# Password reset poisoning via middleware

## Lab Description

<figure><img src="https://2387347627-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F47EuhANOY5sIuDySBX97%2Fuploads%2F1CahzV7DMhfcvV2kRbeW%2Fimage.png?alt=media&#x26;token=78cbe994-5aac-475c-9c7e-d24d32a9b842" alt=""><figcaption></figcaption></figure>

## Walkthrough

### Step 1: Investigate the Password Reset Functionality

After logging in with our account (`wiener:peter`), we navigate to the password reset functionality. By entering our username or email,

<figure><img src="https://2387347627-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F47EuhANOY5sIuDySBX97%2Fuploads%2FZFBVHyuzi40OTAWxtkva%2Fimage.png?alt=media&#x26;token=fcd737c9-634e-4a6e-9315-41da23785a4e" alt=""><figcaption></figcaption></figure>

### Step 2: Inspecting the Reset Link

Checking our email client, we find a password reset email. The reset link carries a `temp-forgot-password-token` parameter that appears to be unique for each request. Because this token is what authorises the reset, obtaining a victim's token is the goal of the attack.

<figure><img src="https://2387347627-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F47EuhANOY5sIuDySBX97%2Fuploads%2FiE2ow2ijKTONmqeDwnS2%2Fimage.png?alt=media&#x26;token=ed278cce-ff52-4138-ad0f-90cccca9057d" alt=""><figcaption></figcaption></figure>

### Step 3: Testing with X-Forwarded-Host Header

We inspect the `POST` request sent when initiating a password reset. The server builds the reset link from the `Host` header of this request, so we hypothesize that adding an `X-Forwarded-Host` header will let us overwrite the host in the generated link with our exploit server's address.

{% hint style="info" %}
**X-Forwarded-Host** is an HTTP header used to indicate the original `Host` requested by the client when a request passes through a proxy or load balancer. It helps preserve the original host information, especially when the proxy modifies the `Host` header. This is useful for applications that need to know the original host for routing or generating correct URLs. The header should only be trusted when it was set by a known proxy; an application that honours it from arbitrary clients lets the sender choose the host used in the URLs it generates.
{% endhint %}

<figure><img src="https://2387347627-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F47EuhANOY5sIuDySBX97%2Fuploads%2FNIu1sxmYKAe0B7y8pWLX%2Fimage.png?alt=media&#x26;token=80e07c25-210c-4e66-8b23-97cb0851d4a0" alt=""><figcaption></figcaption></figure>

Upon sending this modified request, we receive a `200 OK` response, indicating that the server accepted our header.

<figure><img src="https://2387347627-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F47EuhANOY5sIuDySBX97%2Fuploads%2F00WTIxsV9zZNJdBNDzZp%2Fimage.png?alt=media&#x26;token=584e7e77-6d66-4f61-b61e-43a4e3725077" alt=""><figcaption></figcaption></figure>
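The mechanism being exploited here, as an added example that is not part of the lab or this write-up: a minimal Python reset-link builder that trusts `X-Forwarded-Host` from any client, beside a hardened version that takes the origin from configuration and honours the header only for its own hostnames. The `/forgot-password` path and the hostnames are assumptions.

```python
from typing import Optional
from urllib.parse import quote

# Assumptions (not from the lab): the reset path and the deployment's own hostnames.
RESET_PATH = "/forgot-password"
CANONICAL_HOST = "app.example"
TRUSTED_HOSTS = {"app.example", "www.app.example"}


def _header(headers: dict, name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def build_reset_link_vulnerable(headers: dict, token: str) -> str:
    """Vulnerable pattern: the link origin comes from X-Forwarded-Host (or Host)
    exactly as supplied by whoever sent the request, so the sender controls it."""
    host = _header(headers, "X-Forwarded-Host") or _header(headers, "Host")
    return f"https://{host}{RESET_PATH}?temp-forgot-password-token={quote(token)}"


def forwarded_host_is_trusted(headers: dict) -> bool:
    """True only if X-Forwarded-Host is absent or names our own hosts.
    A comma-separated chain (several proxies) is trusted only if every entry is ours."""
    forwarded = _header(headers, "X-Forwarded-Host")
    if forwarded is None:
        return True
    hosts = [h.strip().lower() for h in forwarded.split(",")]
    return all(h in TRUSTED_HOSTS for h in hosts)


def build_reset_link_hardened(headers: dict, token: str) -> str:
    """Hardened pattern: the origin defaults to configuration, never to the raw
    request. X-Forwarded-Host is honoured only when it names one of our own hosts."""
    host = CANONICAL_HOST
    if forwarded_host_is_trusted(headers):
        forwarded = _header(headers, "X-Forwarded-Host")
        if forwarded:
            host = forwarded.split(",")[0].strip().lower()
    return f"https://{host}{RESET_PATH}?temp-forgot-password-token={quote(token)}"


if __name__ == "__main__":
    # Constructed request headers mirroring the tampered reset request in the lab.
    tampered = {"Host": "app.example", "X-Forwarded-Host": "exploit.example"}
    print(build_reset_link_vulnerable(tampered, "tok"))  # link points at exploit.example
    print(build_reset_link_hardened(tampered, "tok"))    # link stays on app.example
```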

### Step 4: Observing the Manipulated Link

Returning to the email client, we now see a password reset link that contains our exploit server URL instead of the original application URL.

<figure><img src="https://2387347627-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F47EuhANOY5sIuDySBX97%2Fuploads%2FkLZTleyUYm8ECdai2jnF%2Fimage.png?alt=media&#x26;token=f8e2a44a-74a9-4fd8-be3e-687558a613b7" alt=""><figcaption></figcaption></figure>

### Step 5: Verifying the Exploit

After clicking the reset link, we check our exploit server's access log and see a `GET` request carrying the reset token. This confirms that the application builds the reset link from the host we supplied in `X-Forwarded-Host`.

<figure><img src="https://2387347627-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F47EuhANOY5sIuDySBX97%2Fuploads%2F2p2ff9fD48QCi6YkUfTm%2Fimage.png?alt=media&#x26;token=8768acbf-7b24-4cf8-8155-ac28c509a719" alt=""><figcaption></figcaption></figure>

Our next step is to request a token for `carlos`; to do that, we only need to replace our username with his in the request.

<figure><img src="https://2387347627-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F47EuhANOY5sIuDySBX97%2Fuploads%2FnwgCEPB7MmE3n8qRgRQ9%2Fimage.png?alt=media&#x26;token=ae918b8f-1de1-4970-b967-6e1567efb4f6" alt=""><figcaption></figcaption></figure>

### Step 6: Requesting a Token for Carlos

Next, we repeat the process but change the username in the request body to `carlos`. This modification causes the server to generate a reset link for Carlos, which is redirected to our exploit server.

We extract Carlos's `temp-forgot-password-token` from the logs.

<figure><img src="https://2387347627-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F47EuhANOY5sIuDySBX97%2Fuploads%2FYOMsE9iu0KaLt72DfzqO%2Fimage.png?alt=media&#x26;token=9d8ae645-cc94-43c7-8595-b1926e4e7586" alt=""><figcaption></figcaption></figure>

### Step 7: Resetting Carlos's Password

Using the password reset link, we enter a new password for Carlos.

<figure><img src="https://2387347627-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F47EuhANOY5sIuDySBX97%2Fuploads%2FntE5jYiXkVEi7CzxyO0y%2Fimage.png?alt=media&#x26;token=8fa4cd74-ef1c-45de-a5e4-fc67a18d2bdf" alt=""><figcaption></figcaption></figure>

Intercepting the request in Burp Suite, we replace the original token with Carlos's token and send the modified request.

The server processes the request successfully, updating Carlos's password.

<figure><img src="https://2387347627-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F47EuhANOY5sIuDySBX97%2Fuploads%2FKgrD5qaunQKMnWwTFLBk%2Fimage.png?alt=media&#x26;token=f0666328-29f3-4fcb-ae3f-15e04aecc87b" alt=""><figcaption></figcaption></figure>

### Step 8: Logging into Carlos's Account

We use Carlos's username and the newly set password to log into his account. Once logged in, we verify our success by viewing his account details.

<figure><img src="https://2387347627-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F47EuhANOY5sIuDySBX97%2Fuploads%2FNyyGPcwcCHmGZDXlbIqG%2Fimage.png?alt=media&#x26;token=2283f9c2-997a-4c5f-9a57-64149bf8be77" alt=""><figcaption></figcaption></figure>
