Hacktricks-skills password-reset-bypass-testing

Security testing skill for identifying password reset vulnerabilities. Use this skill whenever the user needs to test password reset functionality for security flaws, audit authentication flows, or assess reset token security. Trigger on requests about password reset testing, authentication bypass, token leakage, reset endpoint security, or any password recovery mechanism assessment. Make sure to use this skill for any pentesting task involving password reset flows, even if the user doesn't explicitly mention 'password reset' but describes authentication or account recovery testing.

install

source · Clone the upstream repo

git clone https://github.com/abelrguezr/hacktricks-skills

manifest: skills/pentesting-web/reset-password/SKILL.MD

source content

Password Reset Bypass Testing

A comprehensive skill for security researchers and penetration testers to identify and test password reset vulnerabilities in web applications.

When to Use This Skill

Use this skill when:

Testing password reset functionality for security vulnerabilities
Auditing authentication and account recovery flows
Assessing reset token generation and validation mechanisms
Evaluating password change endpoints for bypass vulnerabilities
Reviewing session management during password reset operations
Testing for account takeover via password reset mechanisms

Testing Methodology

1. Password Reset Token Leak Via Referrer

What to test: Check if password reset tokens leak through HTTP Referer headers when users navigate to third-party sites.

Testing steps:

Request a password reset to your test email address
Click the reset link provided in the email
Do not change your password yet
Navigate to a third-party website (e.g., example.com) while intercepting requests with Burp Suite
Inspect the Referer header to see if it contains the password reset token

What to look for:

Token in URL query parameters (e.g.,
```
?token=abc123
```
)
Token in URL path segments
Any sensitive data in the Referer header

Impact: Account takeover via CSRF attacks if third parties can capture the token.

2. Password Reset Poisoning

What to test: Check if the application uses the Host header to construct password reset URLs.

Testing steps:

Intercept the password reset request
Modify the Host header to point to your controlled domain
Submit the request and check the reset email
Verify if the reset link points to your malicious domain

Example:

POST /resetPassword HTTP/1.1
Host: attacker.com
Content-Type: application/x-www-form-urlencoded

email=victim@example.com

What to look for:

Reset links pointing to attacker-controlled domains

Use of

$_SERVER['HTTP_HOST']

instead of

$_SERVER['SERVER_NAME']

Mitigation: Validate Host header against whitelist, use server-side URL generation.

3. Email Parameter Manipulation

What to test: Check if additional email parameters can divert reset links to attacker emails.

Testing variations:

Technique	Example
Multiple parameters	`email=victim@email.com&email=attacker@email.com`
Space separator	`email=victim@email.com%20email=attacker@email.com`
Pipe separator	`email=victim@email.com
CC injection	`email="victim@mail.tld%0a%0dcc:attacker@mail.tld"`
BCC injection	`email="victim@mail.tld%0a%0dbcc:attacker@mail.tld"`
Comma separator	`email="victim@mail.tld",email="attacker@mail.tld"`
JSON array	`{"email":["victim@mail.tld","attacker@mail.tld"]}`

What to look for:

Multiple reset emails sent
Reset link sent to attacker email
Application processing all email parameters

4. API Parameter Manipulation

What to test: Check if email/password parameters in API requests can be modified to change account credentials.

Testing steps:

Intercept password change API requests
Modify the email parameter to target a different account
Submit the request and verify if the password was changed

Example:

POST /api/changepass
Content-Type: application/json

{"form": {"email":"victim@email.tld","password":"12345678"}}

What to look for:

Password changed for different user than authenticated user
Missing ownership verification

5. Rate Limiting Assessment

What to test: Check for lack of rate limiting on password reset requests.

Testing steps:

Send multiple password reset requests in quick succession
Monitor for email bombing (user receiving many reset emails)
Check for account lockout or CAPTCHA challenges

What to look for:

No rate limiting based on IP or account
No CAPTCHA after multiple attempts
Ability to spam users with reset emails

6. Token Generation Analysis

What to test: Understand how password reset tokens are generated to assess predictability.

Common patterns to check:

Based on timestamp
Based on UserID
Based on email address
Based on user attributes (name, DOB)
Based on weak cryptography

Testing tools:

Use Burp Sequencer to analyze token randomness
Use guidtool for UUID analysis

What to look for:

Predictable patterns in tokens
Version 1 UUIDs (time-based, potentially guessable)
Short token length (< 128 bits)
Low entropy in token generation

7. Token Expiration Testing

What to test: Check if expired tokens can still be used for password reset.

Testing steps:

Request a password reset and obtain a valid token
Wait for the token to expire (check documentation or test various timeframes)
Attempt to use the expired token

What to look for:

Expired tokens still accepted
No server-side expiration validation
Inconsistent expiration enforcement

8. Brute Force Token Testing

What to test: Check if reset tokens can be brute-forced.

Testing steps:

Analyze token format and length
Use tools like Burp Suite with IP rotator to bypass rate limits
Attempt to guess valid tokens

What to look for:

Short token length
Predictable token format
No rate limiting on token validation
No account lockout after failed attempts

9. Token Cross-User Testing

What to test: Check if an attacker's reset token can be used with a victim's email.

Testing steps:

Request password reset for attacker's account
Obtain the reset token
Attempt to use attacker's token with victim's email address

What to look for:

Token not bound to specific user
Token validation only checks format, not ownership

10. Session Invalidation Testing

What to test: Check if sessions are properly invalidated after password reset.

Testing steps:

Log in to a test account
Request and complete a password reset
Check if the original session remains valid
Verify if all sessions are invalidated

What to look for:

Old sessions remain active after password change
No session invalidation on logout
Session tokens not rotated after password reset

11. OTP Rate Limit Bypass

What to test: Check if OTP rate limits can be bypassed by changing sessions.

Testing steps:

Request password reset with OTP
Attempt multiple wrong OTP guesses until rate limited
Request a new session token
Continue guessing with new session

What to look for:

Rate limiting based only on session, not IP/account
Weak OTP (≤ 4 digits)
No persistent rate limiting across sessions

12. skipOldPwdCheck Vulnerability

What to test: Check for password change endpoints that skip old password verification.

Testing steps:

Look for password change endpoints with action parameters
Test if
```
skipOldPwdCheck=true
```
or similar parameters can be added
Attempt to change password without providing old password or reset token

Example vulnerable pattern:

POST /hub/rpwd.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded

action=change_password&user_name=admin&confirm_new_password=NewP@ssw0rd!

What to look for:

Password change without authentication
Missing token verification
skipOldPwdCheck or similar bypass parameters

13. Registration-as-Password-Reset (Upsert)

What to test: Check if registration endpoint updates existing users instead of rejecting.

Testing steps:

Attempt to register with an existing email address
Provide a new password in the registration request
Check if the existing user's password was updated

Example:

POST /api/register
Content-Type: application/json

{"email":"victim@example.com","password":"New@12345"}

What to look for:

Registration succeeds with existing email
Existing user's password is overwritten
No duplicate email validation

Reporting Findings

When documenting vulnerabilities, include:

Vulnerability type (e.g., "Password Reset Token Leak via Referrer")
Affected endpoint (URL and HTTP method)
Request/Response examples showing the vulnerability
Impact assessment (e.g., "Full account takeover possible")
Mitigation recommendations
References to similar vulnerabilities or CVEs

Mitigation Guidelines

General Recommendations

Use strong, cryptographic token generation (≥ 128 bits of entropy)
Implement server-side token validation with expiration
Bind tokens to user sessions and IP addresses
Implement rate limiting on reset requests and token validation
Invalidate all sessions after password change
Use HTTPS for all authentication-related endpoints
Implement proper input validation and output encoding

Specific Mitigations

Vulnerability	Mitigation
Token leak via referrer	Use POST requests, not GET; remove tokens from URLs
Host header poisoning	Validate Host header; use `$_SERVER['SERVER_NAME']`
Email parameter manipulation	Parse and validate email parameters server-side
Rate limiting bypass	Implement persistent rate limiting across sessions
Token brute force	Use long, random tokens; implement account lockout
Session invalidation	Invalidate all sessions on password change
Upsert registration	Check for existing email before registration

References

Test Cases

Use these test prompts to validate the skill:

"Test the password reset functionality at https://example.com/reset for token leakage via referrer header"
"Check if the password reset endpoint at /api/resetPassword is vulnerable to email parameter manipulation"
"Assess the password reset token generation for predictability and brute-force resistance"
"Verify if sessions are properly invalidated after password reset on the application"
"Test for registration-as-password-reset vulnerability on the signup endpoint"