Pentest Files: Admin Account Takeover via Password Reset

BY Conor O'Neill / ON May 18, 2022

Welcome to our Pentest Files blog series.

Each blog post will present an interesting or dangerous finding one of our testers has identified in an actual recent pen-test, so you can see the kinds of cool things our pen-testers get up to, and also to help you take steps to prevent similar vulnerabilities in your own assets.

These findings are taken from real reports, anonymised, and published with kind permission from our clients.


Tester: Nabeel Ahmed

Company Revenue: $50m

Vertical: Health, Medical or Med-Tech

Impact: Complete application and user data compromise

What happened?

Nabeel took over the entire target application by exploiting a bug in the ‘forgotten password’ mechanism.

The Finding

An oldie but a goodie! Nabeel exploited what’s known as an Insecure Direct Object Reference (IDOR) vulnerability. Essentially, when the user chose a new password at the end of the password reset process, the ID of the user was sent with the password. By simply changing this user ID, Nabeel could reset the password of any application user, including the admin users.


The Fix

Direct object references of this kind have no place in modern application development, and building on a recognised application framework makes avoiding them straightforward. In this instance we recommended that the application switch to using UUIDs.

As well as this, all applications should adhere to the principle of never trusting any data that comes from the browser.
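To make the finding and the fix concrete, here is an added example (not code from the original post or from the tested application) showing the vulnerable reset handler described above beside a hardened one. The user and token stores are constructed in-memory stand-ins for a database, and the hashing is a placeholder; the point is that the hardened handler takes the account to update only from the server-side token record and ignores any user ID the browser sends.

```python
import hmac
import secrets
import time

# Constructed in-memory stores standing in for the application's database.
USERS = {"17": {"email": "alice@example.test", "pw_hash": "old-alice"},
         "1": {"email": "admin@example.test", "pw_hash": "old-admin"}}
RESET_TOKENS = {}  # token -> {"user_id": ..., "expires": ...}


def issue_reset_token(user_id: str, ttl: int = 900) -> str:
    """Server binds a random, short-lived token to exactly one account."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = {"user_id": user_id, "expires": time.time() + ttl}
    return token


def vulnerable_reset(form: dict) -> str:
    """The pattern from the finding: the account to update is taken from a
    client-supplied user_id, so the token only proves *someone* asked for a
    reset, not *which* account may be changed."""
    if form.get("token") not in RESET_TOKENS:
        return "invalid token"
    USERS[form["user_id"]]["pw_hash"] = "hash:" + form["new_password"]
    return "ok"


def hardened_reset(form: dict) -> str:
    """The account comes only from the server-side token record. Any user_id
    the browser sends is ignored, the token is single-use, and it expires."""
    token = form.get("token", "")
    # Constant-time comparison so the lookup does not leak token bytes.
    record = next((r for t, r in RESET_TOKENS.items()
                   if hmac.compare_digest(t.encode(), token.encode())), None)
    if record is None or record["expires"] < time.time():
        return "invalid token"
    RESET_TOKENS.pop(token)  # single use
    USERS[record["user_id"]]["pw_hash"] = "hash:" + form["new_password"]
    return "ok"
```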

Bedtime Reading

https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html