Basic password reset poisoning
Last updated
The first thing to do is map the whole site and browse every function the website offers. Doing that reveals a password reset function on the login page, reached by clicking "Forgot password?".
The login form contains a "Forgot password?" function. I use it to request a password reset for my user wiener.
This results in an email that is sent to my address, containing a reset link:
Now let's request another reset link for our user wiener, but this time we intercept the request, modify the value of the Host header and check whether that value is reflected in the reset link.
The password reset email contains a link to the domain specified in the Host header: the application builds the link from the incoming request's Host value rather than from a fixed, server-side configured domain.
So our goal is to have the password reset link for the user carlos sent to a server we control by manipulating the Host header, then take that reset link, use it to change the password of the user carlos and take over his account.
To do that we use the lab's exploit server.
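To make the root cause concrete from the application's side, here is an added example (my own illustration, not code from the lab or from PortSwigger) that builds a reset link the vulnerable way, by reflecting the request's Host header, next to a hardened builder that uses a fixed canonical origin and an allowlist check on the Host header. The origin, hostnames and the query parameter name "token" are assumed values for the example, not taken from the lab.

```python
"""Constructed example: how a reset link becomes poisonable, and how to build it safely.

The vulnerable builder trusts the request's Host header, so whoever sends the
reset request controls the domain in the emailed link. The hardened builder
ignores the Host header entirely and uses a server-side canonical origin; the
allowlist check lets the application reject or log requests whose Host header
does not match a known hostname.
"""
import secrets
from urllib.parse import urlencode

# Hypothetical application configuration (assumed for this example, not from the lab).
CANONICAL_ORIGIN = "https://example-shop.test"
ALLOWED_HOSTS = {"example-shop.test", "www.example-shop.test"}
TOKEN_PARAM = "token"  # assumed query parameter name


def build_reset_link_vulnerable(headers: dict, token: str) -> str:
    """The flawed pattern: the attacker-controllable Host header ends up in the link."""
    host = headers.get("Host", "")
    return f"https://{host}/forgot-password?{urlencode({TOKEN_PARAM: token})}"


def build_reset_link_safe(token: str) -> str:
    """The fix: the origin comes from configuration, never from the request."""
    return f"{CANONICAL_ORIGIN}/forgot-password?{urlencode({TOKEN_PARAM: token})}"


def host_header_is_trusted(headers: dict) -> bool:
    """Allowlist check to run before the reset flow proceeds.

    A port suffix is stripped before comparison; an absent or unknown Host
    value is treated as untrusted so it can be rejected and logged.
    """
    host = headers.get("Host", "").split(":", 1)[0].strip().lower()
    return host in ALLOWED_HOSTS


def generate_reset_token() -> str:
    """Unguessable token; the link is only as safe as the token and the domain it points to."""
    return secrets.token_urlsafe(32)


def handle_reset_request(headers: dict, username: str) -> dict:
    """Minimal reset handler: refuses unexpected Host values and builds a safe link."""
    if not host_header_is_trusted(headers):
        # In a real application this would be logged as a probable Host header attack.
        return {"user": username, "accepted": False, "link": None}
    token = generate_reset_token()
    return {"user": username, "accepted": True, "link": build_reset_link_safe(token)}


if __name__ == "__main__":
    # Constructed request: the Host header has been swapped for an attacker domain.
    poisoned = {"Host": "attacker.example"}
    print("vulnerable:", build_reset_link_vulnerable(poisoned, "demo-token"))
    print("hardened:  ", handle_reset_request(poisoned, "carlos"))
    print("legit:     ", handle_reset_request({"Host": "www.example-shop.test"}, "carlos"))
```

The difference is the whole lesson of the lab: once the emailed link is derived from configuration instead of the request, a manipulated Host header can no longer redirect the reset token, and the allowlist check turns the attempt into a detectable event rather than a silent success.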
Enter the username carlos and intercept the request with Burp.
Change the Host header to our exploit server's domain.
According to the lab description, the user carlos blindly clicks on any links he receives, so he will click the password reset link that now points at our server. Opening the exploit server's access log shows the request containing the password reset link.
Take that link and paste it into the browser; the page asks you to enter a new password for carlos. Log in as carlos with the password you chose and the lab is solved.
I hope you found this walkthrough easy to understand and follow.
Greetings from Sayonara