added 22 characters in body
Source Link
schroeder

I'm confused about how to implement password reset functionality. I'm testing a Web application with two roles - administrator and normal user. Only administrators can use the password reset functionality (there is no MFLAC).

This function finds a user and loads a view with basic data, for example "TEST_USER" with e-mail "[email protected]". The fields do not have the "readonly" attribute, so they can be modified by the administrator. When the user clicks the button "Reset" the application sends an email to "TEST_USER" with a URL (https://host.com/resetPassword.aspx?token=TOKEN).

The link loads a page with two fields, "new password" and "verify new password". Here I successfully changed the password and completed the process.

If an attacker changes the value in the field "e-mail" and enters "[email protected]" then the application will send the link to the attacker, thereby letting the attacker change the password. It is important to mention that this function is susceptible to CSRF because it does not have a token.

So I think that this is a vulnerability because an attacker or administrator can change the e-mail and reset the password for any user without them knowing about it. Using CSRF an attacker can send a malicious URL that resets the password to an administrator.

So I think that this is not a correct way to implement this functionality because I have heard that a good practice is sending only a token to the email address. 

I think that the correct way to do this would be:

  1. Assure that the e-mail address belongs to the user whose password is being reset.
  2. You should send only one token instead of an URL.
  3. In the page ResetPassword.aspx paste the token.
  4. Verify the user with security questions.
  5. Let the user fill in "new password" and "verify new password"

Is this a vulnerability? Is this the correct way to implement this functionality?
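An added example, not code from the question or from the application it describes, that puts the flawed admin handler the question describes beside a hardened one: the hardened version ignores the submitted e-mail and resolves the recipient from the user record, requires a session-bound CSRF token, and stores only a hash of a random, expiring, single-use reset token. All names (USERS, the form and session dicts, the e-mail addresses) are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed user directory for the demo: the e-mail on record is the only
# address a reset token may be delivered to.
USERS = {"TEST_USER": {"email": "test_user@example.org"}}
TOKEN_TTL = 15 * 60   # seconds a reset token stays valid
SENT_MAIL = []        # (recipient, token) pairs the demo "sent"
RESET_TOKENS = {}     # sha256(token) -> (user_id, expiry timestamp)


def _issue_token(user_id, recipient):
    """Create a random token, store only its hash (a leaked table must not
    yield usable tokens), and 'mail' it to the recipient."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[digest] = (user_id, time.time() + TOKEN_TTL)
    SENT_MAIL.append((recipient, token))
    return True


def vulnerable_admin_reset(form):
    """The flaw in the question: the recipient is the editable form field,
    so whoever submits the form decides where the token is delivered."""
    if form["user"] not in USERS:
        return False
    return _issue_token(form["user"], form["email"])


def hardened_admin_reset(form, session):
    """Fix: check the session's CSRF token first, then take the address from
    the user record and ignore whatever e-mail the form carried."""
    if not hmac.compare_digest(form.get("csrf", ""), session["csrf"]):
        return False
    user = USERS.get(form["user"])
    if user is None:
        return False
    return _issue_token(form["user"], user["email"])


def redeem(token, new_password, now=None):
    """Consume a token once: it must exist and be unexpired, and it is
    removed on use. Returns the user id whose password was set, else None."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or now > entry[1]:
        return None
    user_id, _ = entry
    salt = secrets.token_bytes(16)   # per-user salt for the stored password hash
    USERS[user_id]["pw"] = (salt, hashlib.pbkdf2_hmac(
        "sha256", new_password.encode(), salt, 200_000))
    return user_id
```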

added 52 characters in body
Source Link
Jorge

I'm confused about how to implement password reset functionality. I'm testing a Web application with two roles - administrator and normal user. Only administrators can use the password reset functionality (there is no MFLAC).

This function finds a user and loads a view with basic data, for example "TEST_USER" with e-mail "[email protected]". The fields do not have the "readonly" attribute, so they can be modified by the administrator. When the user clicks the button "Reset" the application sends an email to "TEST_USER" with a URL (https://host.com/resetPassword.aspx?token=TOKEN).

The link loads a page with two fields, "new password" and "verify new password". Here I successfully changed the password and completed the process.

If an attacker changes the value in the field "e-mail" and enters "[email protected]" then the application will send the link to the attacker, thereby letting the attacker change the password. It is important to mention that this function is susceptible to CSRF because it does not have a token.

So I think that this is a vulnerability because an attacker or administrator can change the e-mail and reset the password for any user without them knowing about it. Using CSRF an attacker can send a malicious URL that resets the password to an administrator.

So I think that this is not a correct way to implement this functionality because I have heard that a good practice is sending only a token to the email address. I think that the correct way to do this would be:

  1. Assure that the e-mail address belongs to the user whose password is being reset.
  2. You should send only one token instead of an URL.
  3. In the page ResetPassword.aspx paste the token.
  4. Verify the user with security questions.
  5. Let the user fill in "new password" and "verify new password"

Is this a vulnerability? Is this the correct way to implement this functionality?

deleted 422 characters in body; edited tags; edited title
Source Link
Anders

Reset Password Functionality

I'm confused about the reset password functionality. I'm testing a Web application with two roles (Administrator and Normal User); only the administrator can use the functionality "Reset Password" (there is no MFLAC). This function finds a user and loads data in the view with basic data and E-mail (for example TEST_USER with E-mail [email protected]). This field does not have the "readonly" attribute (it can be modified by the administrator). When the user selects the button "Reset" the application sends a mail that belongs to TEST_USER, and a message is received in their mail account with a URL (https://host.com/resetPassword.aspx?token=TOKEN). When the URL is opened it loads the page "RESET PASSWORD" with only two fields, "New Password" and "Verify New Password"; here I changed the password and the process was successful.

Then, if an attacker changes the value in the field E-mail and uses [email protected], the application sends the request to reset the password for the user TEST_USER to [email protected], continues with the normal process and finally changes the password. It is important to mention that this function is susceptible to CSRF because it does not have a token.

So I think that this is a vulnerability because an attacker or administrator can change the E-mail and reset the password for any user without the user knowing of this action, and using CSRF an attacker can send a malicious URL to a User with role "Administrator" to make this request and change the password. Also I think that this is not a correct way to implement this functionality because it sends the token to the email address.

Also I think that the correct functionality is:

  1. Assure that the E-mail address belongs to the user that requires the functionality
  2. In the e-mail send only the token
  3. In the page ResetPassword.aspx paste the token
  4. Assure to verify the user with security questions
  5. Write the New Password and Verify New Password

Is this a vulnerability? Is this the correct way to implement this functionality?

My finding was disputed because the functionality is only used by an "Administrator"; they assume that this is normal functionality for this role and that I should only consider CSRF in this functionality.

Thank you for your attention, good day.

Is it bad to let admins change a user's e-mail when resetting passwords?

I'm confused about how to implement password reset functionality. I'm testing a Web application with two roles - administrator and normal user. Only administrators can use the password reset functionality (there is no MFLAC).

This function finds a user and loads a view with basic data, for example "TEST_USER" with e-mail "[email protected]". The fields do not have the "readonly" attribute, so they can be modified by the administrator. When the user clicks the button "Reset" the application sends an email to "TEST_USER" with a URL (https://host.com/resetPassword.aspx?token=TOKEN).

The link loads a page with two fields, "new password" and "verify new password". Here I successfully changed the password and completed the process.

If an attacker changes the value in the field "e-mail" and enters "[email protected]" then the application will send the link to the attacker, thereby letting the attacker change the password. It is important to mention that this function is susceptible to CSRF because it does not have a token.

So I think that this is a vulnerability because an attacker or administrator can change the e-mail and reset the password for any user without them knowing about it. Using CSRF an attacker can send a malicious URL that resets the password to an administrator. 

Also I think that this is not a correct way to implement this functionality because the token is sent to the email address. I think that the correct way to do this would be:

  1. Assure that the e-mail address belongs to the user whose password is being reset.
  2. In the e-mail, send only the token.
  3. In the page ResetPassword.aspx paste the token.
  4. Verify the user with security questions.
  5. Let the user fill in "new password" and "verify new password"

Is this a vulnerability? Is this the correct way to implement this functionality?

Source Link
Jorge