Skip to main content
HashnodeCyberVisions with Joel O.CyberVisions with Joel O.

Command Palette

Search for a command to run...

Lab: Password reset poisoning via middleware

Published
2 min read
Lab: Password reset poisoning via middleware
O
Ohekpeje Joel Odey

Cybersecurity professional sharing insights on securing ecosystems, exploring cloud tech, and simplifying concepts for pros, enthusiasts, and beginners alike.

Part of seriesPortSwigger Authentication Labs

Lab Scenario: Our mission is to investigate and exploit the password reset functionality of a simulated web application, demonstrating the risks associated with insecure implementations. Let's navigate through the solution using Burp Suite:

  1. Exploring Password Reset Functionality:

    • With Burp running, investigate the password reset functionality.

    • Observe that a unique reset token is sent via email as part of the reset link.

  2. Inspecting the Reset Request:

    • Send the POST /forgot-password request to Burp Repeater.

    • Notice the support for the X-Forwarded-Host header, enabling manipulation of the dynamically generated reset link.

  3. Setting Up the Exploit Server:

    • Go to the exploit server and make a note of your exploit server URL.

  4. Manipulating the Reset Link:

    • Go back to the request in Burp Repeater and add the X-Forwarded-Host header with your exploit server URL:

        makefileCopy codeX-Forwarded-Host: YOUR-EXPLOIT-SERVER-ID.exploit-server.net

    • Change the username parameter to "carlos" and send the request.

  5. Capturing the Reset Token:

    • Go to the exploit server and open the access log. Identify the GET /forgot-password request containing the victim's token as a query parameter. Make a note of this token.

  6. Exploiting the Password Reset Link:

    • Go back to your email client and copy the valid password reset link (not the one pointing to the exploit server).

    • Paste this link into the browser and change the value of the temp-forgot-password-token parameter to the stolen victim's token.

    • Load this URL and set a new password for Carlos's account.

  7. Solving the Lab:

    • Log in to Carlos's account using the new password to successfully solve the lab.

Conclusion: This hands-on lab provides practical insights into the potential vulnerabilities associated with password reset functionalities. By following this step-by-step guide, users can enhance their understanding of secure password reset implementations and contribute to a safer online environment. Stay informed, keep learning, and continue exploring the dynamic field of cybersecurity to fortify the defenses of digital systems.

Reference:

https://portswigger.net/web-security/authentication/other-mechanisms/lab-password-reset-poisoning-via-middleware

#websecurity#portswigger#burpsuite#cybersecurity-1#handson#application-security
41 views

Comments

Join the discussion

No comments yet. Be the first to comment.

PortSwigger Authentication Labs

Part 2 of 7

Throughout this series, I'll explore the effective utilization of the Burp Suite application from PortSwigger Academy, offering valuable insights into honing reconnaissance and analysis skills.

Up next

Lab: Username enumeration via response timing

Introduction: In the intricate world of web security, identifying vulnerabilities is a skill every cybersecurity enthusiast must hone. This blog post unravels a fascinating lab exercise that delves into the subtleties of username enumeration, showcas...

More from this blog

C

CyberVisions with Joel O.

61 posts

Azure | Cyber Security | Risk Management