Menu Icon

Cobalt Vulnerability Wiki

Cobalt Vulnerability Wiki

Categories

Toggle Arrow IconV2 - AuthenticationToggle Arrow IconV3 - Session ManagementToggle Arrow IconV4 - Access Control
Account takeover via "Forgot your password" functionality Admin panel publicly accessible Admin panel takeover AWS bucket misconfiguration Critically Sensitive Data - Password Disclosure Critically Sensitive Data - Private API KeysCSRF Database Management System (DBMS) Misconfiguration:Excessively Privileged User / DBA Directory Listing Enabled EXIF Geolocation Data Not Stripped From Uploaded Images - User Enumeration Insecure crossdomain.xml policy OAuth Account Takeover OAuth Insecure Redirect URI OAuth Missing/Broken State Parameter Sensitive Token in URL Token Leakage via Referer Weak Password Reset Implementation - Token Leakage via Host Header Poisoning
Toggle Arrow IconV5 - Validation/SanitizationToggle Arrow IconV6 - CryptographyToggle Arrow IconV7 - Error LoggingToggle Arrow IconV8 - Data ProtectionToggle Arrow IconV9 - CommunicationsToggle Arrow IconV10 - Malicious CodeToggle Arrow IconV11 - Business LogicToggle Arrow IconV12 - Files ResourcesToggle Arrow IconV13 - APIToggle Arrow IconV14 - Config
Arrow Left

V4 - Access Control

Account takeover via "Forgot your password" functionality

POC

- Click Forgot Password


- Insert existing username or email address


- Set interception proxy and catch request to this endtpoint


- Proceed the request and check that password-reset link returned in response json body


- Go to the URL and set password for any account




Impact

High



Likelihood

High


Ready to get started?

our platformschedule a demo
Aircall logoAlgolia logoCangageCredit KarmaDattoEgnyteHubspotMovinimageMulesoftPendoSentaraSmarshSnowSolarisTalkdeskVerifoneKubraAxel SpringerNuna

Join some of these great clients we're proud to have helped