Lab: Password reset poisoning via middleware

Lab: Password reset poisoning via middleware

Ohekpeje Joel Odey's photo
Ohekpeje Joel Odey
·

2 min read

Lab Scenario: Our mission is to investigate and exploit the password reset functionality of a simulated web application, demonstrating the risks associated with insecure implementations. Let's navigate through the solution using Burp Suite:

  1. Exploring Password Reset Functionality:

    • With Burp running, investigate the password reset functionality.

    • Observe that a unique reset token is sent via email as part of the reset link.

  2. Inspecting the Reset Request:

    • Send the POST /forgot-password request to Burp Repeater.

    • Notice the support for the X-Forwarded-Host header, enabling manipulation of the dynamically generated reset link.

  3. Setting Up the Exploit Server:

    • Go to the exploit server and make a note of your exploit server URL.

  4. Manipulating the Reset Link:

    • Go back to the request in Burp Repeater and add the X-Forwarded-Host header with your exploit server URL:

        makefileCopy codeX-Forwarded-Host: YOUR-EXPLOIT-SERVER-ID.exploit-server.net

    • Change the username parameter to "carlos" and send the request.

  5. Capturing the Reset Token:

    • Go to the exploit server and open the access log. Identify the GET /forgot-password request containing the victim's token as a query parameter. Make a note of this token.

  6. Exploiting the Password Reset Link:

    • Go back to your email client and copy the valid password reset link (not the one pointing to the exploit server).

    • Paste this link into the browser and change the value of the temp-forgot-password-token parameter to the stolen victim's token.

    • Load this URL and set a new password for Carlos's account.

  7. Solving the Lab:

    • Log in to Carlos's account using the new password to successfully solve the lab.

Conclusion: This hands-on lab provides practical insights into the potential vulnerabilities associated with password reset functionalities. By following this step-by-step guide, users can enhance their understanding of secure password reset implementations and contribute to a safer online environment. Stay informed, keep learning, and continue exploring the dynamic field of cybersecurity to fortify the defenses of digital systems.

Reference:

https://portswigger.net/web-security/authentication/other-mechanisms/lab-password-reset-poisoning-via-middleware

websecurityportswiggerBurpsuite #cybersecurityhandsonApplication Security