This lab demonstrates a **critical flaw** in password reset logic: the application **doesn’t verify the reset token** before allowing the password to be changed. This allows an attacker to craft a password reset request for **any user**, bypassing the intended verification step (usually sent via email), and ultimately hijack their account. ##### Step-by-Step Exploitation ###### 🔐 1. Trigger a Legitimate Password Reset (as wiener) - Log in with: ``` Username: wiener Password: peter ``` - Click **"Forgot your password?"** - Submit the username `wiener` --- ###### ✉️ 2. Get the Reset Email - Click the **"Email client"** button - Open the email and click the password reset link - It looks like: ``` https://your-lab-id.web-security-academy.net/forgot-password?temp-forgot-password-token=abc123 ``` - Reset your password to anything you want --- ###### 🛠️ 3. Intercept the Password Change Request - In Burp Suite, go to **Proxy > HTTP history** - Find the POST request that submits the new password: ``` POST /forgot-password?temp-forgot-password-token=abc123 ``` - The body contains: ```x-www-form-urlencoded username=wiener new-password=yournewpass confirm-password=yournewpass temp-forgot-password-token=abc123 ``` ![[CleanShot 2025-05-07 at 12.27.16.png]] --- ###### 🧪 4. Test the Token Logic Send the request to **Burp Repeater**. - **Delete the token** from: - The **URL** (`?temp-forgot-password-token=`) - The **body** (`temp-forgot-password-token=`) - Resend the request. ✅ If it still returns **200 OK** and updates the password, the token is **not being checked**. --- ###### 🎯 5. Exploit It to Reset Carlos’s Password - Trigger another password reset (as wiener) to refresh the UI state - Capture the same kind of POST request in Burp again - In **Burp Repeater**, modify the request: - Remove the `temp-forgot-password-token` from both URL and body - Change the `username` to `carlos` - Set a new password: ```http POST /forgot-password HTTP/1.1 Host: your-lab-id.web-security-academy.net Content-Type: application/x-www-form-urlencoded username=carlos&new-password=hacked123&confirm-password=hacked123 ``` - Send the request. ![[CleanShot 2025-05-07 at 12.43.52.png]] ✅ If successful, Carlos’s password is now set to sth new. --- ###### 🔓 6. Log In as Carlos Go to the login page and authenticate as: ``` Username: carlos Password: pass ``` Click **"My account"** to solve the lab. --- ##### Why It Works - The application provides a reset link with a token (`temp-forgot-password-token`) - However, the server **does not validate** this token when processing the password change - This lets attackers skip the token verification and reset any user’s password just by **changing the `username` parameter** --- ##### Real-World Risks - This kind of vulnerability enables **account takeover** without user interaction - Seen in legacy apps where password reset logic was built without secure token handling - Attackers can automate this to hijack high-value admin or financial accounts