Business Security for Web Attack and Defense: Password Recovery Process Bypass Test

Business security refers to the measures or means used to protect business systems from security threats. In the broad sense, business security covers the software and hardware platforms the business runs on (operating systems, databases, middleware, and so on), the business system itself (software or equipment), and the security of the services the business provides; in the narrow sense, it refers to the security of the business system's own software and services. Password recovery is a typical business-logic feature in the narrow sense: the platform can be fully patched and the flow can still be bypassed if the server does not enforce the order of its own steps.


Table of contents:

Password recovery process bypass test:

  Test principle and method:

  Testing process:

  Repair suggestion:


Disclaimer:

It is strictly forbidden to use the techniques described in this article to carry out illegal attacks; anyone who does so bears the consequences, and the uploader accepts no responsibility.


Password recovery process bypass test:

Test principle and method:

The password recovery function of most websites follows three steps:

(1) The user enters the account whose password is to be recovered.

(2) Credential verification: the site sends an SMS verification code, or a password-reset link, to the contact details registered for the account. The user enters the code or clicks the link to reach the password reset page, which is what proves that the person performing the operation is the owner of the account.

(3) After the credential is accepted, the user is taken to the reset-password page and sets a new password.

In this logic the second step, credential verification, is the one that matters, because only the owner of the account can receive the credential. If there is a way to get past the second step without the credential and go straight to the third, the protection is gone. Changing the password is itself just a request to the server: the client sends the new password to the reset interface, the server accepts it and updates the corresponding record in the database. Therefore the test first collects the request interfaces of all three steps, with the reset interface of the last step being the key one; then it skips the credential verification interface and tries to call the reset interface directly. Note that it is the server's acceptance of the reset request that counts, not whether the reset page happens to render: a page that displays but whose submission is rejected is not a bypass.


Testing process:

Step 1: Register an account of your own so that you can walk through the whole flow. On the password retrieval page, enter your account and click Next. The URL of this first page is GET /account/findPassword.html

Step 2: This brings you to credential verification. Because the account is yours, you receive the verification credential directly; enter it and click Next. The URL of the second step is GET /forgetpwd/findPassNext.do

Step 3: Once the credential is accepted, you reach the third step, resetting the password. The URL of the third step is GET /forgetpwd/cmailValidateNext.do

Step 4: Having completed the normal procedure with your own account, you now have the URLs of all three steps (record the parameters of each request in your proxy as well, since the reset request is what you will replay):

(1) GET /account/findPassword.html                //Enter user account page

(2) GET /forgetpwd/findPassNext.do                //Verification code identity page

(3) GET /forgetpwd/cmailValidateNext.do           //Setting a new password page

Step 5: Start a fresh flow with your own account. Enter the account in step 1 and, when the step 2 identity verification page appears, change the URL in the browser directly to the step 3 URL and visit it. If you land on the password reset page and the new password you submit is accepted (confirm it by logging in with it), the credential verification step can be skipped and there is a password recovery process bypass. Only ever run this against an account you own.


Repair suggestion:

To prevent the verification step from being skipped, the back end must check on every request for a later step that the earlier steps have actually been completed for this account in this session. Concretely, the reset interface should only accept a request when server-side state (a session flag, or a one-time token issued after the credential was verified) shows that step 2 succeeded for the same account that was entered in step 1; it must never infer that from the page the client came from or from client-supplied parameters. The credential itself should be single-use and bound to the account it was issued for, and the verified state should be cleared as soon as the password has been changed, so that neither the credential nor the reset request can be replayed.
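The following added example, which is not part of the original article, models the three-step flow from the testing process and the repair suggestion above in one self-contained Python script. An in-memory back end exposes the three interfaces under the page's endpoint names in two variants: a vulnerable one, where step 3 only checks that an account was entered in step 1, and a fixed one, where step 3 also requires the server-side flag set by a successful step 2. The Step 5 bypass test is then run against both. The session store, the six-digit code, the `RecoveryBackend` class, the `check_previous_step` switch and the sample user `alice` are assumptions made for the demonstration; a real application would carry this over HTTP.

```python
"""Simulation of the three-step password recovery flow from the article.

Added example, not the article's code. The endpoint names follow the page;
the session handling, the in-memory user table and the check_previous_step
switch are assumptions made for this demonstration.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample user table: account -> password hash (not real data).
USERS = {"alice": hashlib.sha256(b"old-password").hexdigest()}


@dataclass
class Session:
    """Server-side state for one password-recovery attempt."""
    account: Optional[str] = None   # set by step 1
    code: Optional[str] = None      # credential issued in step 1, delivered out of band
    verified: bool = False          # set only by a successful step 2


class RecoveryBackend:
    """In-memory stand-in for the three interfaces collected in Step 4."""

    def __init__(self, users, check_previous_step):
        self.users = dict(users)
        # False: vulnerable behaviour (step 3 trusts that the client came via step 2).
        # True: the repair suggestion (step 3 verifies the server-side flag).
        self.check_previous_step = check_previous_step
        self.sessions = {}
        self.sent_codes = []  # what the SMS/e-mail gateway would deliver

    def new_session(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session()
        return sid

    def find_password(self, sid, account):
        """Step 1, GET /account/findPassword.html: enter the account, issue a code."""
        s = self.sessions[sid]
        if account not in self.users:
            return 404
        s.account = account
        s.code = f"{secrets.randbelow(10**6):06d}"
        s.verified = False
        self.sent_codes.append((account, s.code))
        return 200

    def find_pass_next(self, sid, code):
        """Step 2, GET /forgetpwd/findPassNext.do: check the submitted credential."""
        s = self.sessions[sid]
        if s.account is None or s.code is None:
            return 403
        if not secrets.compare_digest(code, s.code):
            return 403
        s.verified = True
        s.code = None  # single use: a replayed code is rejected
        return 200

    def cmail_validate_next(self, sid, new_password):
        """Step 3, GET /forgetpwd/cmailValidateNext.do: set the new password."""
        s = self.sessions[sid]
        if s.account is None:
            return 403
        if self.check_previous_step and not s.verified:
            return 403  # previous step not completed for this session
        self.users[s.account] = hashlib.sha256(new_password.encode()).hexdigest()
        s.verified = False  # consume the verified state so step 3 cannot be repeated
        return 200

    def password_is(self, account, password):
        return self.users[account] == hashlib.sha256(password.encode()).hexdigest()


def bypass_test(backend, account="alice", new_password="attacker-chosen"):
    """Step 5: do step 1, skip step 2, request step 3 directly.

    Returns True when the password actually changed, i.e. the flow is bypassable.
    """
    sid = backend.new_session()
    backend.find_password(sid, account)
    status = backend.cmail_validate_next(sid, new_password)
    return status == 200 and backend.password_is(account, new_password)


def normal_flow(backend, account="alice", new_password="legitimate-new"):
    """Steps 1-3 with the real credential; confirms the fix does not break recovery."""
    sid = backend.new_session()
    backend.find_password(sid, account)
    _, code = backend.sent_codes[-1]  # the owner reads the code from the SMS/e-mail
    if backend.find_pass_next(sid, code) != 200:
        return False
    return (backend.cmail_validate_next(sid, new_password) == 200
            and backend.password_is(account, new_password))


if __name__ == "__main__":
    print("vulnerable back end bypassed:", bypass_test(RecoveryBackend(USERS, False)))
    print("fixed back end bypassed:     ", bypass_test(RecoveryBackend(USERS, True)))
    print("fixed back end normal flow:  ", normal_flow(RecoveryBackend(USERS, True)))
```

The point of the `verified` flag living in the server-side `Session` is that the only code path that sets it is a correct `find_pass_next` call; nothing the client sends to `cmail_validate_next` can substitute for it. Against a live target the same test is a browser or proxy replay of the recorded step 3 request after step 1 alone, judged by whether the new password works.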


Books to learn: A Practical Guide to Web Attack and Defense Business Security.


Origin blog.csdn.net/weixin_54977781/article/details/130058273