Password Reset Poisoning — Attack Types and Prevention

What is a Password Reset Poisoning Attack?

Password Reset Poisoning Attacks — Common Examples

Basic Password Reset Poisoning Attack

  • The attacker obtains a legitimate user’s username or email address and submits a password reset request on that user’s behalf.
  • The attacker intercepts the HTTP request and modifies the Host header to point at an attacker-controlled domain, such as http://darwin-evil-site.net.
  • The site sends a password reset email to the legitimate user containing a reset link with a valid reset token. Because the application built the link from the Host header, the link’s domain points to the attacker-controlled host, such as https://darwin-evil-site.net/reset?token=0a1b2c3d4e5f6g7h8i9j.
  • If the victim clicks this link, the password reset token is sent to the attacker’s host.
  • The attacker visits the vulnerable application and submits the captured token through the relevant query parameter. The attacker can then reset the user’s password to a value of their choosing and take over the account.
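The steps above hinge on one server-side mistake: building the reset link from the client-supplied Host header. The following Python is an added example (not code from the article or from Crashtest Security) that places the vulnerable link builder beside a hardened one that uses a configured canonical origin, adds a Host allowlist check, and generates a high-entropy token. The origin `https://app.example.com`, the allowlist, the header dictionaries and the function names are all constructed for this illustration; the attacker domain is the one the article uses.

```python
import secrets
from typing import Optional
from urllib.parse import urlencode, urlsplit

# Constructed configuration for a hypothetical application: the public origin
# is fixed in server-side config and never derived from the incoming request.
CANONICAL_ORIGIN = "https://app.example.com"
ALLOWED_HOSTS = {"app.example.com"}

# Constructed sample requests: a normal one and one with a poisoned Host header.
LEGIT_HEADERS = {"Host": "app.example.com"}
POISONED_HEADERS = {"Host": "darwin-evil-site.net"}


def build_reset_link_vulnerable(headers: dict, token: str) -> str:
    """Vulnerable pattern: the link host is copied from the request's Host
    header, so a poisoned header makes the emailed link carry the token to
    whatever host the sender of the request chose."""
    host = headers.get("Host", "")
    return f"https://{host}/reset?{urlencode({'token': token})}"


def build_reset_link_safe(token: str) -> str:
    """Hardened pattern: the link is built from a server-side constant, so the
    request headers cannot influence where the token is delivered."""
    return f"{CANONICAL_ORIGIN}/reset?{urlencode({'token': token})}"


def host_is_allowed(headers: dict) -> bool:
    """Defence in depth: reject the request outright when Host (or a proxy's
    X-Forwarded-Host) names a hostname that is not on the allowlist."""
    for name in ("Host", "X-Forwarded-Host"):
        value = headers.get(name)
        if value is None:
            continue
        hostname = value.split(":", 1)[0].strip().lower()  # drop any :port
        if hostname not in ALLOWED_HOSTS:
            return False
    return True


def new_reset_token() -> str:
    """An unguessable reset token: 32 random bytes, URL-safe base64 encoded."""
    return secrets.token_urlsafe(32)


def handle_reset_request(headers: dict, token: str) -> Optional[str]:
    """Combined handler: refuse unknown hosts, otherwise build the link safely.
    Returns None when the request should be rejected."""
    if not host_is_allowed(headers):
        return None
    return build_reset_link_safe(token)


def link_host(url: str) -> Optional[str]:
    """Hostname the emailed link would send the user (and token) to."""
    return urlsplit(url).hostname


if __name__ == "__main__":
    token = new_reset_token()
    print("vulnerable, poisoned Host ->", build_reset_link_vulnerable(POISONED_HEADERS, token))
    print("hardened,   poisoned Host ->", handle_reset_request(POISONED_HEADERS, token))
    print("hardened,   legit Host    ->", handle_reset_request(LEGIT_HEADERS, token))
```

Running the block shows the vulnerable builder emitting a link to darwin-evil-site.net while the hardened handler refuses the poisoned request and, for the legitimate one, always links to the configured origin. The allowlist check is the detection hook: a request rejected there is worth logging, since a Host value outside the allowlist is rarely produced by a normal browser.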

Password Reset Poisoning via Dangling Markup

Password Reset Poisoning — Severity Level

Identifying Password Reset Vulnerabilities with Crashtest Security

Password Reset Attack Prevention Methods

Offline Security Reinforcement of Password Reset Functionality

Administer Strong Password Reset URL Tokens

Security Questions

Vulnerability Scanning and Penetration Testing

Detecting Password Reset Vulnerabilities with Crashtest Security
