Password reset poisoning via middleware

Lab Description

Walkthrough

Step 1: Investigate the Password Reset Functionality

After logging in with our account (wiener:peter), we navigate to the password reset functionality. By entering our username or email,

Visiting our email client, we find the password reset email. Its link carries a temp-forgot-password-token parameter whose value appears to be unique for each request, so this token is the value we need to obtain in order to reset someone else's password.

Step 3: Testing with X-Forwarded-Host Header

We inspect the POST request sent when initiating a password reset. In this request, the server generates a link using the Host header. We hypothesize that using the X-Forwarded-Host header will allow us to overwrite the default host with our exploit server's address.

X-Forwarded-Host is an HTTP header used to indicate the original Host requested by the client when a request passes through a proxy or load balancer. It helps preserve the original host information, especially when the proxy modifies the Host header. This is useful for applications that need to know the original host for routing or generating correct URLs.
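To make the mechanism concrete, the following added example (not the lab's code; all hosts and the token are constructed stand-ins) shows reset-link generation that trusts X-Forwarded-Host next to a hardened version that builds the link from a configured canonical host, plus a small check over constructed access-log lines that surfaces reset requests carrying an unexpected forwarded host.

```python
from urllib.parse import urlencode

# Constructed sample values (not from the lab): the legitimate site, and a
# stand-in for the temp-forgot-password-token parameter.
CANONICAL_HOST = "vulnerable-website.example"
ALLOWED_HOSTS = {CANONICAL_HOST}
TOKEN = "constructed-token-1234"

def reset_link_vulnerable(headers: dict, token: str) -> str:
    """The flaw the lab exercises: the middleware honours X-Forwarded-Host, so
    whoever sends the reset request chooses the host the victim's link points at."""
    host = headers.get("X-Forwarded-Host") or headers["Host"]
    query = urlencode({"temp-forgot-password-token": token})
    return f"https://{host}/forgot-password?{query}"

def reset_link_hardened(headers: dict, token: str) -> str:
    """Fix: the link origin comes from server-side configuration, never from the
    request. A forwarded host outside the allow-list is rejected so the attempt
    shows up in error logs instead of silently succeeding."""
    forwarded = headers.get("X-Forwarded-Host")
    if forwarded is not None and forwarded.split(":")[0].lower() not in ALLOWED_HOSTS:
        raise ValueError(f"rejected X-Forwarded-Host: {forwarded!r}")
    query = urlencode({"temp-forgot-password-token": token})
    return f"https://{CANONICAL_HOST}/forgot-password?{query}"

def flag_poisoning_attempts(log_lines: list[str]) -> list[str]:
    """Detection over constructed access-log lines shaped like
    'METHOD PATH host=<Host> xfh=<X-Forwarded-Host or ->'. Returns the forwarded
    hosts seen on password-reset requests that are not on the allow-list."""
    suspicious = []
    for line in log_lines:
        parts = line.split()
        fields = dict(f.split("=", 1) for f in parts[2:])
        xfh = fields.get("xfh", "-")
        if parts[1].startswith("/forgot-password") and xfh != "-" \
                and xfh.split(":")[0].lower() not in ALLOWED_HOSTS:
            suspicious.append(xfh)
    return suspicious

if __name__ == "__main__":
    # Constructed request: Host is legitimate, X-Forwarded-Host is attacker-chosen.
    headers = {"Host": CANONICAL_HOST, "X-Forwarded-Host": "exploit-server.example"}
    print("vulnerable:", reset_link_vulnerable(headers, TOKEN))
    try:
        reset_link_hardened(headers, TOKEN)
    except ValueError as exc:
        print("hardened:", exc)
```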

Upon sending this modified request, we receive a 200 OK response, indicating that the server accepted our header.

Returning to the email client, we now see a password reset link that points at our exploit server URL instead of the original application URL.

Step 5: Verifying the Exploit

After clicking the reset link, we return to our exploit server logs and see a GET request for the reset link arriving at our exploit server. This proves that the server's link generation has been successfully manipulated.

Our next step is to request a token for carlos; to do that, we only need to replace our username with his.

Step 6: Requesting a Token for Carlos

Next, we repeat the process but change the username in the request body to carlos. This causes the server to generate a reset link for Carlos that points at our exploit server, so his token lands in our logs when the link is followed.

We extract Carlos's temp-forgot-password-token from the logs.

Step 7: Resetting Carlos's Password

Using the password reset link, we enter a new password for Carlos.

Intercepting the request in Burp Suite, we replace the original token with Carlos's token and send the modified request.

The server processes the request successfully, updating Carlos's password.

Step 8: Logging into Carlos's Account

We use Carlos's username and the newly set password to log into his account. Once logged in, we verify our success by viewing his account details.
