Password Reset Poisoning Attacks and How to Prevent Them

Image by Gerd Altmann from Pixabay

Passwords are used as the first line of defense for both frontend and backend security. Among the most commonly exploited components is the password reset functionality. An attacker can manipulate the password reset token so that it is sent to a domain they control. In this article, we discuss the severity of a password reset poisoning vulnerability and how it can be prevented.

An overview of Password Reset Poisoning Attack

When an attacker launches a password reset poisoning attack, the host server generates a malicious password reset URL, which is forwarded to an attacker-controlled server. As a result of these attacks, a user’s domain can be overwritten by the attacker, allowing him to overwrite the address that the host sends to him. Because the server dynamically generates an HTTP referer header based on user input, a threat actor can alter the information in the header without a validating host header.

Examples of Password Reset Poisoning Attack

  • Basic Password Reset Poisoning Attack

In instances where hosts generate password reset URLs based on user-controllable host headers, attackers can perform a simple password reset poisoning attack.

By obtaining a user’s username or email address, a malicious user can reset a password on their behalf. By interjecting the HTTP request with a malicious attacker-controlled domain header, hackers attempt to redirect the HTTP request. Valid password reset tokens and a password reset link is sent by email to the legitimate user. The hacker will receive a password reset token if the victim clicks this link.

  • Password Reset Poisoning via Dangling Markup

The dangling markup attack is generally used to gain access to accounts. Attackers can exploit dangling markups to include malicious links by parsing them until the expected terminating declaration is encountered on a page. Using this attack, one must have a website with dangling HTML markup in its sinks.

Severity Level

Attacks involving password reset poisoning are mostly aimed at stealing legitimate user accounts and performing actions based on their permissions. Hacker-powered security tools often exploit this low-hanging fruit as a trivial attack. Security and software teams must apply a clean-slate approach to prevent exploits since there is no official or permanent fix.

Methods for prevention

  • Retaining the ability to reset your password offline

Rather than requiring a server-side identifier for an offline password reset, we recommend an offline identifier instead. The backend server uses an offline identifier to verify legitimate account holders attempting to reset their passwords when they register for an account. Authentication should occur using general credential security practices, as well as offline identifiers being kept securely.

  • Set up and administer strong password reset URLs

In a password recovery link, the authentication server typically passes a valid token. These tokens are usually emailed to the registered user and are valid for a limited time, after which a new password must be generated. Providing strong, cryptographically unique schemes to reduce the predictability of URL tokens will prevent them from being abused through cross-site request forgery.

  • Security Questions

Password reset requests often include security questions. Security questions must, however, be combined with other security mechanisms to prevent easy exploits, as attackers can obtain answers through a random guess or brute force attack.

  • Testing for vulnerabilities and penetration

Developers and security professionals can identify intrinsic vulnerabilities before attackers exploit them. Performing penetration tests helps application development teams analyze security flaws in depth while gaining a better understanding of how malicious actors exploit them. Moreover, the implementation of an appropriately administered penetration testing mechanism can help improve the detection of password reset attempts by adding additional sanity checks.