Pentest Files: Admin Account Takeover via Password Reset

BY Conor O'Neill / ON May 18, 2022

Welcome to our Pentest Files blog series.

Each blog post will present an interesting or dangerous finding one of our testers has identified in an actual recent pen-test, so you can see the kinds of cool things our pen-testers get up to, and also to help you take steps to prevent similar vulnerabilities in your own assets.

These findings are taken from real reports, anonymised, and published with kind permission from our clients.


Tester: Nabeel Ahmed

Company Revenue: $50m

Vertical: Health, Medical or Med-Tech

Impact: Complete application and user data compromise

What happened?

Nabeel took over the entire target application by exploiting a bug in the ‘forgotten password’ mechanism.

The Finding

An oldie but a goodie! Nabeel exploited what’s known as an Insecure Direct Object Reference (IDOR) vulnerability. Essentially, when the user chose a new password at the end of the password reset process, the ID of the user was sent with the password. By simply changing this user ID, Nabeel could reset the password of any application user, including the admin users.

Insecure Direct Object Reference IDOR

The Fix

To prevent this, either:

  • Determine the user whose password should be changed from the session information of the currently logged in user
  • Ensure that the ID of the currently logged in user matches the ID supplied in the request

As well as this, all applications should adhere to the principle of never trusting any data that comes from the browser.

Bedtime Reading

https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html