
Conversation

carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

The post details a pre-authentication account-takeover caused by a registration endpoint that doubles as a password reset without ownership verification. The researcher proxied the Android app through Burp Suite (guide), extracted API paths from bundled JavaScript to build a custom wordlist, and fuzzed with FFUF to enumerate hidden actions. This process rev...

🔧 Technical Details

Endpoint harvesting + fuzzing: Extract API paths from client code (e.g., bundled JavaScript) to build a custom wordlist, then fuzz /base/path/FUZZ to discover hidden handlers. Use server feedback (e.g., “Only POST request is allowed.”) to infer required methods and parameters, then iterate with correct verbs and headers.
Registration-as-reset abuse: When registration handlers upsert on existing emails, submit {"email": "[email protected]", "password": "New@123"} to overwrite credentials without a reset token. This exploits missing uniqueness checks and absent ownership verification, yielding immediate ATO. Mitigate by rejecting existing emails on signup and requiring tokenized, verified flows for password changes.

🤖 Agent Actions

I analyzed the blog and HackTricks structure and found the best-fit locations to add this technique are:

  • pentesting-web/reset-password.md: This page catalogs password reset logic abuses and already includes pre-auth reset patterns. It needed a dedicated section for “Registration-as-Reset (Upsert on Existing Email)” as described in the blog.
  • pentesting-web/registration-vulnerabilities.md: This page covers registration and account takeover vectors but lacked the specific upsert-abuse technique. I added a new subsection under Password Reset Takeover to reflect the registration endpoint doubling as a password reset.

What I added

  1. In pentesting-web/reset-password.md:
  • New section “Registration-as-Password-Reset (Upsert on Existing Email)” with:
    • Clear description of the vulnerable pattern: registration handler upserts on existing email, letting pre-auth password overwrite.
    • Endpoint discovery workflow: build wordlist from bundled JS/mobile traffic and fuzz with ffuf; method hinting via server messages like “Only POST request is allowed.”
    • PoC request demonstrating the arbitrary password reset by POSTing JSON {"email": "...", "password": "..."}.
    • Classification mapping (OWASP A01/A07, CWE-287, CWE-640).
    • Mitigation guidance (strict separation of registration vs reset, 409 on existing email, tokenized verified reset, auditing/ratelimiting).
    • An ffuf example for fuzzing base paths.
  • Updated References to include the blog URL.
  2. In pentesting-web/registration-vulnerabilities.md:
  • New subsection “Registration-as-Reset (Upsert on Existing Email)” with:
    • Technique explanation and impact (pre-auth ATO).
    • Discovery and method hinting details (JS-derived wordlists, ffuf fuzzing, server feedback).
    • JSON body PoC and HTTP request PoC.
    • Mitigations as above.
  • Updated References to include the blog URL.

Why these locations

  • The technique is a logic flaw that allows pre-auth password reset by abusing the registration endpoint. These two pages already cover password reset and registration takeover vectors and are the most relevant places to incorporate this specific “registration-as-reset via upsert” pattern without creating a new page.
  • The endpoint discovery aspects (JS harvesting + ffuf) are already broadly covered under the Web Methodology spidering/fuzzing content, so I referenced the process concisely rather than duplicating extensive enumeration material.

Changes performed

  • Modified: src/pentesting-web/reset-password.md
  • Modified: src/pentesting-web/registration-vulnerabilities.md

Both files now include the “Registration-as-Reset (Upsert on Existing Email)” technique with reproduction steps, PoC, and mitigation, and both reference the blog.

No other updates were necessary since endpoint harvesting and ffuf usage are already well-covered in the Web Methodology.
This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

🗑️ File Cleanup

  • searchindex.js removed: This auto-generated file has been removed to prevent conflicts.

… program(...

- Remove searchindex.js (auto-generated file)
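Added example, not code from the original blog post, the PR, or HackTricks: a self-contained Python model of the two steps the PR body describes. harvest_paths() turns quoted URL paths in a bundled JS file into FUZZ words for ffuf, ffuf_command() assembles the fuzzing command, and AccountService contrasts the flawed registration handler (upsert on an existing email, which is the ATO) with the hardened behaviour the PR lists as mitigation (409 on an existing email, password change only through a single-use token). The JS bundle, the /api/v2 base path, the e-mail addresses and all function names are constructed for the example and do not come from the post.

```python
"""Added example (not from the original post or HackTricks).  Everything below
(paths, JS bundle, e-mails, class and function names) is constructed."""
import hashlib
import hmac
import re
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for a JS bundle pulled from the mobile app / web client.
SAMPLE_BUNDLE_JS = r'''
const API = "/api/v2";
function login(e, p) { return fetch(API + "/auth/login", {method: "POST"}); }
function register(e, p) { return fetch(API + "/auth/register", {method: "POST"}); }
function forgot(e) { return fetch("/api/v2/auth/forgot-password", {method: "POST"}); }
const logo = "/static/img/logo.png";
'''

QUOTED_PATH_RE = re.compile(r'["\'](/[A-Za-z0-9_./-]+)["\']')
STATIC_EXT = (".png", ".jpg", ".css", ".js", ".svg", ".ico")


def harvest_paths(js: str, base: str = "/api/v2") -> List[str]:
    """Collect quoted URL paths from client JS and return them as FUZZ words
    relative to `base`.  Fragments concatenated onto a base constant
    (API + "/auth/login") are still caught: they are quoted and start with '/'."""
    words = set()
    for path in QUOTED_PATH_RE.findall(js):
        if path.lower().endswith(STATIC_EXT) or path == base:
            continue                      # skip assets and the bare base path
        if path.startswith(base + "/"):
            path = path[len(base) + 1:]   # make it relative to the fuzzed base
        words.add(path.strip("/"))
    return sorted(words)


def ffuf_command(base_url: str, wordlist: str) -> str:
    """Fuzz /base/path/FUZZ with the harvested words.  Start with POST because
    the server hint in the post ("Only POST request is allowed.") says GET
    is rejected; -mc all -fc 404 keeps every non-404 answer for review."""
    return (f"ffuf -u {base_url}/FUZZ -w {wordlist} -X POST "
            f"-H 'Content-Type: application/json' -d '{{}}' -mc all -fc 404")


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountService:
    """In-memory model of the backend.  register_upsert() reproduces the flaw;
    register() and the token flow are the hardened versions."""

    def __init__(self) -> None:
        self.users: Dict[str, Tuple[bytes, bytes]] = {}   # email -> (salt, hash)
        self.reset_tokens: Dict[str, str] = {}            # token -> email

    def _store(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[email] = (salt, _pbkdf2(password, salt))

    def verify(self, email: str, password: str) -> bool:
        if email not in self.users:
            return False
        salt, digest = self.users[email]
        return hmac.compare_digest(digest, _pbkdf2(password, salt))

    # Vulnerable: the registration handler upserts, so {"email": victim,
    # "password": attacker_choice} overwrites the victim's credential pre-auth.
    def register_upsert(self, email: str, password: str) -> int:
        self._store(email, password)      # no uniqueness or ownership check
        return 200

    # Hardened: signup refuses an e-mail that already exists.
    def register(self, email: str, password: str) -> int:
        if email in self.users:
            return 409
        self._store(email, password)
        return 201

    # Hardened: password changes only through an unguessable, single-use token.
    def request_reset(self, email: str) -> Optional[str]:
        """Returns the token so the example can finish the flow; a real
        service would deliver it out of band and return nothing here."""
        if email not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = email
        return token

    def reset_with_token(self, token: str, new_password: str) -> int:
        email = self.reset_tokens.pop(token, None)   # pop makes it single-use
        if email is None:
            return 403
        self._store(email, new_password)
        return 200


if __name__ == "__main__":
    print(harvest_paths(SAMPLE_BUNDLE_JS))
    print(ffuf_command("https://target.example/api/v2", "api_words.txt"))
    svc = AccountService()
    svc.register("victim@example.com", "OriginalPass1")        # constructed victim
    svc.register_upsert("victim@example.com", "New@123")       # attacker's PoC body
    print("takeover:", svc.verify("victim@example.com", "New@123"))
```

The takeover shows up as verify() succeeding with the attacker's password after a single unauthenticated register_upsert() call; the same body against register() gets a 409 and the victim's hash is untouched. The token flow also illustrates why the reset path must be separate from signup: without a valid, unused token the password cannot change.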
@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://s41n1k.medium.com/how-i-found-a-critical-password-reset-bug-in-the-bb-program-and-got-4-000-a22fffe285e1

Content Categories: Based on the analysis, this content was categorized under "Generic Hacking > Authentication & Authorization > Password Reset/Registration Logic Abuse (ATO via upsert)".

Repository Maintenance:

  • MD Files Formatting: 876 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
