
We were able to reset a password by providing the username or email and receiving the reset link via email.
We added an X-Forwarded-Host header with the exploit server URL and sent the password reset request again:

We observed in our email that the password reset link URL had been replaced with the exploit server link we supplied:

This happened because we were able to poison the middleware in front of the application: it trusted the attacker-controlled X-Forwarded-Host value as the site's own host when generating the password reset URL, so links (and any internal requests that follow them) were rewritten to point at the host we supplied.
We sent the request with the username set to carlos and checked the web server access logs. We observed the reset token link being requested from an internal IP as a GET request:

We visited the token link using the normal browser and were able to change Carlos’s password:

We reset the password, logged in as Carlos, and solved the lab:
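The mechanism behind the lab, as an added example that is not the lab's or PortSwigger's code: the vulnerable reset-link builder that lets X-Forwarded-Host override the host, next to a hardened version that takes the host from configuration, plus a pre-send check that would have caught the poisoned link. Host names, the reset path and the token parameter name are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed values, not taken from the lab.
CANONICAL_HOST = "shop.example"              # the application's real host
ALLOWED_FORWARDED_HOSTS = {CANONICAL_HOST}    # hosts a trusted proxy may set
RESET_PATH = "/reset-password"                # assumed path and parameter name


def build_reset_url_vulnerable(headers: dict, token: str) -> str:
    """Before: the middleware lets X-Forwarded-Host override Host, so whoever
    sends the reset request chooses the host the victim's link points to."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    return f"https://{host}{RESET_PATH}?token={token}"


def effective_host(headers: dict) -> str:
    """Hardened middleware: honour X-Forwarded-Host only if the first value is
    on the allow-list; otherwise use the configured canonical host (never Host)."""
    forwarded = headers.get("X-Forwarded-Host", "").split(",")[0].strip().lower()
    if forwarded in ALLOWED_FORWARDED_HOSTS:
        return forwarded
    return CANONICAL_HOST


def build_reset_url_hardened(headers: dict, token: str) -> str:
    """After: the link host comes from configuration, not from request headers."""
    return f"https://{effective_host(headers)}{RESET_PATH}?token={token}"


def is_poisoned(url: str) -> bool:
    """Defender check for the mail-templating step or a unit test: flag any
    reset link whose host is not the canonical one before it is sent."""
    return (urlsplit(url).hostname or "").lower() != CANONICAL_HOST


if __name__ == "__main__":
    # Constructed request headers mirroring the lab's poisoned reset request.
    attacker_headers = {"Host": CANONICAL_HOST,
                        "X-Forwarded-Host": "exploit.attacker.example"}
    vulnerable = build_reset_url_vulnerable(attacker_headers, "abc123")
    hardened = build_reset_url_hardened(attacker_headers, "abc123")
    print("vulnerable:", vulnerable, "poisoned:", is_poisoned(vulnerable))
    print("hardened:  ", hardened, "poisoned:", is_poisoned(hardened))
```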
