Testing Password Reset Token Predictability with the Reset-A-Tron Burp Extension
April 18, 2018
Most web applications provide a 'forgot my password' feature where a recovery or reset token is delivered to the associated account email address. Usually these emails contain a link with a random-looking token that, once clicked, results in the user being able to proceed with the recovery process. It is important to test the randomness of these reset tokens to ensure that attackers cannot forge their own and take over accounts they do not own. In this blog post, we will show how to automate the collection of tokens from password reset emails with a custom Burp extension and the Burp Collaborator. The collected tokens can be analyzed with Burp Sequencer or other tools.
Burp provides a means to import collected tokens and subject them to various randomness tests through it's Sequencer; however manually collecting reset tokens through recovery emails can be very time consuming.
This process can be automated by using the Burp Collaborator to receive incoming reset emails and using an extension to poll the collaborator and parse those emails for the reset token which are then saved to a file. The file can then be imported into the Burp Sequencer (or other tool) for analysis.
Use the following guide to install the extension and test your collaborator setup:
1. Ensure you have configured Burp for Jython.
2. Download and install the Reset-A-Tron extension.
3. Once installed, you should see the Reset-A-Tron tab which provides a basic user interface for configuration and output. Inside the Token Type panel, you can specify a link parameter name if the token is sent as a URL, similar to the one shown below. You can also specify a regular expression for other types of tokens such as ones sent in a REST URL or even numeric codes.
<body style="font-family: Arial; font-size: 12px;">
You have requested a password reset, please follow the link below to reset your password.
Please ignore this email if you did not request a password change.
Follow this link to reset your password.
4. Configure the project settings to use the Burp Collaborator of your choice. The extension will also use the same one. The extension obtains the Collaborator domain at startup so changing it requires a reload.
5. Specify the polling time for how frequently the extension will check the Collaborator for new messages as well as the path and filename for where the collected tokens will be sent to.
6. Click Start to begin polling. The extension will provide an email address that can be used for your testing as well as a test command that can be used with sendemail.
7. Update the web application account to use the provided email so that reset emails are delivered to the collaborator. The name component of the email can be any value, however, the domain component must match the value initially provided by the extension. You can either scroll to the top of the output window or use the 'Copy Email' button in the Control panel to copy the generated domain to the clipboard. Due to how the Burp Collaborator works, it is currently not possible to re-use the same domain after restarting Burp sessions.
8. Repeatedly use the password recovery feature of the application. As emails are delivered to the Collaborator, the extension will provide output along with the value of the recovered token and confirmation that the value has been saved.
9. When a sufficiently large enough sample has been generated (consider using an intruder attack to automate this), import the token file to Sequencer or any other tool of your choice.
Password recovery tokens are a common web application feature that can be difficult to test. Try the Reset-A-Tron plugin for BurpSuite to collect reset emails and extract tokens, and then load them into the Sequencer for some predictability analysis. The source code for the extension is hosted at the following GitHub repository: https://github.com/Optiv-Appsec/burp-reset-a-tron. You might be surprised what you find!