Business Security of Web Attack and Defense: A Summary of Password Recovery Security Cases.

Business security refers to the measures or means used to protect business systems from security threats. In the broad sense, business security covers the software and hardware platforms on which the business runs (operating systems, databases, middleware, etc.), the business system itself (software or equipment), and the security of the services the business provides; in the narrow sense, it refers to the security of the business system's own software and services.


Table of contents:

Password retrieval security case summary:

The password recovery credential can be brute-forced:

Password recovery credentials are returned directly to the client:

Password reset credentials are loosely associated with user accounts:

Rebind the user's mobile phone:

Server-side verification code logic flaws:

Local verification of the server's response: modifying the response packet to pass verification:

Registration overwrite: existing users can be registered again:

Session overwrite to reset other accounts' passwords:

Measures to prevent password retrieval vulnerabilities:


Disclaimer:

It is strictly forbidden to use the techniques mentioned in this article to carry out illegal attacks; anyone who does so bears the consequences, and the uploader assumes no responsibility.


Password retrieval security case summary:

The password recovery credential can be brute-forced:

A password recovery credential is the verification code or specially constructed URL that the server sends to the user's registered mobile phone or email address during password recovery so that the user can prove their identity. When the restrictions on verification are lax or can be bypassed, an attacker can enumerate the credential by brute force and then impersonate the user to reset the password.


Password recovery credentials are returned directly to the client:

Some information systems have logic flaws in the design of the password recovery function and return the credential used for self-identification to the client in various ways. An attacker who captures the packets locally and analyses their content can obtain other users' password recovery credentials and use them to reset those users' passwords.


Password recovery credentials are exposed in the request link

Step 1: Go to the login page of a website, click Forgot Password, and choose to retrieve the password through the registered mobile phone.

Step 2: Enter the mobile phone number, click to get the verification code, and use Burp Suite to capture the packet; the verification code is visible in the request URL.

Step 3: Enter the verification code exposed in the request URL directly to change the password.


The secret answer is hidden in the source code of the web page

Step 1: Go to a website, click the "Retrieve Password" button, and then click the "Online Appeal" link.

Step 2: On the appeal page, view the page source directly. The source contains not only the password hint questions but also their answers, hidden in a hidden table. In this way the answer to any user's password question can be obtained, and other users' passwords can be changed.


The SMS verification code is returned to the client: https://tianyuk.blog.csdn.net/article/details/130023416


Password reset credentials are loosely associated with user accounts:

Some information systems have defects in the verification logic of the password retrieval function: they only check whether the password reset credential exists in the database, without strictly verifying that the credential is bound to the user account. Because the reset credential is not strictly associated with the account, an attacker can reset other accounts' passwords simply by changing the user account in the request packet.


Use your own SMS verification code to retrieve someone else's password.

Step 1: Open the mobile-phone password retrieval page and enter your own mobile phone number to retrieve the password.

Step 2: After receiving the verification code, fill in the verification code and the new password and submit. Capture the packet with Burp Suite, change the username in the packet to another account, and submit the POST; the password you set now logs in to the other account.


Rebind the user's mobile phone:

Some information systems have an unauthorized access vulnerability in the function that binds a mobile phone or mailbox to a user. An attacker can use it to bind a mobile phone or mailbox to other users' accounts without authorization, and then reset their passwords through the normal password retrieval process.


Rebind the user's mobile phone

Step 1: Register a test account with an email address, then go to the page for binding a mobile phone.

Step 2: Note that the link contains a uid parameter. Change the uid to another user's email account, fill in a mobile phone number you control, obtain the verification code, and confirm that the phone has been bound to the target email account without authorization.

Step 3: Go through the normal password retrieval process; the mailbox now offers an additional way to retrieve the password via mobile phone, and the number shown is the one just bound.

Step 4: Obtain the verification code and enter the new password; the target account's password is reset.


Server-side verification code logic flaws:

The server-side verification logic of some information systems is flawed. By deleting certain parameters from the request packet, an attacker can change the address to which the email is sent, or skip the steps of choosing a retrieval method and verifying identity, go directly to the password reset page, and reset other people's passwords.


Removing a parameter bypasses validation

Step 1: A certain mailbox system allows the password to be retrieved via the password hint question.

Step 2: Fill in an arbitrary answer, proceed to the next step, capture the packet, and delete the entire answer field before submitting.

Step 3: Because of the flaw in the server's verification logic, when no answer is received the verification passes directly and the password is reset.
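To show how this "delete the parameter" bypass arises on the server side and how a handler should fail closed instead, here is an added Python example (not code from the original article); the account record, field names and hint answer are constructed:

```python
import hashlib
import hmac

# Constructed user record for a hypothetical account: only a hash of the
# secret-question answer is stored.
USERS = {"alice": {"answer_sha256": hashlib.sha256(b"blue").hexdigest()}}


def _answer_matches(username: str, answer: str) -> bool:
    user = USERS.get(username)
    if user is None:
        return False
    given = hashlib.sha256(answer.encode()).hexdigest()
    return hmac.compare_digest(given, user["answer_sha256"])


def verify_answer_vulnerable(form: dict) -> bool:
    """Flawed handler: the comparison only runs when the 'answer' field is
    present, so a request with that field deleted is treated as verified."""
    username = form.get("username", "")
    if "answer" in form:
        return _answer_matches(username, form["answer"])
    return True  # nothing to check, so "pass" (this is the bug)


def verify_answer_strict(form: dict) -> bool:
    """Fail closed: every required field must be present and non-empty, and a
    successful comparison is the only path that returns True."""
    username = form.get("username")
    answer = form.get("answer")
    if not username or not answer:
        return False
    return _answer_matches(username, answer)
```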


Email addresses can be manipulated

Step 1: Some websites retrieve the password via the email address entered during registration. To cope with sends that fail because of network instability and similar factors, the password retrieval page offers a function to resend the email.

Step 2: Click to resend the email, intercept the request with Burp Suite, and change the email address in the packet to your test email address.

Step 3: Open your test mailbox and click the link to reset the password.


Authentication steps can be bypassed

Step 1: Enter the password recovery function of a website and enter the account and verification code.

Step 2: After confirming, directly visit http://**.***.com.cn/reset/pass.do to skip the steps of choosing a retrieval method and verifying identity and reach the reset password page directly.


Local verification of the server's response: modifying the response packet to pass verification:

Some information systems have logic flaws in the design of the password retrieval function: the verification result is decided on the client from the server's response. An attacker only needs to capture the server's response packet and modify some parameters in it to skip the verification step and go directly to the password reset page.


Modify the response packet to bypass verification: https://tianyuk.blog.csdn.net/article/details/130057199


Registration overwrite: existing users can be registered again:

The user registration function of some information systems does not strictly check whether the user account already exists, so an attacker can reset another account's password by registering that account again.


Step 1: Open a website, click User Registration, and enter a username; when the mouse leaves the input box, the page prompts that the account is already registered.

Step 2: Enter an unregistered username and submit the form, intercepting the packet with Burp Suite and changing the value of the username parameter to admin.

Step 3: The admin user's password has now been changed by the repeated registration, while all of the original user's other information is unchanged. In other words, the attacker has obtained all of the user's information, including name, ID card number, mobile phone number, etc.
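An added example (not from the article) of the registration overwrite flaw and its fix at the database layer: the vulnerable handler checks existence only in the front end and lets the server treat a repeated registration as a password update, while the strict handler lets the table's primary key reject the duplicate. It uses an in-memory SQLite table seeded with a constructed, already-registered admin account.

```python
import hashlib
import hmac
import sqlite3


def _hash(password: str) -> str:
    # Plain SHA-256 keeps the demo short; use a slow password hash in production.
    return hashlib.sha256(password.encode()).hexdigest()


def open_db() -> sqlite3.Connection:
    """In-memory database seeded with a constructed, already-registered admin."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT, id_card TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?, ?)", ("admin", _hash("old-secret"), "ID-0001"))
    return db


def register_vulnerable(db, username: str, password: str) -> bool:
    """Only the page warns that the name is taken; the server treats an existing
    name as 'set the password' and leaves the rest of the profile untouched."""
    exists = db.execute("SELECT 1 FROM users WHERE username = ?", (username,)).fetchone()
    if exists:
        db.execute("UPDATE users SET pw_hash = ? WHERE username = ?", (_hash(password), username))
    else:
        db.execute("INSERT INTO users (username, pw_hash) VALUES (?, ?)", (username, _hash(password)))
    return True


def register_strict(db, username: str, password: str) -> bool:
    """Rely on the PRIMARY KEY: a duplicate INSERT raises IntegrityError and the
    registration is rejected, so an existing account is never modified."""
    try:
        db.execute("INSERT INTO users (username, pw_hash) VALUES (?, ?)", (username, _hash(password)))
    except sqlite3.IntegrityError:
        return False
    return True


def login_ok(db, username: str, password: str) -> bool:
    row = db.execute("SELECT pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    return row is not None and hmac.compare_digest(row[0], _hash(password))


def id_card(db, username: str):
    row = db.execute("SELECT id_card FROM users WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None
```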


Session overwrite to reset other accounts' passwords:

The server-side verification of the password recovery function of some systems is flawed: when an attacker uses a password recovery link to reset a password, the password of another account can be reset by overwriting the session.


Step 1: Retrieve the password for your own account.

Step 2: Do not click the link in the email you receive.

Step 3: In the same browser, open the website, enter the password retrieval page again, and enter another person's account.

Step 4: After clicking to send the password reset email, stay on this page.

Step 5: In the same browser, open the link received in the email from step 2 and set a new password.

Step 6: Log in to the other person's account with the newly set password.
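The six steps above, replayed against two toy reset services as an added example (not the article's code): one that tracks the account being reset in the browser session, so the second request overwrites the first, and one that binds the emailed token to the account when it is issued and ignores session state on completion. Account names and the in-memory password store are constructed.

```python
import secrets


class ResetServiceVulnerable:
    """The account being reset lives in the session; the token only proves that some reset was requested."""
    def __init__(self):
        self.passwords = {"alice": "alice-pw", "bob": "bob-pw"}  # constructed, plaintext for the demo
        self.valid_tokens = set()

    def start_reset(self, session: dict, account: str) -> str:
        session["reset_account"] = account      # every new request overwrites this
        token = secrets.token_urlsafe(16)
        self.valid_tokens.add(token)
        return token                            # stands in for the emailed link

    def complete_reset(self, session: dict, token: str, new_password: str) -> bool:
        if token not in self.valid_tokens:
            return False
        self.valid_tokens.discard(token)
        self.passwords[session["reset_account"]] = new_password  # trusts session state
        return True


class ResetServiceFixed:
    """The token is bound to the account at issuance; the session is not consulted on completion."""
    def __init__(self):
        self.passwords = {"alice": "alice-pw", "bob": "bob-pw"}
        self.token_owner = {}

    def start_reset(self, session: dict, account: str) -> str:
        token = secrets.token_urlsafe(16)
        self.token_owner[token] = account        # binding recorded server-side
        return token

    def complete_reset(self, session: dict, token: str, new_password: str) -> bool:
        account = self.token_owner.pop(token, None)  # single use
        if account is None:
            return False
        self.passwords[account] = new_password
        return True


def session_override_works(service) -> bool:
    """Replays the six steps in one browser session: request a reset for the
    tester's own account (alice), then for bob, then open alice's own link."""
    session = {}
    own_token = service.start_reset(session, "alice")
    service.start_reset(session, "bob")  # bob's link goes to bob's mailbox and is never seen
    service.complete_reset(session, own_token, "new-pw")
    return service.passwords["bob"] == "new-pw"
```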


Measures to prevent password retrieval vulnerabilities:

(1) When designing the password retrieval function, limit the number and frequency of credential verification attempts, to prevent attackers from brute-forcing user credentials.

(2) Review every step of the password retrieval flow, record and analyse all interaction data, and ensure that sensitive information such as password retrieval credentials is never returned directly to the client.

(3) Audit the algorithm that generates the server-side password reset token, and avoid simple algorithms that attackers can easily crack.

(4) Bind the password reset credential strictly to the account and give it an expiry time, so that attackers cannot reset other accounts' passwords by changing the account ID.

(5) Strictly validate data submitted by the client. Important information such as the mobile phone number and email address should be checked against the information stored in the backend rather than taken directly from the parameters passed in by the client, to prevent attackers from resetting other accounts' passwords by tampering with the submitted data.

(6) Audit business logic such as user registration and mobile phone or mailbox binding, to prevent attackers from indirectly resetting other accounts' passwords through flaws such as duplicate registration and unauthorized binding.
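An added example (not from the article or any real product) that implements measures (1) to (5) in one reset-credential service, and so also addresses the brute-force, loosely bound credential and manipulated email address cases above: the credential is generated with a CSPRNG, stored only as a hash, bound to the account it was issued for, expiring, single-use and attempt-limited, and sent only to the contact address stored for the account. The account store, the outbox standing in for the mail gateway, and the injectable clock are constructed.

```python
import hashlib
import hmac
import secrets
import time

# Constructed account store: contact details are looked up here, never taken
# from the request (measure 5).
ACCOUNTS = {"alice": {"email": "alice@example.com"}, "bob": {"email": "bob@example.com"}}
MAX_ATTEMPTS = 5        # measure 1: bound the number of verification attempts
TTL_SECONDS = 600       # measure 4: the credential expires


class PasswordResetService:
    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be tested
        self.pending = {}       # username -> {"code_hash", "expires", "attempts"}
        self.outbox = []        # (destination, code): stands in for the mail/SMS gateway

    def request_reset(self, username: str) -> bool:
        """Issues a credential bound to this username. The response carries no
        code (measure 2); it goes only to the stored contact address."""
        acct = ACCOUNTS.get(username)
        if acct is None:
            return False
        code = secrets.token_urlsafe(32)      # measure 3: unguessable, CSPRNG-generated
        self.pending[username] = {
            "code_hash": hashlib.sha256(code.encode()).digest(),
            "expires": self.now() + TTL_SECONDS,
            "attempts": 0,
        }
        self.outbox.append((acct["email"], code))
        return True

    def verify(self, username: str, code: str) -> bool:
        """A code is valid only for the username it was issued to (measure 4),
        before expiry, within the attempt budget, and exactly once."""
        entry = self.pending.get(username)
        if entry is None:
            return False
        if self.now() > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
            del self.pending[username]    # dead credential: force a fresh request
            return False
        entry["attempts"] += 1
        given = hashlib.sha256(code.encode()).digest()
        if not hmac.compare_digest(given, entry["code_hash"]):
            return False
        del self.pending[username]        # single use
        return True
```

With a short numeric SMS code in place of the long token, the attempt budget is what stops enumeration, so it must never be reset by simply requesting the code again without a cooldown.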

Recommended book: A Practical Guide to Web Attack and Defense Business Security.

Source: blog.csdn.net/weixin_54977781/article/details/130117325