Authentication - Password reset broken logic

Objective: This lab’s password reset functionality is vulnerable. To solve the lab, reset Carlos’s password then log in and access his “My account” page.

  • Your credentials: wiener:peter.
  • Victim’s username: carlos.
  1. The site has a Forgot password? functionality, so let’s use that for the account wiener to see how it works:

  2. When we reset wiener’s password, the site prompts us to check our email. So let’s log in to the email client and do that:

  3. If we examine the request when we submit a new password, we will see that it includes a username parameter which we might be able to manipulate:

  4. We will do the process all over again, intercept the request when submitting our new password, and change the username parameter value to carlos:

  5. Then we will log in with carlos’s account and his new password:
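The root cause is that the reset handler trusts a client-supplied `username` field instead of deriving the account from the reset token. The following added example (not the lab’s code; the in-memory stores, the `token` parameter name and the sample passwords are constructed for illustration) shows a handler with that broken logic next to a hardened one that binds the new password to the token’s owner, consumes the token on first use, and rejects a request whose `username` disagrees with the token.

```python
import secrets
from typing import Dict, Optional

# Constructed in-memory stores standing in for the lab's database.
# Passwords are kept in plaintext only to keep the demo short.
USERS: Dict[str, str] = {"wiener": "peter", "carlos": "carlos-original"}
RESET_TOKENS: Dict[str, str] = {}   # token -> username the token was issued for


def issue_reset_token(username: str) -> str:
    """'Forgot password?' step: issue a random token bound to exactly one account."""
    if username not in USERS:
        raise KeyError("unknown user")
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = username
    return token


def reset_vulnerable(params: Dict[str, str]) -> str:
    """Broken logic: the account is taken from the submitted 'username' field
    and the token is never consulted, so any account can be targeted."""
    username = params["username"]
    USERS[username] = params["new_password"]
    return username


def reset_fixed(params: Dict[str, str]) -> Optional[str]:
    """Hardened: the account comes from the token. Returns the username whose
    password was changed, or None if the request was rejected."""
    token = params.get("token", "")
    username = RESET_TOKENS.pop(token, None)   # single use: gone after first presentation
    if username is None:
        return None                            # missing, forged or already-used token
    # A client-supplied username that disagrees with the token is tampering;
    # reject it (and, in a real system, log it as a detection signal).
    if "username" in params and params["username"] != username:
        return None
    USERS[username] = params["new_password"]
    return username
```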

This post is licensed under CC BY 4.0 by the author.