Hello everyone,
Today, I want to share my experience of discovering an account takeover (ATO) vulnerability through password reset link poisoning. While hunting for a program with millions of users — specifically, a large e-commerce company that I’ll refer to as redacted.com — I was testing the authentication functions when I encountered the ‘Request to reset your password’ feature. This function prompts users to enter an email address to receive a magic link for resetting their password.
was actually waiting for my flight at the airport when I started exploring this program. With some time to spare, I decided to dive into the program’s security. Little did I know, this casual testing session would lead to an impactful discovery! :))
Let’s start our story
SQL Injection
As there is an email parameter there is some type of database in the backend to handle these emails which makes the email parameter the best place to test for SQLI
sqlmap -r testsql --dbs --tamper=space2comment,space2morehash --batch
Parameter bruteforce:
While testing, an interesting detail caught my attention: all parameters in the request body started with dwfrm_requestpassword. This unique prefix made me curious, so I thought, 'What if I try brute-forcing these parameters with a single request?' This led me down a path of experimenting to see if any parameter manipulation could yield unexpected behavior or reveal potential vulnerabilities
First, I downloaded the parameters list from Arjun’s database using this URL: https://raw.githubusercontent.com/s0md3v/Arjun/refs/heads/master/arjun/db/large.txt. I then opened the list in Sublime Text to start customizing it for my testing approach
After opening the parameter list in Sublime Text, I used a regex replace to add dwfrm_requestpassword_ at the beginning of each line. I used ^ to target the start of each line and replaced it with this prefix. Additionally, I added =evil at the end of each parameter by using $ to match the end of each line, as shown in the screenshot. This setup allows me to test various parameter combinations with a common prefix and suffix, potentially uncovering interesting behaviors."
I copied all the modified parameters from Sublime Text and pasted them line-by-line into Burp Suite’s Repeater tool. Then, I clicked on ‘Change Body Encoding’ to ensure the parameters were properly formatted for the request. This setup allowed me to test each parameter systematically within Burp, making it easier to analyze the responses and check for any unusual behaviors or vulnerabilities.
After sending the modified requests in Burp and analyzing the responses, I received an email containing a reset password link. To my surprise, the link included my custom evil/ path. I then filtered and tested different parameters, eventually discovering that the vulnerable parameter was dwfrm_requestpassword_return. This parameter allowed me to inject custom values into the reset link, revealing a potential open redirect or injection vulnerability
I changed the value of the vulnerable dwfrm_requestpassword_return parameter to my Burp Collaborator link and sent the modified reset link to the victim. As you can see, when the victim clicks this 'magic link,' instead of simply allowing them to log in, it redirects them to my Collaborator server. This setup allows me to capture the victim's credentials or session information, demonstrating a potential open redirect or credential-stealing vulnerability
Hope you guys enjoyed the write-up
A Coffee For Me
If you like the article you can buy me a coffee here
Keep in touch
Twitter: https://twitter.com/@m0uka_dz
Linkedin: https://www.linkedin.com/in/m0uka
Instagram: https://www.instagram.com/5w1l
