This lab demonstrates a **critical flaw** in password reset logic: the application **doesn’t verify the reset token** before allowing the password to be changed. This allows an attacker to craft a password reset request for **any user**, bypassing the intended verification step (usually sent via email), and ultimately hijack their account.
##### Step-by-Step Exploitation
###### 🔐 1. Trigger a Legitimate Password Reset (as wiener)
- Log in with:
```
Username: wiener
Password: peter
```
- Click **"Forgot your password?"**
- Submit the username `wiener`
---
###### ✉️ 2. Get the Reset Email
- Click the **"Email client"** button
- Open the email and click the password reset link
- It looks like:
```
https://your-lab-id.web-security-academy.net/forgot-password?temp-forgot-password-token=abc123
```
- Reset your password to anything you want
---
###### 🛠️ 3. Intercept the Password Change Request
- In Burp Suite, go to **Proxy > HTTP history**
- Find the POST request that submits the new password:
```
POST /forgot-password?temp-forgot-password-token=abc123
```
- The body contains:
```x-www-form-urlencoded
username=wiener
new-password=yournewpass
confirm-password=yournewpass
temp-forgot-password-token=abc123
```
![[CleanShot 2025-05-07 at 12.27.16.png]]
---
###### 🧪 4. Test the Token Logic
Send the request to **Burp Repeater**.
- **Delete the token** from:
- The **URL** (`?temp-forgot-password-token=`)
- The **body** (`temp-forgot-password-token=`)
- Resend the request.
✅ If it still returns **200 OK** and updates the password, the token is **not being checked**.
---
###### 🎯 5. Exploit It to Reset Carlos’s Password
- Trigger another password reset (as wiener) to refresh the UI state
- Capture the same kind of POST request in Burp again
- In **Burp Repeater**, modify the request:
- Remove the `temp-forgot-password-token` from both URL and body
- Change the `username` to `carlos`
- Set a new password:
```http
POST /forgot-password HTTP/1.1
Host: your-lab-id.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
username=carlos&new-password=hacked123&confirm-password=hacked123
```
- Send the request.
![[CleanShot 2025-05-07 at 12.43.52.png]]
✅ If successful, Carlos’s password is now set to sth new.
---
###### 🔓 6. Log In as Carlos
Go to the login page and authenticate as:
```
Username: carlos
Password: pass
```
Click **"My account"** to solve the lab.
---
##### Why It Works
- The application provides a reset link with a token (`temp-forgot-password-token`)
- However, the server **does not validate** this token when processing the password change
- This lets attackers skip the token verification and reset any user’s password just by **changing the `username` parameter**
---
##### Real-World Risks
- This kind of vulnerability enables **account takeover** without user interaction
- Seen in legacy apps where password reset logic was built without secure token handling
- Attackers can automate this to hijack high-value admin or financial accounts