0xhashimRESETriddle: Vulnerable Web Application

Hashim Amin
5 min read · Jun 17, 2024


Hey, hackers! This is mrhashimamin, and today I'm back with a new vulnerable web application that includes some nice ideas. So, let's talk about 0xhashimRESETriddle.

It consists of 4 labs. Each lab has a broken password reset function that leads to account takeover (ATO).

Installation

1- Clone the repository at your localhost

git clone https://github.com/mrhashimamin/0xhashimRESETriddle.git

2- Initialize the MySQL database using the setup.py script

python setup.py

3- Clone the phpmailer repository inside the phpmailer directory

mkdir path-to-your-localhost/0xhashimRESETriddle/phpmailer
cd path-to-your-localhost/0xhashimRESETriddle/phpmailer
git clone https://github.com/PHPMailer/PHPMailer.git
cd PHPMailer/
mv * path-to-your-localhost/0xhashimRESETriddle/phpmailer/
cd ../
rmdir PHPMailer/

4- If you have changed the MySQL database username/password, edit the connection settings

nano path-to-your-localhost/0xhashimRESETriddle/backend/connect.php
// Modify the MySQL username/password to match yours

0xhashimGateway


The first lab is vulnerable to a common password reset vulnerability known as a Host Header Attack.

First, we need to create a new victim account. After that, we can test the reset function.

The application sends a reset link containing the site name, lab name, and the reset token. We can attempt to poison this reset link using our Burp Collaborator via the Host header. We observed that the modified link is reflected in the victim’s email. By acting as the unsuspecting victim and clicking the link received in the email, we obtain our token in the Referer header found in the Collaborator interaction history.

Now we can visit the link and replace the Collaborator link with localhost, allowing us to successfully change the password.

SOLVED

0xcipheredCrossings


This lab focuses on Insecure Direct Object References (IDOR). To solve it, we need two different accounts: a victim and an attacker.

The application sends a link containing a GET parameter called uid, which is definitely a user ID.

You can observe that the uid parameter has the same structure for different users.


It's rndS@l<some_text>t. This <some_text> is base64 encoded; when we decode it, it gives us a number.

Now we can easily pick a number, encode it to Base64, and attempt to change the password for another user by modifying the value of the uid parameter. And boom, we did it!

We logged in with another user account

0xlockdownLabyrinth


This lab is based on a report I’ve read on HackerOne. I’ve simulated the API misconfiguration by making the PHP code send the same reset token to both the victim and the attacker.

Now, let's send the reset request and take a look at the POST request.

If we try to send a reset token to the attacker (who is NOT REGISTERED), we get a 400 Bad Request status code. But what if we send this request for both users, victim and attacker?

Yeah, that's right. Now we can go to the attacker's mailbox and change the victim's password.

0xcrypticCitadel


The last lab is a little different. After sending the reset email, it seems there's a One-Time Password (OTP) instead of a reset token, or even a much stronger OTP xD

Yeah, the first thing that comes to mind is brute-forcing it. You’re somewhat right; let’s attempt brute-forcing with BURP INTRUDER.

It seems that the app blocks your IP address after some incorrect attempts. But how does the app identify your IP?

After some tries you will find out that it honours the X-Forwarded-For HTTP header. When you give it a new IP via this header, it doesn't care about your previous wrong attempts.

So, let’s try again with BURP INTRUDER.

After some attempts we'll get a status code of 200 OK.
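The flaw in this lab reduced to a small OTP rate limiter, as an added example in Python (not the lab's PHP code): in lab mode the counter is keyed by whatever X-Forwarded-For says, so rotating the header resets it; the hardened mode only trusts that header from an assumed proxy address and also counts failures per account. All addresses, emails and the OTP value are constructed sample data.

```python
import hmac
from collections import defaultdict
from dataclasses import dataclass, field

MAX_FAILURES = 5
TRUSTED_PROXIES = {"10.0.0.5"}  # assumed: the only hop allowed to set X-Forwarded-For


@dataclass
class Request:
    peer_ip: str        # address the TCP connection actually came from
    headers: dict
    email: str
    otp: str


@dataclass
class OtpLimiter:
    lab_mode: bool      # True reproduces the lab's flaw: any client may name its own "IP"
    failures: dict = field(default_factory=lambda: defaultdict(int))

    def client_key(self, req: Request) -> str:
        xff = req.headers.get("X-Forwarded-For")
        if xff and (self.lab_mode or req.peer_ip in TRUSTED_PROXIES):
            return xff.split(",")[0].strip()   # first hop in the chain is the client
        return req.peer_ip

    def verify(self, req: Request, real_otp: str) -> str:
        keys = ["ip:" + self.client_key(req)]
        if not self.lab_mode:
            keys.append("acct:" + req.email.lower())  # hardened: also limit per account
        if any(self.failures[k] >= MAX_FAILURES for k in keys):
            return "locked"
        if hmac.compare_digest(req.otp, real_otp):    # constant-time comparison
            return "ok"
        for k in keys:
            self.failures[k] += 1
        return "wrong"


def run_guesses(limiter: OtpLimiter, n: int, spoof_xff: bool) -> int:
    """Send n wrong OTPs from one peer, optionally rotating X-Forwarded-For per request.
    Returns how many guesses the server actually evaluated before locking out."""
    checked = 0
    for i in range(n):
        headers = {"X-Forwarded-For": f"203.0.113.{i}"} if spoof_xff else {}
        req = Request("198.51.100.7", headers, "victim@example.test", f"{i:04d}")
        if limiter.verify(req, "9999") != "locked":
            checked += 1
    return checked
```

With lab_mode=True, 20 spoofed guesses are all evaluated; with lab_mode=False the same traffic stops being checked after MAX_FAILURES, which is the behaviour a defender should confirm in a test like this one.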

Conclusion

A big thank you to all of you! Your curiosity makes our cybersecurity journey exciting and meaningful. Keep exploring and learning!


Hashim Amin

Cybersecurity student passionate about bug hunting and penetration testing 🛡️🔍