Daemon Of Hacking
  • WELCOME!
    • 👋/home/usr/KruKnight
  • METHODOLOGIES & RESOURCES
    • Passwords & Attacks
    • Post Exploitation
      • 👀Situational Awareness
      • 🖥️Privilege Escalation
        • Linux Privilege Escalation
        • Windows Privilege Escalation
  • Writeups
    • CyCtf 2024
      • Vending Machine
      • Aerospace
      • OhMyCell
    • Portswigger Labs
      • Authentication
        • Username enumeration via different responses
        • 2FA simple bypass
        • Password reset broken logic
        • Username enumeration via subtly different responses
        • Username enumeration via response timing
        • Broken Brute-Force Protection, IP Block
        • Username enumeration via account lock
        • 2FA broken logic
        • Brute-forcing a stay-logged-in cookie
        • Offline password cracking
        • Password reset poisoning via middleware
        • Password brute-force via password change
        • Broken brute-force protection, multiple credentials per request
      • Os Command Injection
        • OS command injection, simple case
        • Blind OS command injection with time delays
        • Blind OS command injection with output redirection
        • Blind OS command injection with out-of-band interaction
        • Blind OS command injection with out-of-band data exfiltration
      • Cross-Origin Resource Sharing (CORS)
        • CORS vulnerability with basic origin reflection
        • CORS vulnerability with trusted null origin
        • CORS vulnerability with trusted insecure protocols
      • Server-side template injection
        • Basic server-side template injection
        • Basic server-side template injection (code context)
      • Server-Side Request Forgery (SSRF)
        • Basic SSRF against the local server
        • Basic SSRF against another back-end
        • Blind SSRF with out-of-band detection
        • SSRF with blacklist-based input filter
        • SSRF with filter bypass via open redirection vulnerability
      • Path Traversal
  • 🟩HTB Writeups
    • Heal
Powered by GitBook
On this page
  • Lab Description
  • Walkthrough
  • Step 1: Investigate the Password Reset Functionality
  • Step 2: Inspecting the Reset Link
  • Step 3: Testing with X-Forwarded-Host Header
  • Step 4: Observing the Manipulated Link
  • Step 5: Verifying the Exploit
  • Step 6: Requesting a Token for Carlos
  • Step 7: Resetting Carlos's Password
  • Step 8: Logging into Carlos's Account

Was this helpful?

  1. Writeups
  2. Portswigger Labs
  3. Authentication

Password reset poisoning via middleware

PreviousOffline password crackingNextPassword brute-force via password change

Last updated 5 months ago

Was this helpful?

Lab Description

Walkthrough

Step 1: Investigate the Password Reset Functionality

After logging in with our account (wiener:peter), we navigate to the password reset functionality. By entering our username or email,

Step 2: Inspecting the Reset Link

Visiting our Email client, we receive an email containing a link with a temp-forgot-password-token parameter. We find a password reset email. The reset link contains a temp-forgot-password-token that appears to be unique for each request. Observing this behavior confirms that we need to manipulate this token.

Step 3: Testing with X-Forwarded-Host Header

We inspect the POST request sent when initiating a password reset. In this request, the server generates a link using the Host header. We hypothesize that using the X-Forwarded-Host header will allow us to overwrite the default host with our exploit server's address.

X-Forwarded-Host is an HTTP header used to indicate the original Host requested by the client when a request passes through a proxy or load balancer. It helps preserve the original host information, especially when the proxy modifies the Host header. This is useful for applications that need to know the original host for routing or generating correct URLs.

Upon sending this modified request, we receive a 200 OK response, indicating that the server accepted our header.

Step 4: Observing the Manipulated Link

  • Return to the email client. You will now see a password reset link that includes your exploit server URL instead of the original application URL.

Step 5: Verifying the Exploit

After clicking on the reset link, returning to our exploit server logs, we see a GET request containing the reset link directed to our exploit server. This proves that the server has been successfully manipulated.

Now our next step is to request a token for carlos, to do that we just need to change our username with his

Step 6: Requesting a Token for Carlos

Next, we repeat the process but change the username in the request body to carlos. This modification causes the server to generate a reset link for Carlos, which is redirected to our exploit server.

We extract Carlos's temp-forgot-password-token from the logs.

Step 7: Resetting Carlos's Password

Using the password reset link, we enter a new password for Carlos.

Intercepting the request in Burp Suite, we replace the original token with Carlos's token and send the modified request.

The server processes the request successfully, updating Carlos's password.

Step 8: Logging into Carlos's Account

We use Carlos's username and the newly set password to log into his account. Once logged in, we verify our success by viewing his account details.