Defect location: In the password reset link, the parameter Newvalidcode setting is too simple (6 digits pure number), and when sending the request, no limit, can reset any user password by blasting.
Testing process
1 The old rules, click Forget password.
2 can see, let's fill in the email address, this is also can use to log in the mailbox.
Then decisively fill in the small mailbox.
3 fill in the mailbox, click Next, the mailbox will receive the following picture, a link to reset the password. (Don't see the words on the map click to see the big picture)
4 with a small number of tests, you can get the analysis in Figure 3, the main is that Newvalidcode string in the validation.
Access links, you can see directly modify the password.
5 So the problem becomes very simple, as long as the blasting newvalidcode on it.
6 open burps, random input new password, grab bag. Note here that the address of the address bar will be newvalidcode written in any 6-digit number, because we reset the password when it is not clear how much this data.
Mailauthenid This can use their own account to reset their password to see, and then reset others, the previous number of their own to add 1 on it.
(PS: Regardless of the newvalidcode parameters, access to the link will be normal display changes to the Password page, but Newvalidcode incorrect, will not modify the password successful)
Control variable, leaving only the variable to be exploded as shown in the figure.
7 then blasting the request, you can see that there has been a noticeable change here, indicating that this is the correct password.
8 to test the changing location of the data to the address of the password will appear as shown below.
This diagram shows that the password has been modified successfully, the link to modify the password is not valid.
To use the blasting out of the password to test login, successful login.
Figure 7
Because the verification character of the Newvalidcode parameter is only 6 digits pure digit, so multithreading goes to explode, can reset the password quickly ...
Repair:
1 Newvalidcode set complex points, preferably 26 letters (case-sensitive) and a combination of 10 digits.
2 Submit a password change request under the limit, you can submit the request at the time of the verification code, or limit the daily reset error 10 times on the day can not be reset password.
3 Financial site, should be more generous, give a gift is not a problem. This loophole will be less and fewer, hey ~ ~
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
