0xhashimGateway
The first lab is vulnerable to a common password reset vulnerability known as a Host Header Attack.
First, we need to create a new victim account. After that, we can test the reset function.
The application sends a reset link containing the site name, lab name, and the reset token. We can attempt to poison this reset link using our Burp Collaborator via the Host header. We observed that the modified link is reflected in the victim’s email. By acting as the unsuspecting victim and clicking the link received in the email, we obtain our token in the Referer header found in the Collaborator interaction history.
Now we can take that link, replace the Collaborator host with localhost (the lab's real host), and visit it; the reset page accepts the token, allowing us to successfully change the password.
0xcipheredCrossings
This lab focuses on Insecure Direct Object References (IDOR). To solve it, we need two different accounts: a victim and an attacker.
The application sends a link containing a GET parameter called uid, which is clearly a user ID.
You can observe that the uid parameter has the same structure for different users.
It has the form rndS@l<some_text>t, where <some_text> is Base64-encoded; decoding it yields a number.
Now we can easily pick a number, encode it to Base64, and attempt to change the password for another user by modifying the value of the uid parameter. And boom, we did it!
0xlockdownLabyrinth
This lab is based on a report I’ve read on HackerOne. I’ve simulated the API misconfiguration by making the PHP code send the same reset token to both the victim and the attacker.
Let's send the reset message and take a look at the POST request.
If we try to send a reset token to the attacker (who is not registered), we get a 400 Bad Request status code. But what if we send the request for both users, victim and attacker?
Yeah, that's right. Now we can go to the attacker's mailbox and change the victim's password.
0xcrypticCitadel
The last lab was a little bit different. After sending the reset email, it seems there’s a One-Time Password (OTP) instead of a reset token, or even a much stronger OTP xD
Yeah, the first thing that comes to mind is brute-forcing it. You're somewhat right; let's attempt brute-forcing with Burp Intruder.
It seems that the app blocks your IP address after some incorrect attempts. But how does the app identify your IP?
After some tries you'll find out that it honours the X-Forwarded-For HTTP header. When you supply a new IP via this header, it no longer counts your previous wrong attempts.
So, let's try again with Burp Intruder.
After some attempts we get a status code of 200 OK.
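To show why the lock-out in this lab could be sidestepped, and what it should be keyed on instead, here is an added Python example (not the lab's PHP or the author's code): a throttle that identifies the client by X-Forwarded-For beside one that counts failures per connection peer and per target account. The OTP value, peer address and account name are constructed samples.

```python
from collections import defaultdict
from dataclasses import dataclass

MAX_FAILURES = 5
CORRECT_OTP = "482913"  # constructed sample value, not a real lab secret

@dataclass
class Request:
    peer_ip: str      # address the server actually accepted the connection from
    headers: dict
    account: str
    otp: str

class NaiveThrottle:
    """Identifies the client by X-Forwarded-For, so a fresh header value starts a fresh count."""
    def __init__(self):
        self.failures = defaultdict(int)

    def verify(self, req):
        key = req.headers.get("X-Forwarded-For", req.peer_ip)
        if self.failures[key] >= MAX_FAILURES:
            return 429
        if req.otp == CORRECT_OTP:
            return 200
        self.failures[key] += 1
        return 401

class HardenedThrottle:
    """Counts failures per connection peer and per target account; client headers are ignored."""
    def __init__(self):
        self.failures = defaultdict(int)

    def verify(self, req):
        keys = (("ip", req.peer_ip), ("account", req.account))
        if any(self.failures[k] >= MAX_FAILURES for k in keys):
            return 429
        if req.otp == CORRECT_OTP:
            return 200
        for k in keys:
            self.failures[k] += 1
        return 401

def simulate(throttle, wrong_guesses=20):
    """Replay wrong guesses from one peer rotating X-Forwarded-For each time, then the correct OTP."""
    codes = []
    for i in range(wrong_guesses + 1):
        otp = CORRECT_OTP if i == wrong_guesses else f"{i:06d}"
        req = Request("203.0.113.7", {"X-Forwarded-For": f"10.0.0.{i}"}, "victim@example.com", otp)
        codes.append(throttle.verify(req))
    return codes
```

Behind a reverse proxy, take the client address only from the entry the proxy itself appends, never from the first value of the header. The per-account counter also needs a time window or backoff so it cannot be used to lock a victim out indefinitely.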
Conclusion
A big thank you to all of you! Your curiosity makes our cybersecurity journey exciting and meaningful. Keep exploring and learning!