Testing Password Reset Token Predictability with the Reset-A-Tron Burp Extension
Most web applications provide a 'forgot my password' feature where a recovery or reset token is delivered to the associated account email address. Usually these emails contain a link with a random-looking token that, once clicked, results in the user being able to proceed with the recovery process. It is important to test the randomness of these reset tokens to ensure that attackers cannot forge their own and take over accounts they do not own. In this blog post, we will show how to automate the collection of tokens from password reset emails with a custom Burp extension and the Burp Collaborator. The collected tokens can be analyzed with Burp Sequencer or other tools.
Burp provides a means to import collected tokens and subject them to various randomness tests through its Sequencer; however, manually collecting reset tokens from recovery emails can be very time consuming.
This process can be automated by using the Burp Collaborator to receive the incoming reset emails and an extension that polls the Collaborator and parses those emails for the reset tokens, which are then saved to a file. The file can then be imported into Burp Sequencer (or another tool) for analysis.
Use the following guide to install the extension and test your collaborator setup:
1. Ensure you have configured Burp for Jython.
2. Download and install the Reset-A-Tron extension.
3. Once installed, you should see the Reset-A-Tron tab, which provides a basic user interface for configuration and output. Inside the Token Type panel, you can specify a link parameter name if the token is sent as a query parameter of a URL, as in the email shown below. You can also specify a regular expression for other types of tokens, such as ones embedded in a REST-style URL path or even numeric codes.
```html
<body style="font-family: Arial; font-size: 12px;">
You have requested a password reset, please follow the link below to reset your password.
Please ignore this email if you did not request a password change.
Follow this link to reset your password.
</body>
```
4. Configure the project settings to use the Burp Collaborator of your choice. The extension will also use the same one. The extension obtains the Collaborator domain at startup so changing it requires a reload.
5. Specify the polling time for how frequently the extension will check the Collaborator for new messages as well as the path and filename for where the collected tokens will be sent to.
6. Click Start to begin polling. The extension will provide an email address that can be used for your testing as well as a test command that can be used with sendemail.
7. Update the web application account to use the provided email so that reset emails are delivered to the collaborator. The name component of the email can be any value, however, the domain component must match the value initially provided by the extension. You can either scroll to the top of the output window or use the 'Copy Email' button in the Control panel to copy the generated domain to the clipboard. Due to how the Burp Collaborator works, it is currently not possible to re-use the same domain after restarting Burp sessions.
8. Repeatedly use the password recovery feature of the application. As emails are delivered to the Collaborator, the extension will provide output along with the value of the recovered token and confirmation that the value has been saved.
9. When a sufficiently large sample has been generated (consider using an Intruder attack to automate the reset requests), import the token file into Sequencer or any other tool of your choice.
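The two extraction modes from step 3 (a link parameter name, or a regular expression for REST-style paths and numeric codes) and the file the extension writes for step 9 can be illustrated outside Burp. The block below is an added example, not the Reset-A-Tron source or any Burp API: it runs the two modes over constructed sample email bodies (the domain `app.example`, the `token` parameter and every token value are made up), appends the results one per line in the layout Sequencer's manual load accepts, and adds a per-position Shannon entropy check that flags tokens where only a few characters actually vary, a pattern Sequencer would also reveal but which is useful to spot before a full run.

```python
import html
import re
from collections import Counter
from math import log2
from urllib.parse import parse_qs, urlparse

# Constructed sample reset emails (not captured traffic). The first three carry
# the token as a URL query parameter; the fourth embeds it in a REST-style path;
# the fifth is a plain numeric code. The query-parameter tokens are deliberately
# near-sequential so the entropy check below has something to flag.
SAMPLE_EMAILS = [
    '<body style="font-family: Arial; font-size: 12px;">You have requested a password reset. '
    '<a href="https://app.example/reset?token=a1b2c3d4e5f60718&amp;uid=7">Follow this link</a></body>',
    '<body>Reset your password: <a href="https://app.example/reset?token=a1b2c3d4e5f60719&amp;uid=7">here</a></body>',
    '<body>Reset your password: <a href="https://app.example/reset?token=a1b2c3d4e5f6071a&amp;uid=7">here</a></body>',
    '<body>Confirm at https://app.example/reset/3f9c0d1e/confirm within 15 minutes.</body>',
    '<body>Your one-time code is 482913. It expires in 10 minutes.</body>',
]

# Matches absolute http(s) URLs up to whitespace, quotes or angle brackets.
LINK_RE = re.compile(r'https?://[^\s"\'<>]+')


def tokens_from_link_param(body, param):
    """Mode 1 (link parameter name): find every URL in the body and return the
    values of the named query parameter. HTML entities such as &amp; are
    decoded first so the query string splits correctly."""
    found = []
    for url in LINK_RE.findall(html.unescape(body)):
        found.extend(parse_qs(urlparse(url).query).get(param, []))
    return found


def tokens_from_regex(body, pattern):
    """Mode 2 (regular expression): return group 1 of each match, or the whole
    match when the pattern has no capture group."""
    rx = re.compile(pattern)
    return [m.group(1) if m.groups() else m.group(0) for m in rx.finditer(html.unescape(body))]


def collect_tokens(emails, param=None, pattern=None):
    """Run whichever mode(s) are configured over every email body, in order."""
    tokens = []
    for body in emails:
        if param:
            tokens.extend(tokens_from_link_param(body, param))
        if pattern:
            tokens.extend(tokens_from_regex(body, pattern))
    return tokens


def save_tokens(tokens, path):
    """Append one token per line; Sequencer's manual load reads this layout."""
    with open(path, "a", encoding="utf-8") as fh:
        for token in tokens:
            fh.write(token + "\n")


def position_entropy(tokens):
    """Shannon entropy in bits of the character at each position across the
    sample, truncated to the shortest token. A position that never changes
    scores 0.0; a 16-hex-char token whose first 15 positions score 0.0 is
    effectively a counter, however random it looks in a single email."""
    if not tokens:
        return []
    width = min(len(t) for t in tokens)
    n = len(tokens)
    result = []
    for i in range(width):
        counts = Counter(t[i] for t in tokens)
        h = -sum(c / n * log2(c / n) for c in counts.values())
        result.append(round(h, 3) or 0.0)  # normalise -0.0 to 0.0
    return result


if __name__ == "__main__":
    link_tokens = collect_tokens(SAMPLE_EMAILS, param="token")
    rest_tokens = collect_tokens(SAMPLE_EMAILS, pattern=r"/reset/([0-9a-f]+)/")
    code_tokens = collect_tokens(SAMPLE_EMAILS, pattern=r"code is (\d{6})")
    save_tokens(link_tokens + rest_tokens + code_tokens, "tokens.txt")
    print("link-parameter tokens:", link_tokens)
    print("per-position entropy :", position_entropy(link_tokens))
```

With the three constructed query-parameter tokens, every position but the last scores 0.0 bits, which is the shape a sequential or timestamp-derived token shows long before Sequencer's full battery confirms it; a real sample should be hundreds of tokens, which is why step 9 suggests automating the reset requests.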
Password recovery tokens are a common web application feature that can be difficult to test. Try the Reset-A-Tron extension for Burp Suite to collect reset emails and extract tokens, then load them into Sequencer for predictability analysis. The source code for the extension is hosted at the following GitHub repository: https://github.com/Optiv-Appsec/burp-reset-a-tron. You might be surprised what you find!