Information disclosure (reset password token) and changing the user's password

From Hackipedia
Jump to: navigation, search
Hackerone #738
Target: Hackerone
Target Module:
Type: CSRF
Payload:
Original: Link
CVE:
Archive

Many password reset services take advantage of an link emailed to the user account. The link will contain a parameter that is unique to the request and will lead you to a page to insert a new password. If that page contains links to third party sites the web application may be leaking this unique password reset key via the Referrer HTTP header.

How To Perform

  1. Create account
  2. Perform password reset procedure
  3. Check reset page for links to third party sites.
    1. Check the network traffic to ensure the Referrer is being passed.