
We have successfully logged into Carlos's account in the PortSwigger Web Security Academy lab for password reset broken logic.
Overview of Password Reset Broken Logic Attack
To start, we logged into our own account with the provided credentials, then used the "forgot password" flow for the account "wiener" to initiate a reset. During this process, we intercepted and analyzed the POST-based request with Burp Suite's proxy. In this request, we noticed the token being sent twice, once in the query string and once in the body, along with the username "wiener" and the new password we had just chosen.
Next, we modified the request by removing the tokens and replacing the username "wiener" with "carlos", our victim. After submitting the modified request, we received a 302 response from the server. We then logged in with Carlos's username and the new password we had just set, and it worked.
In summary, we exploited the password reset broken logic vulnerability by intercepting and modifying the POST-based reset request in Burp Suite, removing the tokens and changing the username to the victim's. Because the server changed the password of whichever account was named in the request without checking the token, this reset the victim's password and gave us access to their account.
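As an added illustration (this is not code from the PortSwigger lab or from the original post), here is a minimal Python model of the server-side reset handler: the vulnerable version trusts the username in the body exactly as the lab does, while the fixed version derives the account from a server-side token record and refuses the request when the token is missing, expired, already used, or bound to a different user. The in-memory stores, the sample accounts and the 900-second token lifetime are assumptions made for the demo.

```python
import secrets
import time
from urllib.parse import parse_qs

# Constructed in-memory stores standing in for the application's database.
USERS = {"wiener": "peter", "carlos": "montoya"}  # username -> password (plaintext only for this demo)
RESET_TOKENS = {}  # token -> {"username": ..., "expires": ...}


def parse_reset_body(body):
    """Parse a form body like the one in the lab into a flat dict of single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def issue_reset_token(username, ttl_seconds=900):
    """Mint a random, time-limited token bound to exactly one account (the 'forgot password' step)."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = {"username": username, "expires": time.time() + ttl_seconds}
    return token


def reset_password_vulnerable(body):
    """Mirrors the lab's broken logic: the token is never consulted, so the
    client-supplied username alone decides whose password is changed."""
    form = parse_reset_body(body)
    if form.get("new-password-1") != form.get("new-password-2"):
        return False
    USERS[form["username"]] = form["new-password-1"]
    return True


def reset_password_fixed(body):
    """Hardened handler: the account comes from the server-side token record; the
    token must be present, unexpired and unused, and any username the client
    sends must match the account the token was issued for."""
    form = parse_reset_body(body)
    token = form.get("temp-forgot-password-token")
    if not token:
        return False  # no token, no reset: a missing field must never fall through
    record = RESET_TOKENS.pop(token, None)  # single use: consumed even if later checks fail
    if record is None or record["expires"] < time.time():
        return False
    if "username" in form and form["username"] != record["username"]:
        return False  # tampered request: the token belongs to a different account
    if form.get("new-password-1") != form.get("new-password-2"):
        return False
    USERS[record["username"]] = form["new-password-1"]
    return True
```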
To continue studying, check out the next lab, Username Enumeration via Subtly Different Responses, but finish the current lab before moving on. Good luck!