Webgoat - Password reset

Webgoat – Password reset

In this walk through, we will be going through the Password reset vulnerability section from Webgoat Labs. We will be exploring and exploiting Insecure Password reset functionalities and learn how application are affected because of it. So, let’s get started with the Hacking without any delay.

Password reset

1. Email functionality with WebWolf

  • In this challenge, we have to abuse the email functionality in WebWolf. The below screenshot shows a login page which demands an email and password combination.

1. Email functionality with WebWolf

  • As we have access to the mailbox and the application is directing all mails to this. We have a easy win here.

Attacker mailbox

  • Added victim username in the forget password field.

Forget password

email sent

  • Got the password in the mail box.

got password

kratos:sotark

challenge completed

2. Security questions

  • In this challenge, we will bypass the login by exploiting weak security questions. The below page shows two security questions to get access to the user account. The username and the his favorite color. We already know the target username and the color can be easily guessable.

2. Security questions

  • I tried username as admin and color as green and got in successfully.

Challenge completed

3. The Problem with Security Questions

  • In this task, we will get to know the issues with the security questions. As most of the security questions are develop to help user to get his account back easily, unfortunately they are either easily guessable or can be cracked by an attacker by doing some OSINT on the target. Hence, the user of security questions in password reset mechanism should be prohibited in this age.

3. The Problem with Security Questions

favorite animal

first kissed

  • In this challenge we have to reset the password of user Tom by abusing the password reset functionality which sends an email to the user in his inbox with a link to change the password.

4. Creating the password reset link

Forget password

  • I first send the link to my username to check how the password reset has been implemented.

email sent

  • As per the email received, we have been given a password reset link. Clicking on link takes me to a page where i can enter any new password for my account.

Password link sent

password reset URL

Reset Password

Password changed

  • I intercepted the request via Burpsuite and changed the Host header field to that of our WebWolf attacker server and sent the request further. As we can see the email was successfully sent to the user’s inbox.

Burpsuite intercept

POST request

Burpsuite Response

  • As we have changed the host header field we are now able to capture the request in our WebWolf server and can see the password reset link with token in the uri field.

Captured request

  • Changed the link to that of our Webgoat server and changed the user’s password.

http://localhost/WebGoat/PasswordReset/reset/reset-password/cbc3bb24-cd95-4285-9939-5aa930f7358d

Password changed

  • Login as user Tom with new password and complete the challenge.

Challenge completed

Also Read: Webgoat – Logging Security

Conclusion:

Conclusion

So, we finally completed the Webgoat Password reset Vulnerability section. Next, we can mitigate these types of attacks by making sure that the password reset token is being securely sent to the concerned user. On that note, i will take your leave and will meet you in next one with another Webgoat vulnerability writeup, till then “Keep Hacking”.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top