Summary of password-retrieval logic vulnerabilities - vulnerability warning - the Black Bar Safety Net

2015-03-10T00:00:00
ID MYHACK58:62201559769
Type myhack58
Reporter Anonymous (佚名)
Modified 2015-03-10T00:00:00

Description

0x00 Background

Please refer to these two earlier articles:

Possible problems in password-retrieval functions

Possible problems in password-retrieval functions (supplement)

Six months have passed since those two articles. I recently put together a mind map of password-retrieval vulnerabilities, went back through the collected cases, and found several new situations. Here I summarize all the cases I have seen and share them, so that you can test against this framework.

0x01 General process for testing password-retrieval logic

  • First walk through a normal password-retrieval flow, choosing each of the available retrieval methods, and record all packets

  • Analyse the packets and locate the sensitive parts

  • Work out which verification mechanism the back end uses for retrieval

  • Modify the packets to confirm the hypothesis

0x02 Mind map

[Mind map image]

0x03 Details

Brute-forcing user credentials

Example: four- or six-digit purely numeric codes

  • Tick: Dangdang arbitrary user password change vulnerability

  • Tick: WeChat arbitrary user password change vulnerability

Credential returned to the client

Example: the URL returns the code and token

  • Tick: catwalk network "show mission" arbitrary password modification defect

  • Tick: Every Day network arbitrary account password reset II

Password-retrieval credential present in the page

Example: retrieving the password via the secret question

  • Tick: Sohu mailbox arbitrary user password reset

SMS verification code returned to the client

Example

  • Tick: a Sina site arbitrary user password modification (verification code and retrieval logic improperly designed)

Weak mailbox token

Example: MD5 of a timestamp

  • Tick: Qihoo 360 arbitrary user password change vulnerability

Username & server time

  • Tick: a ZTE website arbitrary user password reset vulnerability (classic design defect case)

Validity period of user credentials

Example: SMS verification code

  • Tick: OPPO mobile arbitrary account password reset (3)

  • Tick: second reset of any account password on the OPPO mobile official website (changed in seconds)

  • Tick: OPPO arbitrary account password modification

Mailbox token

Example

  • Tick: identity pass arbitrary password modification, leaking a large amount of citizen information

Password reset token

Example

  • Tick: Meizu account system vulnerability can lead to arbitrary account password reset

Rebinding

Example: mobile number binding

  • Tick: NetEase mailbox can directly modify other users' passwords

  • Tick: 12308 can modify any user's password

Mailbox binding

Example

  • Tick: a lottery site design defect can modify any user's password

  • Tick: China Industrial Control Network arbitrary user password reset vulnerability

Server-side verification

Example: the final submission step

  • Tick: Ctrip arbitrary user password modification (Qing, 100th hole on Tick)

Server verifies client-controllable content

Example

  • Tick: AA Carpool network arbitrary password retrieval 2

  • Tick: Sichuan "I want to go" 517 travel network arbitrary account password reset vulnerability

Server-side verification logic is empty

Example

  • Tick: a mail system used by government and enterprises suspected of a common design problem

User identity verification

Example: account and phone number binding

  • Tick: Shanghai Telecom pass arbitrary password reset

Account bound to an email address

Example

  • Tick: Meizu account system vulnerability can lead to arbitrary account password reset

  • Tick: And News Network arbitrary user password modification vulnerability

Skipping steps

Example: skip the verification step and go directly to the set-new-password page

  • Tick: OPPO Mobile Sync password freely modifiable, SMS and contacts freely viewable

  • Tick: a China Telecom IDC information security management system design flaw causing the system to be compromised
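The categories above (weak tokens derived from username and server time, brute-forceable numeric codes, credentials without a validity period, client-controllable account identity, and skipping the verification step) all come down to how the server creates and checks the reset credential. The following is an added example written for this summary, not code from the article or from any of the referenced sites; it assumes an in-memory store, a 10-minute lifetime and a five-attempt limit, which are illustrative policy values. It contrasts the predictable "username & server time" token with a hardened reset flow in which the token is random, stored only as a hash, bound server-side to the account, expires, is single-use, and cannot reach the set-password step until the code step has succeeded.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL = 600          # lifetime of the token and SMS code in seconds (assumed policy)
MAX_CODE_ATTEMPTS = 5   # wrong guesses allowed before the request is burned (assumed policy)


def weak_token(username: str, server_time: int) -> str:
    """The 'username & server time' pattern from the mind map.

    Anyone who knows the target username and roughly when the request was made
    can recompute this value, so it is deterministic rather than secret."""
    return hashlib.md5(f"{username}{server_time}".encode()).hexdigest()


@dataclass
class ResetRequest:
    user_id: str             # fixed when the request is created; never read from the client again
    token_hash: str          # only a hash of the emailed token is stored
    code_hash: str           # only a hash of the SMS code is stored
    expires_at: float
    attempts: int = 0
    code_verified: bool = False   # step 2 must succeed before step 3 is allowed
    used: bool = False


class ResetService:
    """Hardened password-reset flow (illustrative, in-memory)."""

    def __init__(self, now=time.time):
        self.now = now                           # injectable clock for testing expiry
        self.requests: dict[str, ResetRequest] = {}   # keyed by token hash

    @staticmethod
    def _h(value: str) -> str:
        return hashlib.sha256(value.encode()).hexdigest()

    def start(self, user_id: str) -> tuple[str, str]:
        """Step 1: create a reset for an account resolved server-side.

        Returns the token (sent by email) and the 6-digit code (sent by SMS).
        Neither must appear in the HTTP response or the page in a real deployment."""
        token = secrets.token_urlsafe(32)                 # 256 bits of randomness
        code = f"{secrets.randbelow(10**6):06d}"          # short code, so attempts are capped below
        req = ResetRequest(user_id, self._h(token), self._h(code), self.now() + CODE_TTL)
        self.requests[req.token_hash] = req
        return token, code

    def _lookup(self, token: str):
        req = self.requests.get(self._h(token))
        if req is None or req.used or self.now() > req.expires_at:
            return None                                   # unknown, consumed or expired
        return req

    def verify_code(self, token: str, code: str) -> bool:
        """Step 2: check the SMS code, with an attempt limit against brute force."""
        req = self._lookup(token)
        if req is None or req.attempts >= MAX_CODE_ATTEMPTS:
            return False
        req.attempts += 1
        if hmac.compare_digest(req.code_hash, self._h(code)):
            req.code_verified = True
            return True
        if req.attempts >= MAX_CODE_ATTEMPTS:
            req.used = True                               # burn the request after too many guesses
        return False

    def set_password(self, token: str, new_password: str, users: dict) -> bool:
        """Step 3: only reachable with a live token whose code step already passed.

        The account comes from the stored request, not from any client-supplied field."""
        req = self._lookup(token)
        if req is None or not req.code_verified:
            return False
        users[req.user_id] = new_password                 # a real system would hash the password
        req.used = True                                   # single use: the token cannot be replayed
        return True


if __name__ == "__main__":
    svc = ResetService()
    users = {"alice": "old-password"}                     # constructed sample account
    token, code = svc.start("alice")
    print("skip step 2 ->", svc.set_password(token, "new", users))   # False
    print("verify code ->", svc.verify_code(token, code))            # True
    print("set password ->", svc.set_password(token, "new", users))  # True
    print("replay token ->", svc.set_password(token, "again", users))  # False
```

The two checks that matter most for the cases listed above are in `_lookup` and `set_password`: a request that is expired, consumed or never passed the code step is rejected regardless of what the client submits, and the target account is never taken from the final request.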
