
# Predictable Reset Token


## Description

Write Up: Guillaume
Creator: WOCSA
Difficulty: Unknown


## Statement

This vulnerability allows any malicious user to reset the password of a user without its agreement.

The only information needed is the username of the account to reset.


## Detailed solution

![[Pasted image 20240504101525.png]]

Report Title: Predictable Reset Token

## Bug details

- Bug Type: Weak Password Mechanism for Forgotten Password (CWE-640)
- Scope: *.3xploit.me
- Endpoint: http://vu9piqbr.3xploit.me/reset_password/md5(user)
- Vulnerable part: GET parameter
- Payload: md5(user)
- Technical environment: Framework ???

## Bug characteristics

- Attack Vector: Network
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: NONE
- Scope: UNCHANGED
- Confidentiality: HIGH
- Integrity: LOW
- Availability: NONE

## Description
When a user wants to reset their password, the last part of the reset URL is the MD5 hash of their username.

## Exploitation
In the JWT token, the user is identified by an incremental ID starting at 1. This leaks data such as the number of users or the account creation order.

## PoC
For example, this can be chained with the brute-forced token to enumerate and take over (ATO) every user because of this ID generation; we guess that `"user_id": 1` will be the administrator.


## Remediation
Use UUIDv4 to identify users.

![[Pasted image 20240504134555.png]]