Several common patterns for arbitrary-user password reset


Source: https://link.jianshu.com/?t=https://www.ichunqiu.com/course/59045


Vulnerability Description:

By tampering with the user name or user ID, or by brute-forcing verification codes, an attacker modifies or resets the password of any account.

Test Methods:

Password change flows usually first check that the user's original password is correct and only then let the user enter a new password. The password change mechanism can be bypassed in roughly the following three ways:

1. If the "enter new password" page can be accessed directly, the password can be changed without knowing the original password; since user names are usually known, the password of any other user can be changed this way.

2. If the system does not check the identity of the user whose password is being changed, then when submitting the change request the attacker enters a password and replaces the user name or user ID with someone else's, successfully changing that person's password.

3. When the system requires e-mail or SMS confirmation for a password change but does not verify the e-mail address or phone number entered by the user, the attacker supplies their own mailbox or phone number, receives the change link or verification code there, and uses it to change other people's passwords.

Password reset mechanisms are mainly bypassed in the following two ways:

1. Obtain a reset link by normal means, then guess the structure of the link and decode its contents (e.g. an MD5 of the user name or of a timestamp value). Knowing someone else's mailbox, construct a password reset link for that person.

2. Knowing someone else's phone number, reset their password by exhaustively guessing the SMS verification code.

Risk level:

[High]: another user's password is successfully modified or reset.

Remediation:

1. Collect all verification information (the original password, the new password, etc.) in a single form and submit it as one password change request.

2. When the client submits a password change request, the server must verify the user's identity, compare it with the currently logged-in user to decide whether they are allowed to modify this user's password, and also check that the original password is correct.

3. Authentication must not rely on the phone number, e-mail address or other contact information sent by the client in plaintext; phone numbers, e-mail addresses and similar information in responses should be masked, or not returned to the client at all.

4. When verifying the original password, limit the number of times a wrong original password can be entered, to prevent attackers from brute-forcing it.

5. The key information in a reset link should be randomized and unpredictable (e.g. a token mechanism), and must never be returned to the client.
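The following is an added example, not code from the original post or the course it links to, showing how the five remediation points above close the bypasses listed under "Test Methods". It assumes an in-memory user store, PBKDF2 as a stand-in for the real password hash, a 15-minute reset token lifetime, and an `outbox` list that stands in for the mail/SMS gateway; the user records and passwords are constructed for the example.

```python
"""Hardened password change / reset flow (added example; constructed in-memory store)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5      # point 4: lock out after this many wrong original passwords
RESET_TOKEN_TTL = 15 * 60    # assumption: reset links expire after 15 minutes


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    email: str
    phone: str
    failed_attempts: int = 0


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password hash the real system uses
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(username: str, password: str, email: str, phone: str) -> User:
    salt = secrets.token_bytes(16)
    return User(username, salt, hash_password(password, salt), email, phone)


def mask_email(email: str) -> str:
    # point 3: never echo the full address; keep the first character and the domain
    local, domain = email.split("@", 1)
    return local[0] + "***@" + domain


def mask_phone(phone: str) -> str:
    return phone[:3] + "****" + phone[-4:]


class PasswordService:
    def __init__(self, users):
        self.users = {u.username: u for u in users}
        self.reset_tokens = {}   # token -> (username, expiry); kept server side only
        self.outbox = []         # constructed stand-in for the mail/SMS gateway

    def change_password(self, session_user, target_user, old_password, new_password):
        # point 2: the account being changed must be the logged-in account; a
        # user name or ID carried in the request body is not trusted on its own
        if session_user != target_user:
            return "forbidden"
        user = self.users[session_user]
        if user.failed_attempts >= MAX_FAILED_ATTEMPTS:
            return "locked"
        # point 1: original and new password arrive in the same request, so there
        # is no separately reachable "enter new password" step to jump to
        if not hmac.compare_digest(hash_password(old_password, user.salt), user.password_hash):
            user.failed_attempts += 1
            return "wrong_password"
        user.failed_attempts = 0
        user.salt = secrets.token_bytes(16)
        user.password_hash = hash_password(new_password, user.salt)
        return "ok"

    def request_reset(self, username):
        # point 5: the token is random, stored server side and delivered only to the
        # address on file; the client receives masked contact data, never the token
        user = self.users.get(username)
        if user is None:
            return None
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = (username, time.time() + RESET_TOKEN_TTL)
        self.outbox.append((user.email, token))
        return {"email": mask_email(user.email), "phone": mask_phone(user.phone)}

    def complete_reset(self, token, new_password, now=None):
        entry = self.reset_tokens.pop(token, None)   # single use
        if entry is None:
            return "invalid"
        username, expiry = entry
        if (now if now is not None else time.time()) > expiry:
            return "expired"
        user = self.users[username]
        user.salt = secrets.token_bytes(16)
        user.password_hash = hash_password(new_password, user.salt)
        user.failed_attempts = 0
        return "ok"

    def check_login(self, username, password) -> bool:
        user = self.users[username]
        return hmac.compare_digest(hash_password(password, user.salt), user.password_hash)
```

The `target_user` parameter is kept deliberately so the comparison against `session_user` is visible: the server decides whose password is changed from the session, not from the request body. Tokens live only in `reset_tokens` and the outbox; the API response carries the masked address so the user can recognise where the link went without the server disclosing it.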




Origin www.cnblogs.com/relax1949/p/12096337.html