Password reset broken logic
Let's click on My account, then on Forgot password?, and enter the username wiener.
Next, we click on Email client to check our emails and follow the password reset link provided to us.
We can enter any new password and submit the form.
Since we are proxying the traffic through Burp Suite, we can view this request in the Proxy > HTTP history tab.
We can send this request to Repeater so that we can modify it.
Once in the Repeater tab, let's remove the temp-forgot-password-token parameter from the URI as well as from the POST data, and send the request to the server.
We can see that our password has been changed even though we did not include the token. This means that the server issues the token but never validates it: the only thing that decides whose password is changed is the username field, which we control.
Let's set the username field to the following and resend the request:
carlos
Now we can log in using the following credentials:

| Username | Password |
|---|---|
| carlos | password |
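To make the flaw concrete, here is an added example (not the lab's code) that models the reset endpoint twice: once the way the lab behaves, where the token is issued but never checked, and once hardened so that the token alone decides which account is reset. The form field names (`temp-forgot-password-token`, `username`, `new-password-1`, `new-password-2`) are assumed to match the lab's request, and the in-memory user store and its passwords are constructed for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class User:
    password: str


@dataclass
class Store:
    """Constructed in-memory stand-in for the lab's user database."""
    users: Dict[str, User]
    # token -> (username, expiry timestamp); filled by issue_reset_token()
    reset_tokens: Dict[str, Tuple[str, float]] = field(default_factory=dict)


def make_store() -> Store:
    # Passwords are made up for the example.
    return Store(users={"wiener": User("peter"), "carlos": User("montoya")})


def issue_reset_token(store: Store, username: str, ttl: float = 600.0,
                      now: Optional[float] = None) -> str:
    """'Forgot password?' step: mint a random, single-use token bound to the user."""
    now = time.time() if now is None else now
    if username not in store.users:
        raise KeyError(username)
    token = secrets.token_urlsafe(32)
    store.reset_tokens[token] = (username, now + ttl)
    return token


def attacker_form(victim: str, new_password: str) -> Dict[str, str]:
    """The Repeater request from the writeup: token parameter removed,
    username field swapped to the victim (field names assumed)."""
    return {
        "username": victim,
        "new-password-1": new_password,
        "new-password-2": new_password,
    }


def reset_vulnerable(store: Store, form: Dict[str, str]) -> bool:
    """Mirrors the lab: the token is issued but never checked, so the
    client-supplied username alone decides whose password changes."""
    user = store.users.get(form.get("username", ""))
    if user is None or form.get("new-password-1") != form.get("new-password-2"):
        return False
    user.password = form["new-password-1"]
    return True


def reset_hardened(store: Store, form: Dict[str, str],
                   now: Optional[float] = None) -> Optional[str]:
    """The token, not the username field, identifies the account.
    Returns the username whose password was changed, or None on rejection."""
    now = time.time() if now is None else now
    token = form.get("temp-forgot-password-token", "")
    # Compare against every issued token in constant time; a missing or
    # unknown token matches nothing. The username field is ignored entirely.
    match = None
    for issued, (username, expires) in store.reset_tokens.items():
        if hmac.compare_digest(issued.encode(), token.encode()):
            match = (issued, username, expires)
    if match is None:
        return None
    issued, username, expires = match
    if now > expires:
        del store.reset_tokens[issued]  # expired tokens are discarded
        return None
    if form.get("new-password-1") != form.get("new-password-2"):
        return None
    store.users[username].password = form["new-password-1"]
    del store.reset_tokens[issued]  # single use: a replay must fail
    return username


if __name__ == "__main__":
    s = make_store()
    issue_reset_token(s, "wiener")
    print("vulnerable:", reset_vulnerable(s, attacker_form("carlos", "password")))
    s = make_store()
    issue_reset_token(s, "wiener")
    print("hardened:", reset_hardened(s, attacker_form("carlos", "password")))
```

The hardened handler also shows the second check worth making in a real review: even with a valid token present, swapping the username field must not redirect the reset to another account, so the account is derived from the token and the username field is never trusted.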
We have solved the lab.