Info 📜:

This lab's password reset functionality is vulnerable.

Goal 🎯:

To solve the lab:

• Reset Carlos's password, then log in and access his "My Account" page.
• Your credentials: wiener:peter
• Victim's username: carlos

How to Solve the Lab 🛠️

1. Open the lab and log in with your credentials 🔑:
   • username: wiener
   • password: peter
2. Click on "Forgot Password" 🔐.
3. Enter Wiener as the username and set a new password, for example, hacker.
4. Go to Burp Suite and open HTTP History 🔍.
5. Catch the request with the URL /forgot-password?temp-forgot-password-token using the POST Method.
6. Send the request to Repeater 🔄.
7. The parameter temp-forgot-password-token=s8kx4aivncdm5fxpougtwysehn4zwvdv is not important for us to change Carlos’s password, as it’s for Wiener. Every user on the system has a unique token.
8. What happens if we delete the token and change the username to Carlos and the password to victim?

• You will get a 302 redirect, like you logged in normally.

1. Try to log in using Carlos's credentials:
   • username: carlos
   • password: victim