
I'm confused about how to implement password reset functionality. I'm testing a Web application with two roles - administrator and normal user. Only administrators can use the password reset functionality (it does not have MFLAC).

This function finds a user and loads a view with basic data, for example "TEST_USER" with e-mail "test@mail.com". The fields do not have the "readonly" attribute, so they can be modified by the administrator. When the user clicks the button "Reset" the application sends an email to "TEST_USER" with a URL (https://host.com/resetPassword.aspx?token=TOKEN).

The link loads a page with two fields, "new password" and "verify new password". Here I successfully changed the password and completed the process.

If an attacker changes the value in the field "e-mail" and enters "attacker@mail.com" then the application will send the link to the attacker, thereby letting the attacker change the password. It is important to mention that this function is susceptible to CSRF because it does not have a token.

So I think that this is a vulnerability because an attacker or administrator can change the e-mail and reset the password for any user without them knowing about it. Using CSRF an attacker can send a malicious URL that resets the password to an administrator.

So I think that this is not a correct way to implement this functionality because I have heard that a good practice is sending only a token to the email address.

I think that the correct way to do this would be:

  1. Assure that the e-mail address belongs to the user whose password is being reset.
  2. You should send only a token instead of a URL.
  3. In the page ResetPassword.aspx paste the token.
  4. Verify the user with security questions.
  5. Let the user fill in "new password" and "verify new password".

Is this a vulnerability? Is this the correct way to implement this functionality?

Jorge
    Is this a question about password reset in general, or a specific implementation? – K.B. Jan 09 '18 at 20:16
  • In this case a specific implementation, but for the recommendation, in general, and I also need help to know whether I am right that this is a vulnerability or not, or only CSRF – Jorge Jan 09 '18 at 20:21

2 Answers


Yes, this is definitely a vulnerability. Two actually:

  1. The missing CSRF protection for a sensitive action
  2. Not requiring a password when changing an email address

The first is obvious, and you have already explained why it is bad. The second is bad because it is essentially the same as not requiring a password when changing a password (which is bad), and it obviously lets an admin take over accounts. Combining these two issues, an unauthenticated attacker could take over arbitrary accounts.

Whether the second issue is something that needs to be addressed depends on the application. It might be desired that an administrator has far-reaching permissions, including taking over other users' accounts. If this isn't desired, an admin shouldn't have the option to change email addresses; only users themselves should be able to do this.

tim
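A reset flow that closes both holes named in this answer (the link goes only to the e-mail address on record, never to an address typed into the form, and the admin's "Reset" action must carry a session-bound CSRF token), as an added example that is not part of any answer here. The user store, mail outbox and application secret are constructed stand-ins; a real application would use its own user table, mailer and password hashing.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60  # reset links expire after 15 minutes
# Constructed stand-ins for the user store and the mail sender.
USERS = {"TEST_USER": {"email": "test@mail.com", "password": "old-pw"}}
RESET_TOKENS = {}  # sha256(token) -> (username, expiry); only the hash is stored
OUTBOX = []        # (recipient, link) pairs "sent" by the example


def _token_hash(token):
    return hashlib.sha256(token.encode()).hexdigest()


def csrf_token(session_id, app_secret):
    """Per-session CSRF token: HMAC of the session id under a server-side secret."""
    return hmac.new(app_secret, session_id.encode(), hashlib.sha256).hexdigest()


def admin_reset(form, session_id, app_secret):
    """Admin-only 'Reset' button. Returns the issued token, or None if refused."""
    expected = csrf_token(session_id, app_secret)
    if not hmac.compare_digest(form.get("csrf", ""), expected):
        return None  # request did not come from our own form: treat as CSRF
    username = form.get("username", "")
    user = USERS.get(username)
    if user is None:
        return None
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_token_hash(token)] = (username, time.time() + TOKEN_TTL)
    # Any 'email' field submitted with the form is deliberately ignored:
    # the link can only go to the address already on record for the user.
    OUTBOX.append((user["email"], f"https://host.com/resetPassword.aspx?token={token}"))
    return token


def finish_reset(token, new_password, verify_password):
    """resetPassword.aspx: time-limited, single-use token plus matching passwords."""
    key = _token_hash(token)
    entry = RESET_TOKENS.get(key)
    if entry is None or time.time() > entry[1]:
        RESET_TOKENS.pop(key, None)  # drop expired tokens
        return False
    if new_password != verify_password:
        return False  # token stays valid so the user can retry
    RESET_TOKENS.pop(key)  # consumed on success: single use
    USERS[entry[0]]["password"] = new_password  # a real store hashes this
    return True
```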

Just a remark:

Verify the user with security questions.

This is an apparently good idea that has been used many times[1] to hack emails. Good passwords are hard to establish, but I have never found good security questions that only the user can know and easily remember. Just reading a public facebook page can give hints for answers to most security questions...

And do not forget, you can maybe protect your privacy from another user that only has a so-called admin role. But a system admin can access the raw stored data and can change any password at any time. It is simply that they normally have no interest in doing that...


[1] At least Sarah Palin's email account was hacked that way during the US presidential election campaign.

Serge Ballesta