Modern application security relies on the username-password combination as the most common approach to authenticate registered users into a digital entity. Because of its ease of implementation for most digital experiences, a password function is used to offer the first line of defense for both front and backend security. However, with the emerging threat landscape, password reset functionality is considered one of the most commonly exploited components. While attackers utilize various attacking mechanisms, one common vulnerability occurs when the average internet user mismanages or fails to secure his credentials properly. This functionality allows the user to recover their account by clicking a forget password button, which generates a password reset link. In a vulnerable application, an attacker can manipulate the password reset token and send it to a domain they control, resulting in a password reset poisoning attack.
This article discusses a password reset poisoning vulnerability, its severity, and approaches to prevent attacks.
What is a Password Reset Poisoning Attack?
In a password reset poisoning attack, the attacker manipulates the host server into generating a malicious password reset link, which sends the reset password URL to an attacker-controlled host. Such attacks are also classified as host header attacks that allow the attacker to overwrite the domain of the link that the host sends to the user. Once the user clicks this link, valid reset tokens are relayed back to the attacker, allowing them to orchestrate deeper system-level exploits.
Hackers typically take advantage of host header injection vulnerabilities to take over user accounts that are permitted to use the password reset functionality. Since the server dynamically generates an HTTP referer header based on user input, in the absence of appropriate host header validation, a threat actor can alter the input with a malicious password reset email.
Password Reset Poisoning Attacks – Common Examples
Some common mechanisms through which attackers exploit password reset vulnerabilities include:
Basic Password Reset Poisoning Attack
Attackers can construct a basic password reset poisoning attack on instances where the host server dynamically generates the reset password URL based on a user-controllable host header. The basic form of password reset poisoning attack typically goes through the following steps:
- The malicious user obtains a legitimate user’s username or email address and submits a password reset request on their behalf.
- Hackers interject the HTTP request and modify the host header to point towards a malicious attacker-controlled domain, such as http://darwin-evil-site.net.
- The site sends a reset password email to the legitimate user, which contains a password reset link and a valid password reset token. The domain name in the token’s URL points to the attacker-controlled host, such as https://darwin-evil-site.net/reset?token=0a1b2c3d4e5f6g7h8i9j.
- If the victim clicks this link, a password reset token is sent to the hacker’s host.
- The attacker visits the vulnerable application/web server and uses the relevant query parameter to submit the password token. The attacker can then reset the user’s password to their chosen value and take over the registered user’s account.
Password Reset Poisoning via Dangling Markup
Dangling markups are unfinished HTML tags on a page that allow attackers to include malicious links that are parsed until an expected terminating declaration is encountered. For example, in a vulnerable application, the attacker can modify the host header in the password reset request to trigger a reset email that delivers the new password to the server.
With the hacker’s server capturing the generated token to log into the victim’s account, a dangling markup attack is commonly used to orchestrate cross-site request forgery account takeovers. This attack can only be carried out on websites with vulnerable parser-inserted sinks containing dangling HTML markup.
Password Reset Poisoning – Severity Level
Password reset poisoning attacks mainly aim to steal legitimate user accounts and perform actions based on their permissions. The attack is trivial and is commonly exploited as a low-hanging fruit through most hacker-powered security tools. Depending on the compromised user’s account and the amount of time to detection, the consequences of an attack range from moderate to severe.
Impacts of a successful attack include:
- Complete account takeover
- Registered user account lockout
- Data breaches
- Financial fraud
- Complete system compromise in incidents where the malicious actor gains access to an administrative account
- Denial of service
- User enumeration
As the attack requires no initial privileges and can be orchestrated via minimal interaction with a normal user, the complexity score of the attack is considered low. Once the hacker has compromised a resource/subject/account, they can affect resources beyond the scope of the affected entity. While there is no official or permanent fix, prevention techniques rely on security and software teams to apply a clean-slate approach to keep exploits at bay. The vulnerability has a base CVSS and temporal score of 7.1, making it a high-ranking vulnerability in the CVSS database.
Identifying Password Reset Vulnerabilities with Crashtest Security
Crashtest Security offers a suite of automated vulnerability scanners to identify and remediate password reset flaws before attackers can exploit them. The platform’s HTTP header scanner helps identify any alterations in the host header that can be exploited to abuse the password reset function. Crashtest Security Suite also ships with a CSRF testing tool, SQL injection scanner, and command injection scanner to help remediate security gaps that can be abused to request password resets maliciously.
Crashtest Security also provides actionable security reports to help reduce the attack surface by proactively mitigating critical security issues. In addition, the platform integrates seamlessly with most modern frameworks, making it easy for organizations to administer a comprehensive vulnerability scanning mechanism into their existing workflows.
Password Reset Attack Prevention Methods
Some common approaches to prevent password reset attacks include:
Offline Security Reinforcement of Password Reset Functionality
Offline methods do not require a user to possess a server-side identifier to access the reset password functionality. Instead, an offline identifier is issued when the user registers for an account, which is then used by the backend server to authenticate legitimate users looking to reset their passwords. As a recommended approach, offline identifiers should be stored securely, and the server should follow general credential security practices when authenticating users.
Administer Strong Password Reset URL Tokens
When recovering an account, the authentication server typically passes a valid token within a query string in the password link. These tokens are usually sent to the user via email and are valid for a limited period, within which registered users are required to generate a new password. To ensure URL tokens are not abused via cross-site request forgery, developers should provision strong, cryptographically unique schemes that reduce the predictability of tokens.
The use of security questions is a common functionality for password reset requests. However, since attackers can obtain answers to most security questions through a random guess or a brute force attack, using security questions should be combined with other security mechanisms to avoid easy exploits.
Vulnerability Scanning and Penetration Testing
Automated vulnerability scanners enable developers and security professionals to uncover inherent vulnerabilities before attackers exploit them. Penetration testing helps application development teams perform in-depth security analysis while understanding how malicious actors can exploit flaws to orchestrate attacks. In addition, an appropriately administered penetration testing mechanism helps implement additional sanity checks that can help bolster the detection of password reset attempts, keeping the application free from unauthenticated account takeovers.
Detecting Password Reset Vulnerabilities with Crashtest Security
Crashtest Security offers a combination of various vulnerability scanners to enable continuous automated testing and help reduce the attack surface. In addition, the security suite integrates seamlessly across different components of a DevOps pipeline, enabling security professionals to save time and budget on administering robust security controls.
Try Crashtest Security for a free, 14-day demo and discover how the platform can help your organization detect password reset vulnerabilities within applications and APIs before they are released into production.