Password reset broken logic
To access the lab click on the following link:
This lab’s password reset functionality is vulnerable. To solve the lab, reset Carlos’s password then log in and access his “My account” page.
- Your credentials:
wiener:peter
- Victim’s username:
carlos
Click the “Access the lab” button to open the lab’s homepage.
On the lab homepage we can see the “My account” option. Let’s open it.
We get a login page. We know the credentials of one account (wiener:peter), so let’s first reset the password for that account and observe how the password reset functionality works end to end.
Let’s enter the correct username and click the “Forgot password?” link.
The reset form asks for an email address or username. Let’s provide the username wiener and hit the “Submit” button.
It says to check our email for a password reset link. The lab provides an “Email client” button at the top of the page, so let’s click it and see what we have received.
In the email client we have received a password reset link. Let’s click it and change our password.
Following the link lets us set a new password for our account “wiener”. Let’s use an easy password, “12345”, and click submit.
On submitting the new password we are redirected to the lab’s homepage with no error message, which means the password was changed successfully.
We can see the captured request in Burp’s Proxy history tab. It is a POST request, so let’s examine its response in Repeater: right-click the request and choose “Send to Repeater”.
In the Repeater tab we can see that the request body contains a “temp-forgot-password-token”, a “username” and a “new-password” field.
Let’s remove the token parameter from the request and send it again to check whether we get the same response, and yes, we get the same response.
So we tested the password reset functionality by removing the token from the password reset request and observing the server’s response. Surprisingly, the server responded exactly as it did with the token present.
This behaviour indicates a critical flaw: the token, which is supposed to prove that the person submitting the form is the one who received the reset email, is not validated by the server at all. Instead, the server decides which account to update from the client-supplied “username” field. Because that field is entirely under our control, we (as an attacker) can reset the password of any user account without authorization.
So, let’s change the username from wiener to the victim’s username (carlos) in the same request and click “Send”. You could also change the password, but here I am keeping the same easy password (12345).
We get the same response, which means we have successfully reset carlos’s password.
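To make the broken logic concrete, here is an added example (my own code, not part of the original walkthrough or of the PortSwigger lab) that simulates the reset endpoint in pure Python. `vulnerable_reset` reproduces the behaviour observed above: it trusts the “username” field and never looks at the token, so deleting the token and swapping in carlos succeeds. `hardened_reset` shows the fix: the account is derived from a single-use token, and the username field is only cross-checked. The user store, the token helper `issue_reset_token`, the request builder `build_reset_body` and the field names are assumptions chosen to match the walkthrough; carlos’s real password is unknown, so it is a placeholder.

```python
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode

# Constructed in-memory user store standing in for the lab's back end.
# Passwords are plaintext only to keep the example short; a real system
# stores salted hashes. carlos's password is a placeholder (unknown to us).
USERS: Dict[str, str] = {"wiener": "peter", "carlos": "<unknown-to-attacker>"}

# Reset tokens issued when the "Forgot password?" email is sent: token -> owner.
RESET_TOKENS: Dict[str, str] = {}


def issue_reset_token(username: str) -> str:
    """Mint the token that the reset email would carry (hypothetical helper)."""
    token = secrets.token_hex(16)
    RESET_TOKENS[token] = username
    return token


def build_reset_body(username: str, new_password: str, token: Optional[str] = None) -> str:
    """Build the form-encoded POST body as it appears in Burp Repeater.

    token=None reproduces the walkthrough's step of deleting the
    temp-forgot-password-token parameter from the request.
    """
    fields = {}
    if token is not None:
        fields["temp-forgot-password-token"] = token
    fields["username"] = username
    fields["new-password"] = new_password
    return urlencode(fields)


def _parse_form(body: str) -> Dict[str, str]:
    # Keep only the first value of each field, like a typical form handler.
    return {k: v[0] for k, v in parse_qs(body).items()}


def vulnerable_reset(body: str) -> Tuple[int, str]:
    """Broken logic (what the lab does): the account that receives the new
    password is taken from the client-supplied username; the token is ignored."""
    form = _parse_form(body)
    username = form.get("username")
    new_password = form.get("new-password")
    if username not in USERS or not new_password:
        return 400, "bad request"
    USERS[username] = new_password
    return 302, "/"  # redirect to the homepage, as the lab does


def hardened_reset(body: str) -> Tuple[int, str]:
    """Fixed logic: the account is derived from a valid, single-use token;
    the username field is only cross-checked, never trusted on its own."""
    form = _parse_form(body)
    token = form.get("temp-forgot-password-token")
    new_password = form.get("new-password")
    owner = RESET_TOKENS.get(token) if token else None
    if owner is None:
        return 400, "invalid or expired token"
    if form.get("username") not in (None, owner):
        return 400, "token does not belong to this user"
    if not new_password:
        return 400, "missing password"
    del RESET_TOKENS[token]  # single use: the link dies once consumed
    USERS[owner] = new_password
    return 302, "/"


if __name__ == "__main__":
    # Replay the walkthrough against both implementations.
    token = issue_reset_token("wiener")
    print("legit reset        :", vulnerable_reset(build_reset_body("wiener", "12345", token)))
    print("token removed      :", vulnerable_reset(build_reset_body("wiener", "12345")))
    print("username -> carlos :", vulnerable_reset(build_reset_body("carlos", "12345")),
          "| carlos password is now", USERS["carlos"])
    token = issue_reset_token("wiener")
    print("hardened, as carlos:", hardened_reset(build_reset_body("carlos", "12345", token)))
    print("hardened, no token :", hardened_reset(build_reset_body("carlos", "12345")))
```

The design point is that the token must be the only thing that identifies which account is being reset; any account identifier the client can type into the form is attacker-controlled. Deleting the token from the forged request is also a useful first check on any reset form, because an endpoint that behaves identically with and without it cannot be validating it.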
Let’s verify it: go back to the “My account” option on the lab’s homepage.
Fill in the credentials carlos:12345 and click the “Log in” button.
We are logged in as carlos and the lab is marked as solved.
Congratulations! The walkthrough of the third authentication lab finishes here.
You can see the walkthrough of the fourth lab by clicking the following link: