0xhashimRESETriddle: Vulnerable Web Application
Hey, hackers! This is mrhashimamin, and today I'm back with a new vulnerable web application that includes some nice ideas. So, let's talk about 0xhashimRESETriddle.
It consists of 4 labs. Each lab has a broken password reset function that leads to account takeover (ATO).
Installation
1- Clone the repository into your localhost web root:
git clone https://github.com/mrhashimamin/0xhashimRESETriddle.git
2- Initialize the MySQL database using the setup.py script:
python setup.py
3- Clone the PHPMailer repository and move its contents into the phpmailer directory:
mkdir path-to-your-localhost/0xhashimRESETriddle/phpmailer
cd path-to-your-localhost/0xhashimRESETriddle/phpmailer
git clone https://github.com/PHPMailer/PHPMailer.git
cd PHPMailer/
mv * path-to-your-localhost/0xhashimRESETriddle/phpmailer/
cd ../
# mv * leaves the hidden .git directory behind, so rmdir would refuse with "Directory not empty"; remove the leftover clone instead
rm -rf PHPMailer/
4- If you have modified the MySQL database username/password, update them in the connection script:
nano path-to-your-localhost/0xhashimRESETriddle/backend/connect.php
// Modify the MySQL username/password to match yours
0xhashimGateway
The first lab is vulnerable to a common password reset vulnerability known as a Host Header Attack: the hostname in the reset link is taken from the request's Host header instead of a fixed, server-side value.
First, we need to create a new victim account. After that, we can test the reset function.
The application sends a reset link containing the site name, lab name, and the reset token. We can attempt to poison this reset link via the Host header using our Burp Collaborator domain. We observed that the modified link is reflected in the victim's email. By acting as the unsuspecting victim and clicking the link received in the email, we obtain our token in the Referer header found in the Collaborator interaction history.
Now we can visit the link and replace the Collaborator domain with localhost, allowing us to successfully change the password.
0xcipheredCrossings
This lab focuses on Insecure Direct Object References (IDOR). To solve it, we need two different accounts: a victim and an attacker.
The application sends a link containing a GET parameter called uid, which is definitely a user ID.
You can observe that the uid parameter has the same structure for different users. It's rndS@l<some_text>t. This <some_text> is base64 encoded; when we try to decode it, it gives us a number.
Now we can easily pick a number, encode it to Base64, and attempt to change the password for another user by modifying the value of the uid parameter. And boom, we did it!
0xlockdownLabyrinth
This lab is based on a report I've read on HackerOne. I've simulated the API misconfiguration by making the PHP code send the same reset token to both the victim and the attacker.
First, let's send the reset message and take a look at the POST request.
If we try to send a reset token to the attacker (NOT REGISTERED), it gives us a 400 Bad Request status code. But what if we send this request for both users, victim and attacker?
Yeah, that's right. Now we can go to the attacker's mail and change the victim's password.
0xcrypticCitadel
The last lab was a little bit different. After sending the reset email, it seems there's a One-Time Password (OTP) instead of a reset token, or even a much stronger OTP xD
Yeah, the first thing that comes to mind is brute-forcing it. You're somewhat right; let's attempt brute-forcing with Burp Intruder.
It seems that the app blocks your IP address after some incorrect attempts. But how does the app identify your IP?
After some tries you will find out that it honours the X-Forwarded-For HTTP header. When you give it a new IP via this header, it doesn't care about your previous WRONG attempts.
So, let's try again with Burp Intruder.
After some attempts we'll get a status code of 200 OK.
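As an added illustration (not code from the lab), here is the lockout logic in Python: the weak keying the lab simulates, which lets any X-Forwarded-For value reset the counter, beside a hardened version that only honours the header when the TCP peer is a trusted reverse proxy. The proxy range, the attempt limit and the sample attempts are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: the app sits behind a reverse proxy in this range; only a peer
# from here may tell us who the real client is.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
MAX_FAILURES = 5  # assumed lockout threshold

def weak_key(remote_addr, xff):
    """The lab's behaviour: trust X-Forwarded-For from anyone, so the
    client chooses its own rate-limit key and is 'a new IP' every request."""
    return xff.strip() if xff else remote_addr

def hardened_key(remote_addr, xff):
    """Key on the TCP peer unless it is a trusted proxy; then take the
    right-most X-Forwarded-For hop (the one that proxy appended).
    Everything further left was supplied by the client and is ignored."""
    peer = ipaddress.ip_address(remote_addr)
    if not xff or not any(peer in net for net in TRUSTED_PROXIES):
        return str(peer)
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    try:
        return str(ipaddress.ip_address(hops[-1]))
    except (ValueError, IndexError):
        return str(peer)  # malformed header: fall back to the peer

class OtpLockout:
    """Counts wrong OTP submissions per key; blocks once the limit is hit."""
    def __init__(self, key_func):
        self.key_func = key_func
        self.failures = defaultdict(int)

    def attempt(self, remote_addr, xff, otp_correct):
        key = self.key_func(remote_addr, xff)
        if self.failures[key] >= MAX_FAILURES:
            return "blocked"
        if otp_correct:
            self.failures.pop(key, None)
            return "ok"
        self.failures[key] += 1
        return "wrong"

# Constructed sample: eight wrong guesses from one real client (203.0.113.7,
# not a proxy), each carrying a different made-up X-Forwarded-For value.
ATTEMPTS = [("203.0.113.7", f"192.0.2.{n}", False) for n in range(1, 9)]

def simulate(key_func, attempts=ATTEMPTS):
    lock = OtpLockout(key_func)
    return [lock.attempt(ra, xff, ok) for ra, xff, ok in attempts]
```

With the weak key every guess is counted under a fresh address and nothing is ever blocked; with the hardened key the same client is blocked after the fifth wrong guess regardless of what it puts in the header.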
Conclusion
A big thank you to all of you! Your curiosity makes our cybersecurity journey exciting and meaningful. Keep exploring and learning!