Replaying / intercepting a password reset POST request can allow for valid username enumeration

    • Severity 3 - Minor

      Issue Summary

      Under certain conditions it's possible to enumerate valid usernames by replaying one of the password reset HTTP requests.

      Steps to Reproduce

      1. Request a password reset email
      2. Open the password reset mail and click the link to open your browser
      3. Intercept the POST request that saves the new password (i.e. enter the new password twice and save; that is the request to capture.)
      4. Replay that POST request after changing the email address in the request URI
      5. The response reveals whether or not an account exists for that email address

      Expected Results

      It should not be possible to determine valid usernames by replaying requests.

      Actual Results

      By replaying the mentioned request it is possible to confirm valid usernames.

      Workaround

      A suggestion was made: 'The main problem is that the username is checked before the reset-token. It should be the other way around, so if you do not have a valid token you always get the same error message.'
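The ordering problem described in the suggestion, shown as an added example (not the project's code): a reset handler that checks the username first returns a different error for unknown accounts than for known ones, while one that validates the token first and binds it to the account it was issued for returns the same response either way. Account names, the token and its storage are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample state: two existing accounts and one reset token issued to alice.
USERS = {"alice@example.com", "carol@example.com"}
RESET_TOKENS = {  # sha256(token) -> account the token was issued for
    hashlib.sha256(b"valid-token-for-alice").hexdigest(): "alice@example.com",
}


def _token_owner(token: str):
    """Return the account a reset token was issued for, or None if unknown."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    for stored, email in RESET_TOKENS.items():
        if hmac.compare_digest(stored, digest):  # constant-time comparison
            return email
    return None


def reset_password_vulnerable(email: str, token: str, new_password: str):
    """Username is checked before the token, so the error text leaks existence."""
    if email not in USERS:
        return 404, "no such account"
    if _token_owner(token) != email:
        return 403, "invalid or expired reset token"
    return 200, "password updated"


def reset_password_fixed(email: str, token: str, new_password: str):
    """Token is checked first and must belong to the requested account."""
    owner = _token_owner(token)
    if owner is None or not hmac.compare_digest(owner, email):
        # Identical response whether or not `email` names a real account.
        return 400, "invalid reset request"
    return 200, "password updated"


def leaks_existence(handler) -> bool:
    """Replay alice's captured token with the email changed to an existing and
    a non-existing account; True if the two responses differ (enumeration)."""
    existing = handler("carol@example.com", "valid-token-for-alice", "x")
    missing = handler("mallory@example.com", "valid-token-for-alice", "x")
    return existing != missing


if __name__ == "__main__":
    print("vulnerable leaks:", leaks_existence(reset_password_vulnerable))  # True
    print("fixed leaks:     ", leaks_existence(reset_password_fixed))       # False
```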

            Assignee:
            Unassigned
            Reporter:
            Danny (Inactive)
            Votes:
            1
            Watchers:
            2