Lab link.
The lab description says the application is vulnerable to password reset poisoning. First, we reset the password of the wiener user to understand how the reset flow works.
Specifying a username in the POST /forgot-password request is enough to trigger a password reset. If we can manipulate this request with an X-Forwarded-Host header, the reset link in the email for that username will point at our exploit server.
If we look at the exploit server's access log, we see a request containing the value of “temp-forgot-password-token=”. Putting this value into the token parameter of the reset URL lets us reset the password of the user carlos.
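To show why the reset link could be poisoned and how to fix it, here is an added example (not the lab's own code): a link builder that trusts X-Forwarded-Host beside a hardened one that takes the origin from configuration. The request dict layout, the APP_BASE_URL setting and the trusted-proxy list are assumptions for illustration.

```python
# Added example, not part of the original lab writeup. Shows the poisonable
# pattern (host taken from request headers) next to the hardened form
# (host taken from server-side configuration). APP_BASE_URL, TRUSTED_PROXIES
# and the request dict shape are hypothetical.
import secrets

APP_BASE_URL = "https://example-app.test"  # hypothetical configured canonical origin
TRUSTED_PROXIES = {"10.0.0.5"}             # hypothetical reverse proxy addresses


def reset_link_vulnerable(request: dict, token: str) -> str:
    """Builds the link from request headers; X-Forwarded-Host wins if present,
    so whoever controls that header controls where the reset link points."""
    headers = request["headers"]
    host = headers.get("X-Forwarded-Host") or headers["Host"]
    return f"https://{host}/forgot-password?temp-forgot-password-token={token}"


def reset_link_hardened(request: dict, token: str) -> str:
    """Ignores client-controlled host headers; the origin comes only from
    configuration, so the emailed link can never point at another host."""
    return f"{APP_BASE_URL}/forgot-password?temp-forgot-password-token={token}"


def host_allowed(request: dict, allowed_hosts: set) -> bool:
    """Defence in depth: honour X-Forwarded-Host only when it was set by a
    trusted proxy, and only if the resulting host is on an explicit allow-list."""
    headers = request["headers"]
    if "X-Forwarded-Host" in headers and request["remote_addr"] not in TRUSTED_PROXIES:
        return False
    host = headers.get("X-Forwarded-Host") or headers["Host"]
    return host in allowed_hosts


def new_token() -> str:
    """Unguessable single-use token; the link itself still must not be poisonable."""
    return secrets.token_urlsafe(32)


# Constructed sample request: a POST /forgot-password arriving directly from a
# client (not a trusted proxy) with a spoofed X-Forwarded-Host header.
SAMPLE_REQUEST = {
    "remote_addr": "203.0.113.7",
    "headers": {"Host": "example-app.test",
                "X-Forwarded-Host": "exploit-server.test"},
}

if __name__ == "__main__":
    t = new_token()
    print("vulnerable:", reset_link_vulnerable(SAMPLE_REQUEST, t))
    print("hardened:  ", reset_link_hardened(SAMPLE_REQUEST, t))
```

The hardened builder plus the allow-list check is the fix the lab's behaviour calls for: the emailed link never depends on Host or X-Forwarded-Host from the client.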