In this walkthrough, we will be going through the Password Reset vulnerability section from the WebGoat labs. We will be exploring and exploiting insecure password reset functionality and learn how applications are affected by it. So, let’s get started with the hacking without any delay.
1. Email functionality with WebWolf
- In this challenge, we have to abuse the email functionality in WebWolf. The screenshot below shows a login page which demands an email and password combination.
- As we have access to the mailbox and the application is directing all mails to it, we have an easy win here.
- Added the victim's username in the "forgot password" field.
- Got the password in the mailbox.
kratos:sotark
2. Security questions
- In this challenge, we will bypass the login by exploiting weak security questions. The page below shows two security questions used to get access to the user account: the username and the user's favorite color. We already know the target username, and the color is easily guessable.
- I tried the username admin and the color green and got in successfully.
3. The Problem with Security Questions
- In this task, we will get to know the issues with security questions. Most security questions are designed to help a user get his account back easily; unfortunately, the answers are either easily guessable or can be found by an attacker by doing some OSINT on the target. Hence, the use of security questions in a password reset mechanism should be prohibited in this age.
4. Creating the password reset link
- In this challenge we have to reset the password of the user Tom by abusing the password reset functionality, which sends an email to the user's inbox with a link to change the password.
- I first sent the link to my own username to check how the password reset has been implemented.
- As per the email received, we have been given a password reset link. Clicking on the link takes me to a page where I can enter any new password for my account.
- I intercepted the request via Burp Suite, changed the Host header field to that of our WebWolf attacker server and sent the request further. As we can see, the email was successfully sent to the user’s inbox.
- As we have changed the Host header field, we are now able to capture the request on our WebWolf server and can see the password reset link with the token in the URI field.
- Changed the link to that of our WebGoat server and changed the user’s password.
http://localhost/WebGoat/PasswordReset/reset/reset-password/cbc3bb24-cd95-4285-9939-5aa930f7358d
- Logged in as user Tom with the new password and completed the challenge.
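The root cause of the last challenge is that the application builds the reset link from the request's Host header, so whoever controls that header controls where the victim's link points. The following is an added example written for this walkthrough, not WebGoat's own code: it contrasts the header-derived link builder with one that uses a configured canonical origin, and adds the other properties a reset token should have (cryptographically random, hashed at rest, single-use, expiring). The request is modelled as a plain dict, the reset path is the one seen in the captured link above, and the names `build_reset_link_vulnerable`, `build_reset_link_hardened` and `PasswordResetService` are hypothetical.

```python
"""Added example (not WebGoat's code): Host-header-derived reset links vs. a
hardened reset flow. The request is modelled as a dict with a 'headers' key."""
import hashlib
import secrets
import time

# Reset path as observed in the captured WebGoat link.
RESET_PATH = "/WebGoat/PasswordReset/reset/reset-password/"


def build_reset_link_vulnerable(request, token):
    # Trusts the Host header, which the client (or an attacker) controls.
    # A poisoned request makes the victim's email carry a link to a server
    # the attacker runs, which then receives the token.
    host = request["headers"]["Host"]
    return f"http://{host}{RESET_PATH}{token}"


def build_reset_link_hardened(base_url, token):
    # Uses the server's configured canonical origin; nothing from the request
    # influences the link, so Host header tampering changes nothing.
    return f"{base_url.rstrip('/')}{RESET_PATH}{token}"


class PasswordResetService:
    """Issues random, expiring, single-use reset tokens and stores only their hash.

    `now` is injectable so expiry can be exercised deterministically.
    """

    def __init__(self, base_url, ttl_seconds=900, now=time.time):
        self.base_url = base_url
        self.ttl = ttl_seconds
        self.now = now
        self._tokens = {}  # sha256(token) -> (username, expiry timestamp)

    @staticmethod
    def _digest(token):
        # Store a hash so a leaked token table cannot be replayed directly.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username):
        token = secrets.token_urlsafe(32)  # 256 bits from a CSPRNG, not a guessable id
        self._tokens[self._digest(token)] = (username, self.now() + self.ttl)
        return build_reset_link_hardened(self.base_url, token)

    def redeem(self, token):
        """Return the username if the token is valid and unexpired, else None.

        The entry is removed on the first attempt, so a token works at most once
        even if the first attempt fails on expiry.
        """
        entry = self._tokens.pop(self._digest(token), None)
        if entry is None:
            return None
        username, expiry = entry
        if self.now() > expiry:
            return None
        return username


def token_from_link(link):
    # Helper for the demo: the token is the final path segment of the link.
    return link.rsplit("/", 1)[1]


def demo():
    # Constructed request whose Host header points at an attacker-run host.
    poisoned = {"headers": {"Host": "attacker.webwolf.example"}}
    sample_token = "cbc3bb24-cd95-4285-9939-5aa930f7358d"  # token from the walkthrough
    print("vulnerable:", build_reset_link_vulnerable(poisoned, sample_token))
    print("hardened:  ", build_reset_link_hardened("http://localhost", sample_token))

    svc = PasswordResetService("http://localhost", ttl_seconds=900)
    link = svc.issue("tom")
    tok = token_from_link(link)
    print("first redeem:", svc.redeem(tok))   # tom
    print("second redeem:", svc.redeem(tok))  # None: single use


if __name__ == "__main__":
    demo()
```

Whether the hardened builder is enough depends on where `base_url` comes from: it must be server-side configuration, not a value reconstructed from `X-Forwarded-Host` or similar headers, or the same problem returns one layer up.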
Conclusion:
So, we have finally completed the WebGoat Password Reset vulnerability section. We can mitigate these types of attacks by making sure that the password reset token is sent securely to the concerned user only. On that note, I will take your leave and will meet you in the next one with another WebGoat vulnerability writeup; till then, “Keep Hacking”.