Lab: Password reset broken logic


Log in as wiener with password peter
wiener:peter


Then log out as wiener
Click "Forgot password"



When we visit the email client,
we can see the password reset

password:password

Try to log in as wiener with password

Success

Now we can look at the forgot password / change password request


The token is not actually tied to the user account.
So if we just change it to any other value,
we can set a new password for that user

Try to log in as wiener
wiener:newpassword123

Success again

Therefore we can do the same with another account name or username
to change that user's password
CHANGE THE PASSWORD OF CARLOS
whose password we did not know in the first place

Try to log in as carlos
carlos:newpassword123

It's a success: we can log in as a different user
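
Why this works, and what the fix looks like, as an added example (not the lab's own code). ResetService, reset_broken, reset_fixed and TOKEN_TTL are hypothetical names; the broken handler models the flaw described above, the fixed one derives the account from the token on the server side.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds; constructed value for this example


class ResetService:
    """Hypothetical in-memory model of a password reset back end."""

    def __init__(self):
        self.passwords = {}  # username -> password (plaintext only to keep the example short)
        self.tokens = {}     # sha256(token) -> (username, expiry)

    def issue_token(self, username, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[digest] = (username, now + TOKEN_TTL)
        return token  # in a real system this is emailed to the account owner

    def reset_broken(self, token, username, new_password):
        # Flaw from the notes: the token is never checked against the
        # username, so the username field in the request decides whose
        # password is changed.
        if username not in self.passwords:
            return False
        self.passwords[username] = new_password
        return True

    def reset_fixed(self, token, new_password, now=None):
        # No username is accepted from the client. The account comes from
        # the stored token record; the token is single-use and expires.
        now = time.time() if now is None else now
        digest = hashlib.sha256((token or "").encode()).hexdigest()
        entry = self.tokens.pop(digest, None)  # pop makes the token single-use
        if entry is None:
            return None
        username, expiry = entry
        if now > expiry:
            return None
        self.passwords[username] = new_password
        return username
```

With reset_fixed, a request that carries wiener's token can only ever change wiener's password, and an unknown, reused or expired token changes nothing.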
