Solving PortSwigger Academy: Authentication - Password Reset Broken Logic

Vishal
3 min readSep 3, 2024

In this write-up we solve the PortSwigger Academy authentication lab "Password reset broken logic".

The challenge: we are given the credentials of the user wiener, and we need to reset the password of the user carlos and access his My Account page.

When we open the lab we see the page below.

Click My Account and you will see the login form.

To understand the flow, I first logged in with the provided credentials and also tried the password reset function.

1. Click the Forgot password? link. It sends a GET request to the /forgot-password endpoint, which loads the password reset page.

2. In the text box the user enters either the username or the email address of the account whose password needs to be reset.

The response says a password reset link has been sent to the account's email address, and we receive it in the lab's email client.

Request and Response

When we click the link, we get a page where we need to enter the new password.

Notice the highlighted areas: the password reset token is sent both in the URL and in the POST body, together with the username whose password is to be reset.

Let's intercept this request, change the username from 'wiener' to 'carlos' and forward it.

The response shows the password was changed for carlos.

Let's log in to Carlos's account with the password we just set.

Login with Carlos

That is how we solve the challenge.

Now, if we analyse why this vulnerability arises, there are a few points.

1. The username is sent in the POST body and is not tied to the reset token or to the session that started the reset, so an attacker can simply change it.
2. It does not ask for the old password. That is expected in a forgot-password flow, but it means the token is the only thing protecting the account, so the token must be bound to the user it was issued for.
3. The password reset token does not expire and can be used many times.
4. We can set our own token value: the server only checks that the token in the URL and the token in the body are the same.

To mitigate the issue, the application must determine the account from the server-side record of the reset token (the token, not the request body, says whose password is being reset), the token must expire after a short time and be invalidated as soon as it is used, and a logged-in change-password function should require the current password.
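To make the broken logic and the fix concrete, here is an added in-memory model of the reset endpoint (example code written for this write-up, not the lab's own server code). It reproduces the steps above: wiener requests a reset, the emailed token is replayed with username=carlos, and the vulnerable handler changes carlos's password while the hardened handler only ever resets the account the token was issued for. The form field names (temp-forgot-password-token, username, new-password-1, new-password-2), the sample passwords and the 15-minute lifetime are assumptions for the demo, not values taken from the page.

```python
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60  # assumed token lifetime for the hardened handler


@dataclass
class ResetToken:
    username: str       # account the token was issued for (server-side binding)
    issued_at: float
    used: bool = False


def fresh_state():
    """Constructed sample accounts; the lab's real passwords are not reproduced."""
    users = {"wiener": "peter", "carlos": "carlos-original"}
    tokens = {}   # token value -> ResetToken
    return users, tokens


def request_reset(users, tokens, username, now):
    """POST /forgot-password: issue a token and 'email' its link to the owner.
    Returns the token so the demo can play the role of the inbox."""
    if username not in users:
        return None   # real code should answer identically to avoid enumeration
    token = secrets.token_urlsafe(32)
    tokens[token] = ResetToken(username=username, issued_at=now)
    return token


def vulnerable_reset(users, tokens, url_token, form, now):
    """Broken logic as observed in the lab: the username comes from the POST body,
    the token is only compared with its copy in the body, and it is never consumed."""
    if form.get("temp-forgot-password-token") != url_token:
        return False
    if form["new-password-1"] != form["new-password-2"]:
        return False
    users[form["username"]] = form["new-password-1"]   # attacker controls 'username'
    return True


def fixed_reset(users, tokens, url_token, form, now):
    """Hardened handler: the account comes from the server-side token record,
    the token must be unexpired and single-use, and the body username is ignored."""
    record = tokens.get(url_token)
    if record is None or record.used or now - record.issued_at > TOKEN_TTL_SECONDS:
        return False
    if form["new-password-1"] != form["new-password-2"]:
        return False
    record.used = True                        # burn the token before changing anything
    users[record.username] = form["new-password-1"]
    return True


def attack_form(token, username):
    """The intercepted POST body, with the username field under attacker control."""
    return {
        "temp-forgot-password-token": token,
        "username": username,
        "new-password-1": "attacker-chosen",
        "new-password-2": "attacker-chosen",
    }


def run_attack(handler):
    """wiener requests a reset, then the token is replayed with username=carlos.
    Returns True if carlos's password ended up under attacker control."""
    users, tokens = fresh_state()
    now = time.time()
    token = request_reset(users, tokens, "wiener", now)
    handler(users, tokens, token, attack_form(token, "carlos"), now)
    return users["carlos"] == "attacker-chosen"


def replay_token(handler):
    """Submit the same token twice; returns (first accepted, second accepted)."""
    users, tokens = fresh_state()
    now = time.time()
    token = request_reset(users, tokens, "wiener", now)
    first = handler(users, tokens, token, attack_form(token, "wiener"), now)
    second = handler(users, tokens, token, attack_form(token, "wiener"), now + 1)
    return first, second


def expired_token_accepted(handler):
    """Submit a token after its assumed lifetime; returns whether it was accepted."""
    users, tokens = fresh_state()
    now = time.time()
    token = request_reset(users, tokens, "wiener", now)
    late = now + TOKEN_TTL_SECONDS + 1
    return handler(users, tokens, token, attack_form(token, "wiener"), late)


if __name__ == "__main__":
    print("vulnerable: carlos taken over ->", run_attack(vulnerable_reset))   # True
    print("fixed:      carlos taken over ->", run_attack(fixed_reset))        # False
    print("vulnerable: token reuse       ->", replay_token(vulnerable_reset))  # (True, True)
    print("fixed:      token reuse       ->", replay_token(fixed_reset))       # (True, False)
```

The design point is that the hardened handler never reads the username from the client at all: the token record is the only source of truth for which account is being reset, which closes point 1 above, and marking the token used before writing the new password closes point 3 even if the write later fails. A production version would store a hash of the token rather than the token itself, so a leaked database does not yield usable reset links.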

Thanks!! see you soon.
