WebGoat Password Reset 6

PVXs
3 min readSep 28, 2020

WebGoat Password Reset lesson 6

In this lesson WebGoat asks us to change Tom’s password and then use the new password to log in as him.

Password reset requested

Let’s go to the “Forgot password” form and request a reset for our own password.

WebWolf email client

In the WebWolf mail client we get a new mail with a link to reset our password:

http://192.168.56.104:8080/WebGoat/PasswordReset/reset/reset-password/bea7c52a-3b5b-4ae3-89fe-d7d383d8fe37

By reading the following WebGoat hint:

The link points to localhost:8080/PasswordReset/…. can you change the host to localhost:9090?

I understand it is possible to change the link in the mail.

Create password reset link HTTP request

The request created by the “Forgot password” form contains a few pieces of information that can be tampered with; after some trial and error I understand that:

  • The email must be Tom’s
  • The Referer header has a host:port part, but it has no influence: it can be modified or removed and the email with the correct link is received in the WebWolf mail client anyway
  • The Host header can be changed to something else and the link in the email changes accordingly

test.com:8080 in Host Header

This is a request for a password reset of my own account with the Host header changed to something else.

The resulting mail sent to the WebWolf mail client still contains the link, but this time it points to

http://test.com:8080/WebGoat/PasswordReset/reset/reset-password/2b91187a-7122-4b10-8dd6-b4bbc88a7c20

This means the Host header of the reset request is used to build the link inside the mail. Now it is possible to use the WebWolf Incoming Requests functionality, a basic HTTP server that receives and displays incoming requests.

The lesson tells us that Tom clicks on any reset link inside the mail as soon as he receives it. So if the link points to the WebWolf host (or any attacker-controlled machine) AND it contains a working reset token for Tom’s account, then when Tom clicks on the link WebWolf will receive an incoming request pointing to the wrong host (WebWolf) but containing the correct path, token included, for Tom’s password reset.
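The mechanism described above, as an added example that is not part of the original post or of WebGoat’s own (Java) code: a link builder that trusts the Host header the way the lesson’s application does, a hardened builder that takes the host from a configured canonical base URL and refuses requests whose Host is outside an allowlist, and a small check over constructed access-log lines that flags reset requests arriving with an unexpected Host. The base URL, the allowlist, the log format and the function names are assumptions made for this example.

```python
"""Password reset link generation: Host-header-trusting vs. hardened.

Added example (not WebGoat's code). Only the reset path below is taken
from the lesson; every other value is a constructed assumption.
"""
import re
import secrets

# Path used by the lesson's reset links (seen in the emails above).
RESET_PATH = "/WebGoat/PasswordReset/reset/reset-password/"

# Assumed deployment settings: where reset links must really point, and
# which Host values the application is willing to serve at all.
CANONICAL_BASE_URL = "http://192.168.56.104:8080"
ALLOWED_HOSTS = {"192.168.56.104:8080", "localhost:8080"}


class UntrustedHostError(ValueError):
    """Raised when a request carries a Host header we do not serve."""


def new_reset_token() -> str:
    """Unguessable token; the link is only as secret as this value."""
    return secrets.token_urlsafe(32)


def build_reset_link_vulnerable(headers: dict, token: str) -> str:
    """Behaviour observed in the lesson: the link's host is copied from the
    request's Host header, so whoever controls that header decides where
    the victim's token is sent when the link is clicked."""
    host = headers.get("Host", "")
    return f"http://{host}{RESET_PATH}{token}"


def is_trusted_host(host: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Exact-match allowlist check (case-insensitive, port included)."""
    return host.lower() in {h.lower() for h in allowed_hosts}


def build_reset_link_hardened(headers: dict, token: str,
                              base_url: str = CANONICAL_BASE_URL,
                              allowed_hosts=ALLOWED_HOSTS) -> str:
    """Hardened builder: the host never comes from the request. The Host
    header is only validated against the allowlist; the link itself is
    built from the configured canonical base URL."""
    host = headers.get("Host", "")
    if not is_trusted_host(host, allowed_hosts):
        raise UntrustedHostError(f"refusing reset request for Host={host!r}")
    return f"{base_url}{RESET_PATH}{token}"


# Detection side: constructed access-log lines in an assumed key=value
# format. Two of them carry a Host that the application does not serve.
SAMPLE_ACCESS_LOG = [
    '2020-09-28T10:00:01Z host="localhost:8080" path="/WebGoat/PasswordReset/forgot" method=POST',
    '2020-09-28T10:02:13Z host="test.com:8080" path="/WebGoat/PasswordReset/forgot" method=POST',
    '2020-09-28T10:03:40Z host="192.168.56.104:9090" path="/WebGoat/PasswordReset/forgot" method=POST',
    '2020-09-28T10:04:00Z host="localhost:8080" path="/WebGoat/login" method=GET',
]

LOG_LINE = re.compile(r'^(?P<ts>\S+) host="(?P<host>[^"]*)" path="(?P<path>[^"]*)"')


def suspicious_reset_requests(lines, allowed_hosts=ALLOWED_HOSTS):
    """Return (timestamp, host) for every password-reset request whose Host
    header is not on the allowlist; these are the requests that, on the
    vulnerable builder, would have produced a link pointing elsewhere."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        if m["path"].startswith("/WebGoat/PasswordReset/") and not is_trusted_host(m["host"], allowed_hosts):
            hits.append((m["ts"], m["host"]))
    return hits


if __name__ == "__main__":
    token = new_reset_token()
    tampered = {"Host": "test.com:8080"}
    print("vulnerable:", build_reset_link_vulnerable(tampered, token))
    try:
        build_reset_link_hardened(tampered, token)
    except UntrustedHostError as exc:
        print("hardened  :", exc)
    print("hardened  :", build_reset_link_hardened({"Host": "localhost:8080"}, token))
    for ts, host in suspicious_reset_requests(SAMPLE_ACCESS_LOG):
        print(f"suspicious reset request at {ts} with Host={host}")
```

The allowlist check alone is not what fixes the bug; the fix is that the hardened builder never reads the host from the request. The allowlist is the secondary control that turns a tampered Host into a logged error instead of a silently wrong link, which is also what the detection function keys on.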

WebWolf socket in Host Header

Let’s change the Host header to the WebWolf socket address.

WebWolf Incoming HTTP request functionality

And in WebWolf Incoming Requests we get the link that Tom clicked:

http://192.168.56.104:8080/PasswordReset/reset/reset-password/69edf775-acb0-4191-98b9-28120aa36a47

Change the socket in the link from the WebWolf socket to the WebGoat socket and add the /WebGoat path prefix, as in the original link from my own legitimate password reset email.

Tom password reset form

Change the password to something you like.

Login as Tom

Sign in as Tom and complete the lesson.

This concludes WebGoat Password Reset 6.

I hope you liked it.

PVXs — https://twitter.com/pivixih
