Portswigger writeup - Password reset poisoning via middleware

Lab: Password reset poisoning via middleware

To solve this lab, you have to mix different techniques seen in the previous labs of the same series in order to steal, once again, the cookie of this unfortunate Carlos.

1. On the home page, click “My account

   

2. Then, click “Forgot password”

   

3. Enter your username, “wiener” and click “Submit”

   

4. Access the email client through the exploit server (take the opportunity to keep the exploit server’s URL on a notepad for later)

   

   

5. Click the link

   

6. Enter twice a password (kept “peter” in this example) and click “Submit”

   

7. In Burp Suite > Proxy > HTTP History, find the POST request “/forgot-password” that contains the username “wiener”, send it to Repeater

   

8. In Repeater, add the header“X-Forwarded-Host: <your exploit server URL>”, change “wiener” to “carlos” and send it

   

9. Go back to your email client, copy the link, paste it in a new tab, delete the token and don’t send it for the moment

   

   

10. Go back to the exploit server, click “Access logs”

    

11. Find the GET request for “/forgot-password” that contains the token for “carlos“

    

12. Go back to the new open tab (the one opened step 9), add carlos’s token at the end of the URL, where you deleted yours a few steps ago, and send it

    

13. Enter twice a password (entered “peter” as well for this account) and submit

    

14. Go to “My account” again

    

15. Enter Carlos’s new credentials and click “Submit”

    

16. The lab is solved