9.5 Lab: Exploiting time-sensitive vulnerabilities | 2024

9 months ago 156


Karthikeyan Nagaraj

This lab contains a password reset mechanism. Although it doesn’t contain a race condition, you can exploit the mechanism’s broken cryptography by sending carefully timed requests.

To solve the lab:

1. Identify the vulnerability in the way the website generates password reset tokens.
2. Obtain a valid password reset token for the user carlos.
3. Log in as carlos.
4. Access the admin panel and delete the user carlos.

You can log into your account with the following credentials: wiener:peter.

1. Navigate to My Account and click Forgot Password.
2. Type wiener, send the request, then capture the request and send it to Repeater twice.
3. In one of the Repeater tabs:
   - change POST to GET,
   - remove the PHP session cookie,
   - remove the body (the CSRF token and username),
   and send the request.
4. In the response you get a new session value and a new CSRF token; use the response search function to find them.
5. Undo the changes to the request and substitute in the new session cookie and CSRF value. You can get these just as easily by sending a GET to /forgot-password, but I'm sharing my method, which is easier than that once you understand it (use the video for a better understanding).
6. Add the two requests to a group and change the username value to carlos in one of them.
7. Check your email client; you will have received an email.
8. Copy the link into a new tab, change the username value to carlos, and hit Enter.
9. You will now see the page to change the password for the user carlos.
10. Log in to the carlos account with the password you created.
11. Navigate to the admin panel and delete the user carlos to solve the lab.

If you receive an HTTP/1 version error, send the request separately once, then send it again as a group in parallel.
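Why two requests sent in the same instant yield the same token, and what a safe generator looks like instead. This is an added illustration, not the lab's code: the weak generator is an assumed model of the flaw (token derived only from the request timestamp), and ResetStore is a constructed hardened design for comparison.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def weak_reset_token(username: str, now: float) -> str:
    """Assumed model of the lab's defect: the token depends only on the
    second the request was handled, so two users whose reset requests land
    in the same second receive an identical token."""
    _ = username  # deliberately unused: this is the bug being illustrated
    return hashlib.md5(str(int(now)).encode()).hexdigest()


@dataclass
class ResetStore:
    """Hardened design: unpredictable per-request token, bound to one user,
    stored only as a hash, single use, and short-lived."""

    ttl_seconds: int = 600
    # sha256(token) -> (username, expiry time); constructed in-memory store
    _records: dict = field(default_factory=dict)

    def issue(self, username: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._records[digest] = (username, now + self.ttl_seconds)
        return token  # plaintext goes into the email only; never stored

    def redeem(self, username: str, token: str, now: float) -> bool:
        digest = hashlib.sha256(token.encode()).hexdigest()
        record = self._records.pop(digest, None)  # any attempt consumes it
        if record is None:
            return False
        bound_user, expiry = record
        # token must belong to the user named in the request and be unexpired
        return hmac.compare_digest(bound_user, username) and now <= expiry
```

With the weak generator, a request for wiener and a request for carlos handled in the same second share a token, which is exactly the property the parallel Repeater group relies on; the hardened store gives every request its own token and refuses it for any other user.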


Thank you for Reading!

Happy Ethical Hacking ~

Author: Karthikeyan Nagaraj ~ Cyberw1ng
