Password reset broken logic

Let's click on My account.

Click on Forgot password?, then enter the username wiener.

Next, click on Email client to check the inbox for the password reset email.

Let's click on the link provided to us.

We can enter any password.

Since we are proxying the traffic through Burp Suite, we can view this request in the Proxy > HTTP History tab.

We can forward this request to the Repeater so that we can modify it.

Once in the Repeater tab, let's remove the temp-forgot-password-token parameter both from the URI and from the POST body, then send the request to the server.

We can see that our password has been changed even though we did not include the token. This means that the server issues the token but never validates it when the new password is submitted, so the username field alone decides whose password is changed.

Let's set the username field to the following and resend the request:

carlos

Now we can log in using the following credentials:

Username   Password
carlos     password

We have solved the lab.
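To make the root cause concrete, here is an added Python sketch (not code from the lab or from PortSwigger) that puts a reset handler with the flaw seen above next to one that actually validates the token. The in-memory user and token stores, the 15-minute lifetime and the form field names other than temp-forgot-password-token and username (new-password-1, new-password-2) are assumptions made for the example.

```python
import secrets
import time

# Constructed in-memory stores standing in for the application's database.
USERS = {"wiener": "peter", "carlos": "montoya"}
RESET_TOKENS = {}  # token -> (username the token was issued for, expiry time)

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link


def issue_reset_token(username):
    """Step one of a reset: mint a random token and bind it server-side to
    exactly one account. Returns None for unknown users."""
    if username not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = (username, time.time() + TOKEN_TTL_SECONDS)
    return token


def reset_password_vulnerable(form):
    """Mirrors the broken logic from the lab: the token parameter is never
    looked at, so whoever controls the 'username' field chooses which
    account's password is overwritten."""
    username = form.get("username")
    if username not in USERS:
        return 400, "unknown user"
    USERS[username] = form.get("new-password-1", "")
    return 200, "password changed"


def reset_password_fixed(form):
    """Hardened handler: the token must exist, be unexpired, match the
    account named in the request, and is consumed after one use."""
    token = form.get("temp-forgot-password-token")
    if not token:
        return 400, "missing token"
    entry = RESET_TOKENS.get(token)
    if entry is None:
        return 403, "invalid token"
    bound_user, expiry = entry
    if time.time() > expiry:
        del RESET_TOKENS[token]
        return 403, "expired token"
    # The account is taken from the server-side binding, never from the
    # client; a mismatching username field is rejected outright.
    if form.get("username") != bound_user:
        return 403, "token was not issued for this user"
    new1, new2 = form.get("new-password-1"), form.get("new-password-2")
    if not new1 or new1 != new2:
        return 400, "passwords do not match"
    USERS[bound_user] = new1
    del RESET_TOKENS[token]  # single use: a replayed link must fail
    return 200, "password changed"


if __name__ == "__main__":
    # Replay of the lab request: username swapped to carlos, no token.
    attack = {"username": "carlos", "new-password-1": "password",
              "new-password-2": "password"}
    print("vulnerable:", reset_password_vulnerable(attack))
    print("fixed:     ", reset_password_fixed(attack))
```

The fixed handler is the check the lab's server was missing: the token, not the submitted username, decides which account may be changed, and the token is rejected once it has been used or has expired.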
