I forgot Your password: Pwning modern password recovery systems through JSON injections
During this talk we’ll analyze different vulnerabilities and weaknesses in password recovery mechanisms. To illustrate how dangerous these vulnerabilities can be, we’ll present a live demo showing how an attacker, by chaining different bugs in the SAP HANA password recovery mechanism, could fully compromise the platform.
Designing a decently secure account recovery feature, as well as a registration method, is not a trivial task. In contrast to authentication systems, and as stated in the OWASP Forgot Password Cheat Sheet, “There is no industry standard for implementing a Forgot Password feature. The result is that you see applications forcing users to jump through myriad hoops involving emails, special URLs, temporary passwords, personal security questions, and so on.”
To better illustrate how dangerous and common this situation is, we will go through known reported vulnerabilities and design weaknesses in large-scale technology companies such as Google, Facebook and Microsoft.
After reviewing these cases, we will focus on our recent research assessing SAP HANA’s User Self Service, part of the flagship computing platform from SAP. This service encloses both user registration and recovery features, and allows SAP HANA users to manage accounts without full authentication. We will start by explaining some basic discovered vulnerabilities, such as user enumeration through mishandled SQL errors, host header injections, SQL injections (which allow the activation of known common users), and predictable recovery tokens.
Finally, we will present the main case study, reviewing an attack that uses a custom JSON injection to trigger an SQL injection that allows an unauthenticated remote attacker to alter user information. By combining different vulnerabilities, we will show how it is possible for potential attackers to hijack the “SYSTEM” user (the fully privileged user), gaining full control of the SAP HANA database and applications.
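As a defensive counterpart to the weaknesses listed above (user enumeration through SQL errors, SQL injection reached through JSON input, and predictable recovery tokens), here is an added Python example that is not from the talk or from SAP: a minimal recovery endpoint over an in-memory SQLite table with constructed data. The table names, the response text and TOKEN_TTL are assumptions for the example.

```python
import hashlib
import hmac
import json
import secrets
import sqlite3
import time

TOKEN_TTL = 900  # seconds a recovery token stays valid (assumed policy, not from the talk)

def setup_db():
    # Constructed in-memory user store standing in for the real account database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(name TEXT PRIMARY KEY, email TEXT)")
    conn.execute("CREATE TABLE reset(name TEXT, token_hash TEXT, expires REAL)")
    conn.execute("INSERT INTO users VALUES ('alice', 'alice@example.test')")
    return conn

def request_reset(conn, body, now=None):
    """Handle a recovery request whose body is raw JSON text.
    Returns (uniform message, token or None); the token would be e-mailed, never echoed."""
    now = time.time() if now is None else now
    try:
        name = json.loads(body).get("user")
    except (ValueError, AttributeError):
        name = None  # malformed body or non-object JSON: treated like an unknown user
    token = None
    if isinstance(name, str):
        # Bound parameter: the JSON value is data, never spliced into the SQL text,
        # so quotes in it cannot change the query or trigger an SQL error.
        row = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchone()
        if row:
            token = secrets.token_urlsafe(32)  # CSPRNG-backed, not derived from time or user id
            conn.execute("INSERT INTO reset VALUES (?, ?, ?)",
                         (row[0], hashlib.sha256(token.encode()).hexdigest(), now + TOKEN_TTL))
    # Identical response whether or not the account exists: no user enumeration.
    return "If the account exists, a recovery link has been sent.", token

def redeem(conn, name, token, now=None):
    """Return True only for an unexpired, single-use token issued to `name`."""
    now = time.time() if now is None else now
    presented = hashlib.sha256(token.encode()).hexdigest()
    rows = conn.execute("SELECT rowid, token_hash, expires FROM reset WHERE name = ?", (name,))
    for rowid, stored, expires in rows.fetchall():
        # Constant-time comparison; only hashes are stored, so a DB leak does not expose live tokens.
        if hmac.compare_digest(stored, presented) and now < expires:
            conn.execute("DELETE FROM reset WHERE rowid = ?", (rowid,))  # single use
            return True
    return False
```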