First, make sure python3 and pip are installed on your host machine. After installation, go to the folder of the lab you want to practise (e.g. /skf-labs/XSS/ or /skf-labs/jwt-secret/) and run the following commands:
Now that the app is running, let's go hacking!
Reconnaissance
Step 1
The first step is to understand how the password reset functionality works. We identify that there is a /forget endpoint that serves the password reset page.
Step 2
Submit a username to the password reset form to generate a reset token.
Step 3
Observe that the reset token is generated using the current timestamp and the username. The token generation logic is as follows:
Step 4
Because the token depends only on values an attacker can know (the current time and the username), we can generate it ourselves: take the current time and the target username, then apply the same logic to produce a token.
Step 5
Use the generated token to reset the password by navigating to the following URL:
Exploitation
Now that we understand the vulnerability, we can use it to reset any user's password by generating a valid token and navigating to the reset link.
Step 1
Create a script to automate token generation and password reset.
Step 2
Use the generated link to reset the password, and voilà, we made it!
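As an added example that is not part of the lab's code: the weak generator below reproduces the pattern observed in Step 3 of the reconnaissance (a token derived only from the username and a timestamp; the exact hash construction is an assumption, not the lab's source), and `ResetTokenStore` shows the fix a defender would ship: a random token from the OS CSPRNG, stored only as a hash, short-lived, single-use and compared in constant time. The in-memory dict stands in for a database table.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Illustrative weak pattern (assumed, not the lab's actual code): every input is
# public or guessable, so anyone who knows the username and the approximate
# request time can recompute the token offline.
def weak_reset_token(username: str, timestamp: int) -> str:
    return hashlib.sha256(f"{username}{timestamp}".encode()).hexdigest()


TOKEN_TTL_SECONDS = 15 * 60  # reset links should die quickly


class ResetTokenStore:
    """Hardened design: unpredictable token, only its hash at rest, expiry, single use."""

    def __init__(self) -> None:
        # username -> (sha256 hex of token, expiry as epoch seconds)
        self._tokens: Dict[str, Tuple[str, float]] = {}

    def issue(self, username: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not derivable from inputs
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._tokens[username] = (digest, now + TOKEN_TTL_SECONDS)  # a DB leak exposes only hashes
        return token  # delivered out of band (e.g. email), never echoed in the response

    def redeem(self, username: str, token: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        entry = self._tokens.get(username)
        if entry is None:
            return False
        digest, expires_at = entry
        if now > expires_at:
            self._tokens.pop(username, None)  # expired tokens are discarded, not kept around
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(digest, presented):  # constant-time, no timing side channel
            return False
        del self._tokens[username]  # single use: a replayed link must fail
        return True
```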
Additional sources
Please refer to the OWASP Testing Guide for a complete description of password reset vulnerabilities and edge cases across different platforms!