search

labs

hashtag
Lab - 1: Basic password reset poisoning (A)

  • This lab is vulnerable to password reset poisoning. The user carlos will carelessly click on any links in emails that he receives. To solve the lab, log in to Carlos's account. You can log in to your own account using the following credentials: wiener:peter. Any emails sent to this account can be read via the email client on the exploit server.

hashtag
how forgot password works in this lab ?

  • first test with own account wiener

  • enter name at forgot password page will make a post request

POST /forgot-password HTTP/1.1
Host: 0a2e00ee047f2fdbc0bd31ff00010045.web-security-academy.net
...
csrf=TmWD6yKuj2ZaYbUZkL6sH3f6jom3mvU3&username=wiener

  • Then Please check your email for a reset password link.

  • In email box, the following link with token is received.

https://0a2e00ee047f2fdbc0bd31ff00010045.web-security-academy.net/forgot-password?temp-forgot-password-token=WLiNjn9NG1CUePEojyt8OtuiaCr3clzi

If follow the link, reset password page is received. Then POST request to change the password.

POST /forgot-password?temp-forgot-password-token=Hg1GwkdzYSEpDG5FDG5M3gNMULH0vGPS HTTP/1.1
Host: 0a2e00ee047f2fdbc0bd31ff00010045.web-security-academy.net
...

csrf=9FlVx2UgbGDnst1PfLnKjyNdNp2h9wPi&temp-forgot-password-token=Hg1GwkdzYSEpDG5FDG5M3gNMULH0vGPS&new-password-1=peter&new-password-2=peter

hashtag
How to exploit other user

  • test the Host header for POST request with other Hosts

  • Email still received with the following link

  • change the Host header to exploit server and change the user name to other user

  • Then look at the exploit server log and found a GET request with token.

  • use that token to get the change password page for other user

hashtag
Lab - 2: Password reset poisoning via middleware (P)

  • This lab is vulnerable to password reset poisoning. The user carlos will carelessly click on any links in emails that he receives. To solve the lab, log in to Carlos's account. You can log in to your own account using the following credentials: wiener:peter. Any emails sent to this account can be read via the email client on the exploit server.

hashtag
Lab - 3: Password reset poisoning via dangling markup (E)

plan after XSS

hashtag
Lab - 4: Web cache poisoning via ambiguous requests

  • This lab is vulnerable to web cache poisoning due to discrepancies in how the cache and the back-end application handle ambiguous requests. An unsuspecting user regularly visits the site's home page. To solve the lab, poison the cache so the home page executes alert(document.cookie) in the victim's browser.

  • add second Host header with exploit server and see where it is reflected

  • in exploit server File path: /resources/js/tracking.js

  • in exploit server Body : alert(document.cookie)

hashtag
Lab 5 : Host header authentication bypass (A)

  • This lab makes an assumption about the privilege level of the user based on the HTTP Host header. To solve the lab, access the admin panel and delete Carlos's account.

  • admin route can be found at /admin

hashtag
Lab - 6: Routing-based SSRF (P)

  • This lab is vulnerable to routing-based SSRF via the Host header. You can exploit this to access an insecure intranet admin panel located on an internal IP address. To solve the lab, access the internal admin panel located in the 192.168.0.0/24 range, then delete Carlos.

PreviousnotesNextHTTP Request Smuggling

Last updated