Info:
This lab is vulnerable to password reset poisoning. The user carlos will carelessly click on any links in emails that he receives.
Goal:
To solve the lab, log in to Carlos's account. You can log in to your own account using the following credentials: wiener:peter. Any emails sent to this account can be read via the email client on the exploit server.
🛠️ Tools Required:
- Burp Suite (for intercepting and modifying HTTP requests)
- Exploit Server (for capturing the stolen reset token)
🧑‍💻 Steps to Exploit:
1️⃣ Start Burp Suite
- Launch Burp Suite and configure it to intercept HTTP requests.
- Observe the password reset functionality.
2️⃣ Capture the Reset Request
- Click on the "Forgot your password?" link on the target application.
- Observe that an email is sent with a link containing a unique reset token (used for password recovery).
3️⃣ Send to Burp Repeater
- Send the POST /forgot-password request to Burp Repeater to modify and analyze the request.
- Pay attention to the X-Forwarded-Host header. When the application builds the password reset link from this header, anyone who can set it can point the generated link at an arbitrary domain.
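The following is an added example, not code from the lab or from PortSwigger, showing the server-side root cause behind step 3 and how a defender closes it: a reset-link builder that trusts X-Forwarded-Host beside one that uses a configured canonical host, plus a check that flags reset requests carrying a forwarded host outside the allow-list. All host names and the token parameter name are constructed for the example.

```python
from urllib.parse import urlencode

# Constructed values for this example (not taken from the lab)
CANONICAL_HOST = "example-app.test"
ALLOWED_HOSTS = {CANONICAL_HOST}


def _header(headers, name):
    """Case-insensitive header lookup on a plain dict of request headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def build_reset_link_vulnerable(headers, token):
    """Vulnerable pattern: the absolute URL placed in the reset email is built
    from X-Forwarded-Host (falling back to Host), i.e. from request data the
    sender controls. Whoever supplies the header chooses where the token goes."""
    host = _header(headers, "X-Forwarded-Host") or _header(headers, "Host")
    return f"https://{host}/forgot-password?{urlencode({'token': token})}"


def build_reset_link_hardened(token, canonical_host=CANONICAL_HOST):
    """Hardened pattern: the host comes from server-side configuration, so no
    request header can redirect the link to a foreign domain."""
    return f"https://{canonical_host}/forgot-password?{urlencode({'token': token})}"


def host_override_suspicious(headers, allowed_hosts=ALLOWED_HOSTS):
    """Detection helper: True when a forwarded-host header names a host outside
    the allow-list. Worth logging and alerting on at the edge or WAF, since a
    password reset request should never legitimately carry a foreign host.
    Assumes a hostname[:port] value (no IPv6 literal handling)."""
    forwarded = _header(headers, "X-Forwarded-Host")
    if forwarded is None:
        return False
    # Take the first entry if a proxy chain appended several, then drop any port
    host = forwarded.split(",")[0].strip().rsplit(":", 1)[0].lower()
    return host not in allowed_hosts


# Constructed request headers, modelled on the POST /forgot-password the lab describes
POISONED_REQUEST = {
    "Host": CANONICAL_HOST,
    "X-Forwarded-Host": "attacker-controlled.test",
}
```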
4️⃣ Configure X-Forwarded-Host
- Go to the Exploit Server (where you want to capture the stolen token).