YS forgot-password mechanism is defective and can allow any user's password to be modified (severity: high)

Source: Internet
Author: User

This write-up documents one of the typical security issues found during the security testing process.


Problem Description:

The YS web site provides a password-change function that a user can use to recover access after forgetting the password, but the password-change flow has the following problems:

1. The phone verification code is too short (only 4 digits, purely numeric), so it is easy to brute-force.

2. The authenticity of the user is determined solely by the phone verification code; once the code is entered, the page goes directly to password modification instead of using a stronger multi-factor authentication method.

Test steps:

1. Install Burp and enable its HTTP request interception function.

2. Open the YS home page and select "Change Password".

3. In the Change Password dialog box, enter the user name whose password is to be changed, as shown in the figure:

4. Click "Next"; the "Enter the Phone Verification Code" dialog box appears. Enter an arbitrary, incorrect verification code and submit it. Burp intercepts the HTTP request that carries the verification code for the user's phone; send this request to Burp's Repeater so that it can be replayed later.

5. Use Burp's Repeater function to replay the HTTP request multiple times, modifying the Checkcode value each time. Because Checkcode is a 4-digit pure number in the range 1-9999, an automated method (such as Burp's Intruder function) can brute-force it and thereby obtain the user's Checkcode, as shown in the following figure:

6. Re-enter the correct Checkcode.

Problem Extension:

Combined with automated methods, an attacker can modify the password of any YS user.

Solution Recommendations:

1. The request in which the user submits the phone verification code should not need to carry the phone number, user name or similar information; these values should be looked up directly from the database on the server side, so that they cannot be maliciously tampered with.

2. Provide an anti-brute-force mechanism for the phone verification code: if an incorrect phone verification code is submitted 3 times, immediately invalidate the code. In addition, under normal circumstances the phone verification code should initially be valid for half an hour.

3. A login or phone alert should be sent when a user's password is modified or when a user logs in from an unusual location.
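The three recommendations above, worked into a single server-side reset flow, as an added example that is not part of the original write-up and not YS's code. It assumes a hypothetical `PasswordResetService` whose constructor receives the username-to-phone directory, an SMS sender and an alert sender; the phone number is only ever looked up server-side (recommendation 1), a code is invalidated after 3 wrong submissions and after 30 minutes (recommendation 2), and an alert is sent when the password actually changes (recommendation 3). It also goes beyond the page in one respect: it generates a 6-digit code rather than the 4-digit one the page criticises, which is an assumed hardening, and `guess_probability` shows why the length matters once attempts are capped.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6                 # assumption: 6 digits instead of the page's 4
CODE_TTL_SECONDS = 30 * 60      # recommendation 2: initially valid for half an hour
MAX_ATTEMPTS = 3                # recommendation 2: 3 wrong submissions invalidate the code


def guess_probability(digits, attempts):
    """Chance that an attacker with `attempts` blind guesses hits a random code."""
    return attempts / (10 ** digits)


@dataclass
class OtpRecord:
    code: str
    issued_at: float
    attempts: int = 0


class PasswordResetService:
    """Hypothetical reset service; all names here are the example's own."""

    def __init__(self, user_phone_directory, send_sms, send_alert, now=time.time):
        self._users = user_phone_directory  # username -> phone, server-side only
        self._send_sms = send_sms
        self._send_alert = send_alert
        self._now = now
        self._pending = {}        # username -> OtpRecord
        self._reset_tokens = {}   # one-time token -> username

    def start_reset(self, username):
        """Recommendation 1: the client supplies only the username; the phone
        number comes from the server-side directory and cannot be tampered with."""
        phone = self._users.get(username)
        if phone is None:
            return None  # respond identically so account existence is not revealed
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[username] = OtpRecord(code=code, issued_at=self._now())
        self._send_sms(phone, code)
        return None

    def verify_code(self, username, submitted_code):
        """Return a one-time reset token on success, None otherwise."""
        rec = self._pending.get(username)
        if rec is None:
            return None
        if self._now() - rec.issued_at > CODE_TTL_SECONDS:
            del self._pending[username]           # expired: discard, never accept
            return None
        rec.attempts += 1
        # constant-time comparison on bytes so the check itself leaks nothing
        if not hmac.compare_digest(rec.code.encode(), submitted_code.encode()):
            if rec.attempts >= MAX_ATTEMPTS:
                del self._pending[username]       # recommendation 2: invalidate
            return None
        del self._pending[username]               # a code is usable exactly once
        token = secrets.token_urlsafe(32)
        self._reset_tokens[token] = username
        return token

    def set_new_password(self, token, new_password, set_password):
        """The password is only changed against a token earned by a correct code."""
        username = self._reset_tokens.pop(token, None)
        if username is None:
            return False
        set_password(username, new_password)
        # recommendation 3: notify the account owner that the password changed
        self._send_alert(self._users[username], f"Password for {username} was changed")
        return True


if __name__ == "__main__":
    # constructed sample directory and collectors for the sent messages
    sent_sms, sent_alerts, stored = [], [], {}
    svc = PasswordResetService({"alice": "+1-555-0100"},
                               lambda phone, code: sent_sms.append((phone, code)),
                               lambda phone, msg: sent_alerts.append((phone, msg)))
    svc.start_reset("alice")
    code = sent_sms[-1][1]
    token = svc.verify_code("alice", code)
    print("reset ok:", svc.set_new_password(token, "new-pw", stored.__setitem__))
    print("4-digit code, 3 tries:", guess_probability(4, 3))
    print("6-digit code, 3 tries:", guess_probability(6, 3))
```

With the attempt cap in place, a 4-digit code still gives an attacker a 3-in-10,000 chance per reset request, which is why the code length and the lockout have to be fixed together rather than separately.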
