Most applications give users a "Reset Password" function via email. This functionality has always been an area of interest for Bug Bounty Hunters and Security Researchers. From basic attacks such as rate limiting and Host Header Injection to full account takeovers, this functionality is total fun and a big win to invest time in.

Hi Fellow Hackers & Hunters! In this article, I will describe one of my recent findings, **Account Takeover via Analysing Cryptographic Patterns in Password Reset**, which eventually became a P1 (critical) bug.


The application I was working on was part of a **Private Program**. Let's call it www.target.com for demonstration purposes.

I switched back to this target after a few weeks and had forgotten my credentials for the test accounts (I usually do :P). I went ahead and made a **Forgot Password** request for two of my test accounts.

The accounts were <bugcrowd_alias>+1@bugcrowdninja.com and <bugcrowd_alias>+2@bugcrowdninja.com.

For those who don't know what the **"+"** does here: if you append **+sometext** to your email address, it creates an alias of your address, and all mail sent to the alias is delivered to your actual mailbox. This helps a lot while testing, because most applications do not block it, and this finding was only possible because of it.
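Since plus-addressing is what makes one mailbox look like several users, here is an added example (my own code, not the author's and not anything from www.target.com) of how a defender would canonicalise addresses so that aliases of the same mailbox are recognised when checking for duplicate accounts or counting reset requests. The provider rules (plus-addressing honoured by most providers, dots ignored by Gmail) are stated as assumptions in the code, and the account list and log lines are constructed.

```python
"""Canonicalise e-mail addresses so sub-address aliases map to one mailbox.

Added example, not from the original write-up. Provider behaviour is an
assumption: "user+tag@domain" is delivered to "user@domain" by most mail
providers, and Gmail additionally ignores dots in the local part.
"""
from collections import defaultdict

# Domains assumed to ignore dots in the local part (Gmail only).
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Return a canonical form of an e-mail address.

    - trims whitespace and lowercases both parts (assumption: the provider
      treats the local part case-insensitively, as nearly all do)
    - strips a "+tag" sub-address from the local part
    - drops dots in the local part for dot-insensitive providers
    """
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError(f"not a single-@ address: {address!r}")
    local, domain = address.rsplit("@", 1)
    local, domain = local.lower(), domain.lower()
    local = local.split("+", 1)[0]          # "hunter+1" -> "hunter"
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")      # "first.last" -> "firstlast"
    if not local or not domain:
        raise ValueError(f"empty local part or domain: {address!r}")
    return f"{local}@{domain}"


def mailboxes_with_many_accounts(accounts, limit=1):
    """Group registered account e-mails by canonical mailbox and return the
    groups that back more than `limit` accounts (a one-mailbox-per-user rule
    that aliases would otherwise bypass)."""
    groups = defaultdict(list)
    for addr in accounts:
        groups[canonical_email(addr)].append(addr)
    return {mbox: addrs for mbox, addrs in groups.items() if len(addrs) > limit}


def reset_requests_per_mailbox(log_lines):
    """Count password-reset requests per canonical mailbox from constructed
    log lines of the form "<timestamp> <event> <email>". Rate-limiting on
    this key, rather than on the raw address, covers the alias trick."""
    counts = defaultdict(int)
    for line in log_lines:
        parts = line.split()
        if len(parts) >= 3 and parts[1] == "reset_requested":
            counts[canonical_email(parts[2])] += 1
    return dict(counts)


# Constructed sample data: hypothetical addresses, not real accounts.
SAMPLE_ACCOUNTS = [
    "hunter+1@example.com",
    "hunter+2@example.com",
    "Hunter@Example.com",
    "someone.else@example.com",
    "first.last+promo@gmail.com",
    "firstlast@gmail.com",
]

SAMPLE_RESET_LOG = [
    "2024-01-01T10:00:00Z reset_requested hunter+1@example.com",
    "2024-01-01T10:00:05Z reset_requested hunter+2@example.com",
    "2024-01-01T10:00:09Z login_ok someone.else@example.com",
    "2024-01-01T10:00:12Z reset_requested someone.else@example.com",
]

if __name__ == "__main__":
    for mbox, addrs in mailboxes_with_many_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{mbox} backs {len(addrs)} accounts: {addrs}")
    for mbox, n in reset_requests_per_mailbox(SAMPLE_RESET_LOG).items():
        print(f"{mbox}: {n} reset request(s)")
```

The point of the canonical key is that a reset-request limit or a "one account per mailbox" check keyed on the raw string sees three unrelated users above, while keyed on `canonical_email` it sees one mailbox with three accounts and two reset requests in five seconds.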


Weak Cryptography in Password Reset to Full Account Takeover