Changing password without knowing old password
September 15, 2019
| Field | Value |
| --- | --- |
| Reported at | September 10, 2019 |
| Weakness | CWE-620 - Unverified Password Change |
It is possible to change a user's password without knowing the current one by sending the password change request to the /auth/setPassword endpoint instead of /auth/password.
Impact - By intercepting and modifying the request, a user who holds a valid token can change their password without knowing the current one.
Step by step - Scenario
- Using a proxy, intercept the password change request (enter anything in the old password field).
- Change the endpoint from /auth/password to /auth/setPassword.
- Change POST data to (where 'MyNewPassword' is the new password you
- Send the request.
The current password must be entered when changing the password.
A valid token is required.
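As an added illustration that is not part of the original report (the application's own code is not shown), the pattern behind CWE-620 and its fix: both handlers require a valid session token, but only the hardened one verifies the current password before storing the new one. The user store, session table and hashing scheme are constructed here purely for the example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stores for the example (not the application's own).
USERS = {}     # username -> (salt, pbkdf2 hash of the password)
SESSIONS = {}  # session token -> username


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count kept modest so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def create_user(username: str, password: str) -> str:
    """Register a user and return a fresh session token for them."""
    salt = os.urandom(16)
    USERS[username] = (salt, _hash(password, salt))
    token = secrets.token_hex(16)
    SESSIONS[token] = username
    return token


def verify_password(username: str, password: str) -> bool:
    salt, stored = USERS[username]
    return hmac.compare_digest(stored, _hash(password, salt))


def set_password_vulnerable(token: str, new_password: str) -> bool:
    """Vulnerable handler (like /auth/setPassword in the report): the only check
    is that the session token is valid, so the current password is never verified."""
    user = SESSIONS.get(token)
    if user is None:
        return False
    salt = os.urandom(16)
    USERS[user] = (salt, _hash(new_password, salt))
    return True


def change_password(token: str, old_password: str, new_password: str) -> bool:
    """Hardened handler: same token check, plus the caller must prove knowledge
    of the current password before the new one is stored."""
    user = SESSIONS.get(token)
    if user is None or not verify_password(user, old_password):
        return False
    salt = os.urandom(16)
    USERS[user] = (salt, _hash(new_password, salt))
    return True
```

The fix for the reported issue is to route every authenticated password change through a handler of the second kind and to leave no token-only path to the password setter.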