Account Compromise through Password Reset

  • Writer: Pankhuree Srivastava
  • Nov 18, 2016
  • 2 min read

Account Compromise

During the course of testing I have seen many interesting cases of account compromise through password reset.

This functionality is frequently vulnerable when it has not been implemented correctly.

I am going to discuss an interesting case here which I discovered.

Scenario:

So for the sake of convenience let's say I was testing for an application called XYZ.

When a user of the XYZ application, say Vivek, requests a password reset, the application first asks Vivek some security questions. Vivek answers these questions correctly and the application returns a new page asking him to reset his password. On entering the new password twice and submitting the request, Vivek can finally use the newly set password.

The good thing here is that the application actually asks security questions and validates the answers server-side. The problem was that when the second request, containing the new password, was sent to the server, the username was sent along with it, and the server used that client-supplied value to decide which account to update.

Exploitability:

An attacker, Pankh who is also a user of the application clicks on the Forgot password link.

Next, Pankh answers the security questions for his own account. The application now trusts him to be a valid user and returns the page for entering the new password. The form asks the user to enter the new password twice.

The attacker fills in the form fields and submits the form. The attacker intercepts this request and can now modify the username value to the username of the victim (say Vivek). The images below show the original and modified requests. The application accepts the modified request successfully and, as a result, the victim's password is reset without him having any idea of the attack. Hence the victim's account has been compromised.

Figure 1
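To make the root cause concrete, here is an added example (not the XYZ application's code, whose internals are not shown in the post) that models the two-step reset flow above: step 1 verifies the security answer and issues an opaque reset token bound server-side to the verified account; step 2 is shown twice, once taking the target account from the client-supplied username as the vulnerable application did, and once taking it only from the server-side reset session. The user store, answers and passwords are constructed sample data.

```python
import hmac
import secrets
from typing import Optional

# Constructed sample user store (assumption: a dict standing in for the database).
USERS = {
    "vivek": {"answer": "blue", "password": "vivek-old"},
    "pankh": {"answer": "red", "password": "pankh-old"},
}

# Server-side reset state: opaque token -> username whose answers were verified.
# In a real application this lives in the server session store, never in the form.
RESET_SESSIONS: dict = {}


def verify_security_answers(username: str, answer: str) -> Optional[str]:
    """Step 1: check the security answer; on success issue a reset token that is
    bound on the server to the account that actually answered."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["answer"], answer):
        return None
    token = secrets.token_urlsafe(32)
    RESET_SESSIONS[token] = username
    return token


def reset_vulnerable(form: dict) -> bool:
    """Step 2 as the post describes it: the account to update is read from the
    client-controlled 'username' field, so a verified reset can be re-targeted."""
    user = USERS.get(form.get("username", ""))
    if user is None or form["new"] != form["confirm"]:
        return False
    user["password"] = form["new"]
    return True


def reset_fixed(form: dict) -> bool:
    """Step 2 hardened: the account comes only from the server-side reset session
    looked up by the single-use token; any 'username' field in the form is ignored."""
    username = RESET_SESSIONS.pop(form.get("token", ""), None)  # consume the token
    if username is None or form["new"] != form["confirm"]:
        return False
    USERS[username]["password"] = form["new"]
    return True
```

Changing the password only for the identity recorded at step 1, and never for a name the client resends at step 2, is the check that closes the bug; the token being single-use prevents a captured step-2 request from being replayed.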

Impact:

The victim will no longer be able to log in to his own account with his password.

The attacker has complete control over the account. The victim's account could also be an admin account. Depending on how critical the application is, this could have serious impacts.
