June 12, 2026
Aman Sharma
4 min read
Bug Bounty Bootcamp #45: Token? What Token? — How Leaky APIs and Reset Flows Hand You Admin on a Silver Platter
You found a password reset that leaks the magic token in the API response. Or worse — the devs left an endpoint that just gives you anyone's reset code. Grab your popcorn, we're about to take over accounts without even brute-forcing.
Welcome back, you magnificent bug-hunting gremlin. You've already learned to brute-force OTPs and find hidden registration pages. But sometimes, the universe (and lazy developers) just gives you the keys. No guessing. No wordlists. Just a juicy API response that whispers "resetToken": "secret123" in your ear.
Today, we're hunting leaked reset tokens, misconfigured API endpoints, and forged password reset requests that let you slip into any account like a digital ninja.
1. The "Oops, I Leaked the Reset Token" Vulnerability
Imagine this: You click "Forgot Password" for the user admin. The app says "Reset link sent." But you, being a suspicious little hacker, check the API response in Burp.
Instead of a boring {"status": "ok"}, you see:
{"status": "password reset generated", "resetToken": "a1b2c3d4e5f6", "userId": 1}
Wait. What? They just gave you the token? No email required? Jackpot.
But where do you use it? That's the next puzzle.
The Hunter's Move:
- Look for a password reset endpoint like /reset, /reset-password, /api/auth/reset.
- Try GET /reset?token=a1b2c3d4e5f6 or POST /reset with {"token": "a1b2c3d4e5f6", "new_password": "hacked123"}.
- Fuzz for the correct path using FFUF or Burp Intruder.
In the course lab, the token was leaked, but the reset page wasn't obvious. A quick FFUF scan on /reset revealed /reset?token= – and boom, password changed.
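What the lab's leaky endpoint should have looked like, as an added example written for this post (not the course's code or any real application's): the handler stores only a hash of a random token, hands the raw token to the mailer for the address already on file, and returns the same generic body whether or not the username exists. The user table, reset table, mail queue and reset URL are in-memory stand-ins I constructed.

```python
import hashlib
import secrets
import time

# Constructed in-memory stand-ins for the user table, the reset table and the mail queue.
USERS = {"admin": {"id": 1, "email": "admin@example.com"}}
RESET_STORE = {}   # sha256(token) -> {"user_id": ..., "expires": ...}
OUTBOX = []        # (recipient, message) pairs handed to the mailer
TOKEN_TTL_SECONDS = 15 * 60
GENERIC_RESPONSE = {"status": "If that account exists, a reset link has been sent."}


def _hash_token(token):
    # Only the digest is stored, so a database dump or a leaky user endpoint
    # never yields a token that can be replayed against /reset.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(username, now=None):
    """'Forgot password' handler. Returns the JSON body the API sends back."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is not None:
        token = secrets.token_urlsafe(32)   # 256 random bits: not guessable, not enumerable
        RESET_STORE[_hash_token(token)] = {"user_id": user["id"],
                                           "expires": now + TOKEN_TTL_SECONDS}
        # The raw token exists only inside the message to the address already on file.
        OUTBOX.append((user["email"], f"https://app.example.com/reset?token={token}"))
    # Identical body for known and unknown usernames: no token, no user id,
    # and nothing that confirms whether the account exists.
    return dict(GENERIC_RESPONSE)


def complete_reset(token, new_password, now=None):
    """Consume a token from the emailed link. Returns the user id on success, None otherwise."""
    now = time.time() if now is None else now
    # pop() makes the token single use: a replayed link finds nothing, and an
    # expired entry is discarded on first touch instead of lingering.
    entry = RESET_STORE.pop(_hash_token(token), None)
    if entry is None or now > entry["expires"]:
        return None
    # set_password(entry["user_id"], new_password) would go here (omitted in this stand-in)
    return entry["user_id"]
```

The response body is the part the post is about: it carries no token and no user id, and it is byte-identical for an unknown username, so the API gives away nothing to a Burp-watching tester. The hashed store is the second layer, covering the next section's scenario where a different endpoint dumps the user record.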
2. When the API Dumps Everyone's Reset Tokens (Yes, Really)
This is the holy grail. You find an endpoint like /api/users/3 that returns user details – and somewhere in there, a passwordResetToken field.
Real story from the instructor: On a bug bounty, he found that the API /api/user/{id} returned the user's full profile, including their active password reset token. He requested a reset for his own account, saw the token appear in the API response, then tried the same endpoint for user/2 (admin). The token was there. He used it to reset the admin's password. Critical account takeover.
How to find these:
- After triggering a password reset on your own account, check every API endpoint you have access to — profile, settings, user list.
- Look for fields like reset_token, password_reset_token, recovery_token, confirmation_token.
- If you see your token, try the same endpoint with a different user ID (IDOR style).
Pro tip: Sometimes the token is hidden unless you add a parameter like ?include_reset_token=true or ?full=true. Fuzz for those too.
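The defender's answer to an endpoint that dumps passwordResetToken is twofold: serialize with an allowlist so the column cannot reach the wire at all, and scan response bodies for token-like keys in the API test suite so a regression is caught before a bounty report is. This is an added Python example for this post, not code from the instructor or from any real API; the user row, the allowlist and the check helper are constructed, and the key regex covers the field names listed in the bullets above plus their camelCase forms.

```python
import json
import re

# Constructed user row as an ORM might load it: the reset-token column sits
# right beside the public profile fields, which is how it ends up in a response.
USER_ROW = {
    "id": 2,
    "username": "admin",
    "email": "admin@example.com",
    "password_hash": "$argon2id$example",
    "password_reset_token": "a1b2c3d4e5f6",
    "reset_token_expires": "2026-06-12T10:15:00Z",
}

# Allowlist for /api/users/{id}: anything not named here is never emitted, so a
# column added next year does not silently start leaking.
PUBLIC_PROFILE_FIELDS = ("id", "username", "email")

# Key names that should never appear in a response body (case-insensitive, so
# resetToken and passwordResetToken are caught as well as reset_token).
SENSITIVE_KEY = re.compile(
    r"(?i)(reset|recovery|confirmation)[_-]?(token|code)|password[_-]?hash|secret"
)


def serialize_profile(row):
    # Allowlist, not denylist: unknown columns stay out by default.
    return {k: row[k] for k in PUBLIC_PROFILE_FIELDS if k in row}


def find_sensitive_fields(body, path="$"):
    """Walk a decoded JSON body and return JSONPath-style locations of keys whose
    names match SENSITIVE_KEY. Nested objects and arrays are searched too, so a
    user list or an embedded profile object is covered."""
    hits = []
    if isinstance(body, dict):
        for key, value in body.items():
            here = f"{path}.{key}"
            if SENSITIVE_KEY.search(key):
                hits.append(here)
            hits.extend(find_sensitive_fields(value, here))
    elif isinstance(body, list):
        for i, value in enumerate(body):
            hits.extend(find_sensitive_fields(value, f"{path}[{i}]"))
    return hits


def check_response(raw_json):
    """Helper for an API test suite: returns the leaking key paths, empty when clean."""
    return find_sensitive_fields(json.loads(raw_json))
```

Running check_response over every endpoint's body after triggering a reset on a test account mirrors the hunter's move in the bullets above, only from inside CI. The pro tip about ?include_reset_token=true is exactly why the allowlist matters more than the scanner: a parameter that widens the serializer cannot add a field the allowlist never contained.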
3. Forging the Reset Request — Injecting Your Own Email
Sometimes you can't steal a token, but you can trick the app into sending the reset link to your email instead of the victim's.
Classic method: The app sends a POST request like {"email": "victim@example.com"}. Can you change it to {"email": ["victim@example.com", "attacker@example.com"]} (array)?
Real CVE example (GitLab): A few years ago, GitLab had a password reset vulnerability where you could add a second email address as an array parameter. The system would send reset links to both emails — including the attacker's.
What to test:
- Try email=victim@example.com&email=attacker@example.com
- Try email[]=victim@example.com&email[]=attacker@example.com
- Try JSON array: {"email": ["victim@example.com", "attacker@example.com"]}
- Try adding a CC or BCC parameter if the app uses email headers.
The lab example: The instructor found that adding an extra parameter email2=attacker@domain.com worked. The system sent the reset to both addresses.
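Every variant in the list above, and the lab's email2 trick, is the same bug: the server accepts a body shape it never meant to and merges whatever arrives. This added Python example (mine, not the lab's code and not GitLab's fix) parses the reset request strictly for both form and JSON bodies: duplicate keys, array keys, JSON arrays and any field other than a single string email are rejected instead of silently accepted. The content types, field names and the is_rejected helper are assumptions of the example.

```python
import json
import re
from urllib.parse import parse_qsl

# One address, no separators: rules out "a@x.com,b@y.com" and header-style lists.
EMAIL_RE = re.compile(r"^[^@\s,;<>]+@[^@\s,;<>]+\.[^@\s,;<>]+$")


class BadRequest(ValueError):
    """Raised for any body shape other than exactly one string 'email' field."""


def _reject_duplicates(pairs):
    # Used both as the JSON object_pairs_hook and for form pairs, so
    # email=a&email=b and {"email": "a", "email": "b"} fail the same way
    # instead of one side winning silently.
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise BadRequest(f"duplicate field: {key}")
        obj[key] = value
    return obj


def extract_reset_email(content_type, body):
    """Return the single normalized address from a reset request, or raise BadRequest."""
    if content_type == "application/json":
        try:
            data = json.loads(body, object_pairs_hook=_reject_duplicates)
        except json.JSONDecodeError as exc:
            raise BadRequest("malformed JSON") from exc
        if not isinstance(data, dict):
            raise BadRequest("expected a JSON object")
    elif content_type == "application/x-www-form-urlencoded":
        data = _reject_duplicates(parse_qsl(body, keep_blank_values=True))
    else:
        raise BadRequest("unsupported content type")

    # Strict schema: exactly the key "email". email[], email2, cc, bcc and any
    # other extra field are rejected rather than ignored.
    if set(data) != {"email"}:
        raise BadRequest("exactly one 'email' field is required")
    email = data["email"]
    if not isinstance(email, str) or not EMAIL_RE.match(email):
        raise BadRequest("email must be a single address")
    return email.strip().lower()


def is_rejected(content_type, body):
    """True when the body is refused; convenient for table-driven tests."""
    try:
        extract_reset_email(content_type, body)
    except BadRequest:
        return True
    return False
```

Even with strict parsing, the address returned here should only be used to look the account up; the reset mail goes to the address stored on that account, never to the request value, so a parser gap cannot become a redirected link.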
4. When the Reset Page Is Hidden — Go Fuzzing
You have a leaked token, but no /reset page. Time to play hide-and-seek.
Use FFUF:
ffuf -u https://target.com/FUZZ -w /path/to/words.txt | grep -E "reset|token|password"
Or fuzz inside a directory: https://target.com/api/auth/FUZZ
In the course, the instructor found /reset by fuzzing for reset, forgot, recover, password-reset. Then he appended ?token= and – success.
Pro tip: Also check the JavaScript files. Sometimes the frontend defines the reset route (e.g., Router.path('/reset/:token')).
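From the blue-team side, an FFUF run like the one above is loud: one client producing dozens of distinct 404 paths under a single prefix inside a minute. This added example for this post (not from the course) parses combined-log-format access log lines and keeps a sliding window of missing paths per client, flagging anyone who crosses a threshold. The log lines are constructed, with 198.51.100.7 standing in for the scanner and 203.0.113.9 for an ordinary user; the window and threshold are assumptions to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined-log-format line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def _build_sample_log():
    """Constructed sample, not a real capture: one client walking a wordlist
    under /api/auth/ (one hit, the rest 404), one ordinary client using the app."""
    words = ["reset", "forgot", "recover", "password-reset", "login", "logout",
             "signup", "verify", "otp", "token", "session", "refresh", "me",
             "users", "admin", "config", "debug", "health", "status", "v1",
             "v2", "oauth", "sso", "magic", "link"]
    lines = []
    for i, word in enumerate(words):
        code = 200 if word == "reset" else 404
        lines.append(f'198.51.100.7 - - [12/Jun/2026:10:00:{i:02d} +0000] '
                     f'"GET /api/auth/{word} HTTP/1.1" {code} 153')
    lines.append('203.0.113.9 - - [12/Jun/2026:10:00:05 +0000] "GET /api/auth/login HTTP/1.1" 200 512')
    lines.append('203.0.113.9 - - [12/Jun/2026:10:00:09 +0000] "GET /api/auth/profile HTTP/1.1" 404 153')
    return lines


SAMPLE_LOG = _build_sample_log()


def parse_line(line):
    """Return (ip, timestamp, path, status) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])


def detect_path_fuzzing(lines, window_seconds=60, threshold=15):
    """Return {ip: distinct_404_paths} for clients that request at least `threshold`
    distinct missing paths inside any window of `window_seconds`. A sliding window
    per client means a scan that straddles a minute boundary is still caught."""
    recent = defaultdict(deque)   # ip -> deque of (ts, path) for 404 responses
    flagged = {}
    events = [e for e in (parse_line(line) for line in lines) if e]
    events.sort(key=lambda e: e[1])
    for ip, ts, path, status in events:
        if status != 404:
            continue
        window = recent[ip]
        window.append((ts, path))
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        distinct = {p for _, p in window}
        if len(distinct) >= threshold:
            flagged[ip] = max(len(distinct), flagged.get(ip, 0))
    return flagged
```

Two caveats worth keeping in mind: an unlisted route was never a control, so the /reset handler has to validate the token fully whether it is found by fuzzing or by reading Router.path('/reset/:token') out of the frontend bundle; and a single-IP window misses scans spread across many source addresses, which is where per-path-prefix rates or a WAF's own bot signals come in.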
The Complete "Gimme Your Account" Checklist
Final Boss Wisdom
Password reset flows are chaos magnets. Devs rush them, forget to validate ownership, or accidentally expose tokens. Your job is to poke every corner — the response body, the request parameters, the array handling, the hidden endpoints.
And when you find that one API that dumps resetToken for user admin? That's not a bug. That's a retirement fund.
Now go reset some passwords (ethically, of course). And when you get that 200 OK after changing the admin's password, do a little victory dance. You've earned it.
Liked this chaos? Smash that clap button 50 times (it's free therapy), drop a comment with your wildest password reset story, and highlight the part that made you go "wait, that actually works?"
Your feedback keeps this train rolling.
— Your friendly neighborhood account takeover artist 🕵️‍♂️💸
P.S. If you're a dev reading this — please, for the love of all that is holy, don't return reset tokens in your API responses. We will find them. And we will laugh.