As the world moves further into the digital ecosystem, the goal is to make life easier for everyone, so that people can connect and communicate with each other over a secured channel. People come online for different purposes: buying products, transferring money, acquiring knowledge, and so on. Hence security and privacy become a key concern for everyone. There are many ways a security breach can occur; below we elaborate one of them.
Objective – Our purpose behind this article is to demonstrate how to assess websites for this vulnerability, not how to exploit it for nefarious activities.
Scenario – Consider a common scenario where a user forgets his/her account password and has to reset it using an auto-generated OTP mechanism: the user requests an OTP on his/her registered mobile number by entering the UserID and clicking the ‘forgot password’ button.
If this mechanism does not limit the number of verification attempts, an attacker can simply brute force the OTP (a 6-digit code has only 1,000,000 possible values) and eventually take over the account.
So, we’ll assess the reset password mechanism for the maximum number of attempts a user gets to verify his/her OTP, so that it does not lead to a hostile account takeover.
Tools you will need:
- Intercepting proxy – Burp Suite Professional is an advanced set of tools for assessing web security, all within a single product. (The Community Edition also works for this test; its Intruder is throttled, which only makes the attack slower.)
- Browser – Mozilla Firefox.
Configure your browser so that all its requests go through Burp Suite (by default the Burp proxy listens on 127.0.0.1:8080).
Step 1: Set the site map in Burp suite.
- Open Burp Suite, go to ‘Proxy’ >> ‘Intercept’ and turn interception on.
- Go to the browser >> enter the target website example.com >> press Enter.
- Go back to Burp Suite (the request will appear in the Intercept tab).
- Right-click the request >> ‘Send to Spider’. Then go to ‘Target’ >> right-click example.com >> ‘Spider this host’. (In Burp Suite 2.x the Spider has been replaced by the crawler; the rest of the procedure is unchanged.)
- Everything set! The spider will crawl (discover) all the pages of the website, for example https://www.yourwebsite.com, and list them in the site map.
- Like most websites and APIs, your website will have a ‘forgot password’ link which redirects to the reset password page.
- On this page the user hits the “reset” button (turn on intercept before pressing it) and receives a 6-digit OTP on the mobile number registered during signup. The user has to enter the OTP in order to log in to the account and set a new password.
- In the intercepted HTTP request that submits the OTP, look for the parameter that carries the OTP (it may be in the query string or in the request body).
Step 2: Testing the password reset page.
Submit a wrong OTP and intercept that request in Burp Suite.
- In Burp Suite, right-click the request >> ‘Send to Intruder’.
- Go to ‘Intruder’ >> ‘Positions’ >> click ‘Clear’ >> select the value of the OTP parameter (otpformobile in this example) >> click ‘Add’. Set ‘Attack type’ to ‘Sniper’ (one payload position, one payload set).
- Go to ‘Payloads’ >> set the payload type to ‘Numbers’ >> range from 500001 to 600000, step 1. (The range is just an assumption for this walkthrough; a real attacker would cover 000000 to 999999.)
- This means we are about to try 100,000 different OTPs against the target parameter.
- Start the attack.
- As the attack runs, every request returns status code 200 (request succeeded) and none is blocked, delayed or answered with a lockout, which shows there is no rate limit on OTP verification: we can keep submitting OTPs until we hit the correct one.
- This is a very serious mistake for a developer to make. Out of the 100,000 OTPs, the request carrying the correct OTP produced a response with a different length from all the others; sorting the Intruder results by the ‘Length’ column makes it stand out.
- In the above example the response of length 521 belonged to the correct OTP (you can verify this, since you will have received it on your mobile number).
- Once an attacker has this OTP, the account can be taken over easily.
Following are the possible ways you can fix this loophole in your Reset Password mechanism –
- Sending via email – Instead of an OTP, send a password reset link directly to the user’s registered email address and ask the user to open that link to reset the password. The link must carry a long, random, single-use token that expires quickly; a short numeric token in a link is just as brute-forceable as an OTP.
- Retry limit – If we are using an OTP as the password reset mechanism, then we must limit the number of verification attempts, enforced server-side against the OTP itself (limiting per client IP alone is not enough, since an attacker can rotate addresses). For example, allow a maximum of 4 attempts; after the 4th failure the OTP that was sent is discarded, and the user has to request a fresh OTP, which again has only 4 attempts.
- Expiring OTP – To make the OTP more secure, the attempt limit can be combined with a time limit. Once an OTP is requested, the user has 4 attempts within 60 or 100 seconds; once the window passes or the attempts are used up, the OTP is discarded and the user has to request a fresh one.
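To make the Intruder result and the fixes concrete, here is an added example (not code from the article or from Sankey) that models the two server-side behaviours and runs the same numeric sweep against each. The class and function names, the constructed OTP value 500521, and the 4-attempt / 60-second limits are assumptions taken from the recommendations above; a real implementation would store a hash of the OTP rather than the plaintext and send it by SMS instead of returning it.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6
MAX_ATTEMPTS = 4       # assumption from the article: discard the OTP after the 4th failure
OTP_TTL_SECONDS = 60   # assumption from the article: window in which those attempts must happen


@dataclass
class PendingOtp:
    code: str          # plaintext for brevity; store a hash in production
    issued_at: float
    failures: int = 0


class FakeClock:
    """Injectable clock so the expiry path can be exercised without sleeping."""

    def __init__(self, now):
        self.now = now

    def __call__(self):
        return self.now


class VulnerableOtpStore:
    """No attempt counter and no expiry: the flaw the Intruder run above exposes."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}

    def request_otp(self, user_id, code=None):
        # `code` override exists only so the demos can use a known value;
        # real code always generates with secrets and delivers out of band.
        if code is None:
            code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[user_id] = PendingOtp(code, self._clock())
        return code

    def verify(self, user_id, candidate):
        pending = self._pending.get(user_id)
        if pending is None:
            return "none"
        # constant-time compare, yet still brute-forceable: nothing stops retries
        return "ok" if hmac.compare_digest(pending.code, candidate) else "wrong"


class HardenedOtpStore(VulnerableOtpStore):
    """Same API; the OTP is single-use, expires, and dies after MAX_ATTEMPTS failures."""

    def verify(self, user_id, candidate):
        pending = self._pending.get(user_id)
        if pending is None:
            return "none"
        if self._clock() - pending.issued_at > OTP_TTL_SECONDS:
            del self._pending[user_id]
            return "expired"
        if hmac.compare_digest(pending.code, candidate):
            del self._pending[user_id]          # single use
            return "ok"
        pending.failures += 1
        if pending.failures >= MAX_ATTEMPTS:
            del self._pending[user_id]          # user must request a fresh OTP
            return "locked"
        return "wrong"


def brute_force(store, user_id, start=500001, stop=600000):
    """Mimics Intruder's 'Numbers' payload (start..stop, step 1) against verify().
    Returns (found_code_or_None, number_of_requests_sent)."""
    tries = 0
    for n in range(start, stop + 1):
        tries += 1
        candidate = f"{n:0{OTP_DIGITS}d}"
        status = store.verify(user_id, candidate)
        if status == "ok":
            return candidate, tries
        if status in ("locked", "expired", "none"):
            return None, tries                  # the server stopped accepting guesses
    return None, tries


# Constructed scenarios; "500521" is a made-up OTP inside the sweep range.
def demo_vulnerable():
    store = VulnerableOtpStore()
    store.request_otp("alice", code="500521")
    return brute_force(store, "alice")          # OTP found on request 521


def demo_hardened_lockout():
    store = HardenedOtpStore()
    store.request_otp("alice", code="500521")
    return brute_force(store, "alice")          # locked out after 4 requests


def demo_hardened_expiry():
    clock = FakeClock(1_000.0)
    store = HardenedOtpStore(clock=clock)
    code = store.request_otp("alice")
    clock.now += OTP_TTL_SECONDS + 1
    return store.verify("alice", code)          # "expired" even with the right code


if __name__ == "__main__":
    print(demo_vulnerable(), demo_hardened_lockout(), demo_hardened_expiry())
```

The counter lives on the pending OTP record, not on the client address, so rotating source IPs does not reset it, and a correct guess invalidates the OTP so it cannot be replayed. Note that the hardened store still answers "ok" and "wrong" with different bodies; that difference is inherent to verification and is harmless only because the attempt limit stops the sweep long before it can be exploited.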
Sankey CyberTech Solutions (SCS) is the Cyber Security division of Sankey Solutions. SCS provides security assessment across the various layers of your application architecture. We provide a security framework via a range of services that encompasses the technical layers of the architecture, helping businesses take reactive and proactive measures to safeguard their platforms.