Burp Suite User Forum

Password reset poisoning Lab issue

arun | Last updated: Jun 29, 2020 09:31PM UTC

The victim never makes a call to forgot password through the exploit URL.

Liam, PortSwigger Agent | Last updated: Jun 30, 2020 07:20AM UTC

Which lab are you referring to?

Greg | Last updated: Oct 03, 2020 07:52PM UTC

I never get a reply either using this lab https://portswigger.net/web-security/host-header/exploiting/password-reset-poisoning/lab-host-header-basic-password-reset-poisoning

Michelle, PortSwigger Agent | Last updated: Oct 05, 2020 01:32PM UTC

Have you updated the username parameter in the request as well as updating the host header to be your-exploit-server-id.web-security-academy.net?

Hussain | Last updated: Oct 13, 2020 08:45PM UTC

Hi, I did everything step by step, but in the access log I don't find any request for GET /forgot-password with the temp-forgot-password-token parameter containing Carlos's password reset token. I tried like 15 times. Kindly help to complete this lab.

Michelle, PortSwigger Agent | Last updated: Oct 14, 2020 03:41PM UTC

When we've checked this lab a GET /forgot-password request is appearing in the access log on the exploit server. Keep trying and check the details of the request you send in step 6 of the solution, the 'Host' header should match your exploit server's domain and you also need to change the username parameter lower down. Good luck!

Tharaka | Last updated: Oct 18, 2020 04:34PM UTC

Hi, I have the same issue. The access log does not show the GET /forgot-password request.

Hannah, PortSwigger Agent | Last updated: Oct 19, 2020 07:54AM UTC

Have you tried following a video solution? I have just tested the lab and can confirm it is working as expected.

Ashok | Last updated: Oct 20, 2020 11:43AM UTC

I do have the same problem, not showing a forgot password GET log!!!!

Hannah, PortSwigger Agent | Last updated: Oct 20, 2020 12:48PM UTC

Have you tried following a video solution like this one? https://youtu.be/kgaubKLduh4 I have just retried this lab and have not had any issues completing the lab. Please make sure that you are using your exploit server as the Host in your request (or as shown in the video example you could add the X-Forwarded-Host header).

Youil | Last updated: Nov 10, 2020 03:15AM UTC

Hello, I've attempted this several times. I got the proxy set up for localhost:8080. I'm getting all the header intercepts, I've watched several videos. Except I never see the PUSH /forgot-password header come in. Is there something I might be doing wrong? Everything else is coming in OK. I turned off my VPN and I have a stub resolver for DNS over TLS. Is that possibly causing some issue?

Hannah, PortSwigger Agent | Last updated: Nov 11, 2020 04:38PM UTC

Hi, are you checking your access log for a GET request? You won't be seeing this come through your Burp proxy.

Anonymous | Last updated: Dec 18, 2020 06:59AM UTC

Hi, I was having the same problem after adding X-Forwarded-Host and username=carlos%40aca31fb91ebd997b80ba6ec3011e006a.web-security-academy.net. This worked: username=carlos (here it should only be the username, not like carlos@asfdsfasdffa...)

Marc | Last updated: Jan 18, 2021 08:00PM UTC

Something is wrong with this lab. You never see in the access log anything about a GET /forgot-password with the temp-forgot-password-token parameter. Not even when you do the original password reset! All the access log sees is internal access by accessing email and the log. Look, this is all that is recorded:
2021-01-18 07:55:15 +0000 "POST / HTTP/1.1" 302 "User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0"
2021-01-18 07:55:16 +0000 "GET /log HTTP/1.1" 200 "User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0"
2021-01-18 07:55:42 +0000 "GET / HTTP/1.1" 200 "User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0"
2021-01-18 07:55:46 +0000 "POST / HTTP/1.1" 302 "User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0"
2021-01-18 07:55:46 +0000 "GET /email HTTP/1.1" 200 "User-Agent: Mozilla/5.0 (X11; Ubuntu;

Hannah, PortSwigger Agent | Last updated: Jan 19, 2021 09:41AM UTC

Have you changed the full username value to just "carlos"? I have just tested this lab and can confirm it is working as expected.

Marc | Last updated: Jan 19, 2021 04:12PM UTC

Yes. Is this some kind of bot answering these posts?

Hannah, PortSwigger Agent | Last updated: Jan 19, 2021 04:17PM UTC

Hi Marc. Sorry to disappoint, I'm not a bot. Could you tell me the browser you are using to complete the lab? I've tested on both the inbuilt Chromium browser and Firefox proxied through Burp. You won't get any access requests in your original password reset, as the Host header will not be set to that of the exploit server.
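
The behaviour described in the reply above, where the reset link only reaches another server when the request's Host (or X-Forwarded-Host) names it, comes from an application building the emailed link out of request headers. The following is an added example, not part of the original thread and not the lab's own code, contrasting that pattern with a hardened link builder; the domains, function names and settings are assumptions, and the sample requests are constructed.

```python
from urllib.parse import urlencode

# Assumed deployment settings (hypothetical values, not from the thread).
CANONICAL_ORIGIN = "https://shop.example"
ALLOWED_HOSTS = {"shop.example", "www.shop.example"}

# Constructed sample requests: header dicts as the application would see them.
SAMPLE_REQUESTS = {
    "normal": {"Host": "shop.example"},
    "host_changed": {"Host": "attacker.example"},
    "forwarded_host": {"Host": "shop.example", "X-Forwarded-Host": "attacker.example"},
}


def _link(origin, token):
    query = urlencode({"temp-forgot-password-token": token})
    return f"{origin}/forgot-password?{query}"


def reset_link_vulnerable(headers, token):
    """Weak pattern: the emailed link's domain is whatever the request claims."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    return _link(f"https://{host}", token)


def reset_link_hardened(headers, token):
    """Fail closed on unexpected hosts; build the link from configuration only."""
    if "Host" not in headers:
        raise ValueError("missing Host header")
    for name in ("Host", "X-Forwarded-Host"):
        value = headers.get(name)
        if value is not None and value.lower().split(":")[0] not in ALLOWED_HOSTS:
            raise ValueError(f"rejected {name}: {value!r}")
    return _link(CANONICAL_ORIGIN, token)


def compare(token="constructed-token"):
    """Return {case: (vulnerable_link, hardened_link_or_error)} for the samples."""
    results = {}
    for case, headers in SAMPLE_REQUESTS.items():
        try:
            hardened = reset_link_hardened(headers, token)
        except ValueError as exc:
            hardened = f"error: {exc}"
        results[case] = (reset_link_vulnerable(headers, token), hardened)
    return results
```

Calling `compare()` shows the weak builder following the header in both altered cases, while the hardened one either rejects the request or emits the configured origin.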

Marc | Last updated: Jan 19, 2021 04:40PM UTC

For some odd reason, it's working now. Maybe it was just changing the user name to carlos only, and I wasn't paying attention. ¯\_(ツ)_/¯

Hannah, PortSwigger Agent | Last updated: Jan 19, 2021 04:49PM UTC

Hi Marc, glad to hear you're able to complete it now. Enjoy the rest of the labs!

Pratik | Last updated: Jul 18, 2021 09:06AM UTC

It didn't work in mine. Please help me.

Hannah, PortSwigger Agent | Last updated: Jul 21, 2021 09:05AM UTC

Hi Pratik. Have you tried following any of the video solutions linked above?

Shivamshaurabh | Last updated: Aug 20, 2021 06:50AM UTC

When we select the forgot password through HTTP history and send the request to Burp Repeater and send the request, I get the bad request... I tried the 1st way to redirect through host, the 2nd, the 3rd also, but it is not helpful...

Hannah, PortSwigger Agent | Last updated: Aug 20, 2021 08:58AM UTC

I can confirm that the lab is working as expected. Have you tried watching a Community video solution (found underneath the written solution)? Additionally, if you are still having issues, try unloading all extensions in case they are modifying your traffic.

GERMAN | Last updated: Mar 27, 2023 12:51AM UTC

I face a similar issue. According to this https://portswigger.net/research/browser-powered-desync-attacks it is not a lab problem, it's an HTTP handling anomaly. In my case the flaw was "First-request routing".

Pedro | Last updated: Mar 27, 2023 04:52PM UTC

Why, when I use GET to the exploit server, is the response URL:https://exploit in the lab Basic Password Reset Poisoning? URL: https://exploit-0ab000cb04286a21c1ee270401a3006a.exploit-server.net/exploit

Pedro | Last updated: Mar 27, 2023 04:54PM UTC

And the same thing happens to me as Marc: Something is wrong with this lab. You never see in the access log anything about a GET /forgot-password with the temp-forgot-password-token parameter. Not even when you do the original password reset! All the access log sees is internal access by accessing email and the log. Look, this is all that is recorded:
2021-01-18 07:55:15 +0000 "POST/HTTP/1.1" 302 "User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko /20100101 Firefox/84.0"
2021-01-18 07:55:16 +0000 "GET /log HTTP/1.1" 200 "Agente de usuario: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0"
2021-01-18 07:55:42 +0000 "GET/HTTP/1.1" 200 "Agente de usuario: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0 "
2021-01-18 07:55:46 +0000 "POST/HTTP/1.1"

Pedro | Last updated: Mar 27, 2023 07:28PM UTC

Hello, finally I was able to solve the laboratory. I was making a typo by not including the word exploit at the beginning of the URL: https://exploit. Thank you.

fernando | Last updated: Apr 10, 2023 08:37PM UTC

Hi, I am not receiving any email in my wiener server (email) when I change the Host: for other in Burp Suite, for example "Host: aaaaaaaaaaaaaaaaaaaaaaaaa", and I keep the "&username=wiener" (test). If I change to Host: exploit-0ae80030046b8bce8423267c0139004e.exploit-server.net, I get the error: HTTP/2 421 Misdirected Request Content-Length: 12 Invalid host. I can't do the tests to be able to send the POST with the fields changed by Carlos and "Host: exploit-0ae80030046b8bce8423267c0139004e.exploit-server.net". I followed the tutorial https://www.youtube.com/watch?v=24IsNsLWtco&t=3s&ab_channel=MichaelSommer but it does not work for me. Could you help me? Thanks.

PeanutButter69 | Last updated: Apr 12, 2023 02:07PM UTC

Hi, I got invalid host. Can you help me? Thanks.

PeanutButter69 | Last updated: Apr 12, 2023 02:11PM UTC

Please help, I can't solve this lab, followed all the steps correctly.

Ben, PortSwigger Agent | Last updated: Apr 13, 2023 10:36AM UTC

Hi, currently you would need to alter your Repeater request so that it uses HTTP/1. If you navigate to the Inspector pane, expand the Request attributes section and then switch the Protocol setting to HTTP/1, you should then be able to issue the malicious request in Repeater and subsequently solve the lab.

Jan | Last updated: May 26, 2023 09:59AM UTC

Thanks, switching to HTTP/1 worked.
