Reset password of different user

Broken User Authentication

Sagar Jani
2 min read · Nov 26, 2022
OWASP Challenges

Let’s look at one more challenge from the OWASP API Challenges; please read the first post for better context.

Today we will look into Challenge #3: Reset the password of a different user.

Find an email address of another user on crAPI

Brute forcing might be the answer. If you face any protection mechanisms, remember to leverage the predictable nature of REST APIs to find more similar API endpoints.

Step 1 — Find an email address of another user on crAPI

Click on Community and look at the response in the Network tab of Chrome dev tools. As you can see, the API returns more information than the page needs: the email addresses of all users who have commented.

For this example, let's use rocksolid007@blah.com
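The community endpoint leaks a field the feed never displays, which is what OWASP calls excessive data exposure. The following is an added example, not code from the post or from crAPI, of the two things a defender would want here: an allow-list serializer that lets only the fields the UI needs leave the API, and a small check that walks any JSON response and reports strings that look like email addresses, so an API test can assert a public endpoint returns none. The post records are constructed sample data.

```python
import re

# Constructed sample of what a community-feed endpoint might hold per post.
# The author's email is stored, but the feed page only ever shows a nickname.
SAMPLE_POSTS = [
    {"id": "p1", "title": "Tire pressure tips", "content": "...",
     "author": {"nickname": "rocksolid", "email": "rocksolid007@blah.com"}},
    {"id": "p2", "title": "Oil change interval", "content": "...",
     "author": {"nickname": "gearhead", "email": "gearhead@example.test"}},
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def public_post_view(post: dict) -> dict:
    """Allow-list serializer: copy only the fields the feed UI needs.

    Anything not named here (the author's email, internal ids, ...) can never
    leak by accident, unlike a deny-list that must be kept up to date.
    """
    return {
        "id": post["id"],
        "title": post["title"],
        "content": post["content"],
        "author": {"nickname": post["author"]["nickname"]},
    }


def community_feed(posts=SAMPLE_POSTS) -> list:
    """What the public /community endpoint should return."""
    return [public_post_view(p) for p in posts]


def find_exposed_emails(payload) -> list:
    """Walk a JSON-like structure and collect every string that looks like an email.

    Intended as an API-test assertion: for an unauthenticated or low-privilege
    endpoint the expected result is an empty list.
    """
    found = []
    if isinstance(payload, dict):
        for value in payload.values():
            found.extend(find_exposed_emails(value))
    elif isinstance(payload, list):
        for value in payload:
            found.extend(find_exposed_emails(value))
    elif isinstance(payload, str):
        found.extend(EMAIL_RE.findall(payload))
    return found


if __name__ == "__main__":
    print("raw records expose:", find_exposed_emails(SAMPLE_POSTS))
    print("public feed exposes:", find_exposed_emails(community_feed()))
```

Running the check against the raw records reproduces the finding from the Network tab (two email addresses), while the allow-listed feed yields nothing; wiring `find_exposed_emails` into the API test suite turns the observation in this step into a regression test.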

Step 2 — Find an endpoint

As indicated in the challenge, this step requires brute-forcing to find the correct endpoint. As we don’t know the user’s existing password, instead of change-password we should look for forgot-password.

Endpoint — https://partner-dius-crapi.nnsworkshop.com/identity/api/auth/forget-password

Body

{
"email" : "rocksolid007@blah.com"
}

Send an HTTP request using Postman or curl.

HTTP request to change password

As seen above, an OTP is sent to the user’s email address. This is where a MailHog instance comes in handy.

As you can see below, we can capture the OTP generated.

Read OTP from Mailhog

MailHog is an email testing tool for developers:

  • Configure your application to use MailHog for SMTP delivery
  • View messages in the web UI, or retrieve them with the JSON API
  • Optionally release messages to real SMTP servers for delivery

You can read more about MailHog here.

Step 3 — Verify OTP

Send another HTTP request to verify the OTP and set a new password.

Verify OTP

And voilà, the password is changed.
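The three steps above are one flow: request a reset for an email address, receive an OTP, and exchange the OTP for a new password. In the lab the OTP is read from MailHog, so the flow works as designed; what makes a real deployment safe is everything the reset service does around the OTP. The following is an added example, not code from the post or from crAPI, of a forgot-password / verify-OTP service with the controls a reviewer would look for: a per-email throttle on reset requests, an OTP that expires, a cap on wrong guesses after which the OTP is discarded, single use, constant-time comparison of the hashed OTP, and an identical response whether or not the address belongs to an account. The class, its constants and the in-memory user store are hypothetical; `outbox` stands in for the SMTP sink (MailHog in the lab) and `clock` is injectable so tests can advance time.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300          # an OTP is only valid for five minutes
MAX_OTP_ATTEMPTS = 5           # wrong guesses per issued OTP before it is discarded
MAX_REQUESTS_PER_WINDOW = 3    # forgot-password calls per email per window
REQUEST_WINDOW_SECONDS = 900

GENERIC_REQUEST_REPLY = {"status": 200, "message": "If the account exists, an OTP has been sent"}
GENERIC_VERIFY_FAILURE = {"status": 400, "message": "Invalid or expired OTP"}


@dataclass
class ResetState:
    otp_hash: bytes
    salt: bytes
    expires_at: float
    attempts: int = 0


class PasswordResetService:
    """Hypothetical hardened reset flow; users is an in-memory email -> password map."""

    def __init__(self, users: dict, clock=time.time):
        self.users = users
        self.clock = clock
        self.outbox = []                 # constructed stand-in for the mail sink
        self._pending = {}               # email -> ResetState
        self._request_log = {}           # email -> timestamps of recent requests

    @staticmethod
    def _hash_otp(otp: str, salt: bytes) -> bytes:
        # Store only a salted hash so a database read does not reveal live OTPs.
        return hashlib.pbkdf2_hmac("sha256", otp.encode(), salt, 50_000)

    def request_reset(self, email: str) -> dict:
        now = self.clock()
        recent = [t for t in self._request_log.get(email, []) if now - t < REQUEST_WINDOW_SECONDS]
        if len(recent) >= MAX_REQUESTS_PER_WINDOW:
            self._request_log[email] = recent
            return {"status": 429, "message": "Too many requests"}
        recent.append(now)
        self._request_log[email] = recent

        if email in self.users:
            otp = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
            salt = secrets.token_bytes(16)
            self._pending[email] = ResetState(self._hash_otp(otp, salt), salt, now + OTP_TTL_SECONDS)
            self.outbox.append({"to": email, "otp": otp})
        # Same reply either way, so the endpoint cannot be used to enumerate accounts.
        return dict(GENERIC_REQUEST_REPLY)

    def verify_otp(self, email: str, otp: str, new_password: str) -> dict:
        state = self._pending.get(email)
        if state is None or self.clock() > state.expires_at:
            self._pending.pop(email, None)
            return dict(GENERIC_VERIFY_FAILURE)

        state.attempts += 1
        if not hmac.compare_digest(self._hash_otp(otp, state.salt), state.otp_hash):
            if state.attempts >= MAX_OTP_ATTEMPTS:
                # Guess budget exhausted: throw the OTP away; the user must request a new one.
                del self._pending[email]
            return dict(GENERIC_VERIFY_FAILURE)

        # Correct OTP: consume it first so it can never be replayed, then change the password.
        del self._pending[email]
        self.users[email] = new_password     # a real store would hash the new password
        return {"status": 200, "message": "Password changed"}


if __name__ == "__main__":
    svc = PasswordResetService({"alice@example.test": "old-password"})
    print(svc.request_reset("alice@example.test"))
    otp = svc.outbox[-1]["otp"]              # read from the mail sink, as with MailHog
    print(svc.verify_otp("alice@example.test", otp, "new-password"))
    print(svc.verify_otp("alice@example.test", otp, "again"))   # single use: rejected
```

With a six-digit code, the guess cap is the control that matters most: five attempts against a space of one million leaves a negligible chance of success, and because the OTP is discarded rather than merely delayed, a renewed attack has to start from a fresh request, which the per-email throttle in turn limits. Returning the same message for unknown and known addresses keeps the forgot-password endpoint from doubling as a user-enumeration oracle.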

If you enjoyed this article, please follow me on Twitter; I write about Tech & Fitness.
