Password reset broken logic

https://portswigger.net/web-security/authentication/other-mechanisms/lab-password-reset-broken-logic

Let's click on My account.

Click on Forgot password?. Then enter the wiener username.

Next, we have to click on Email client in order to check our emails.

Let's click on the link provided to us to reset our password.

We can enter any password. Since we are proxying the traffic through Burp Suite, we can view this request in the Proxy > HTTP History tab.

We can forward this request to the Repeater so that we can modify it.

Once in the Repeater tab, let's remove the temp-forgot-password-token parameter from the URI as well as the POST data field and send the request to the server.

We can see that our password has been changed even though we did not include the token. This means that the server issues the token but never validates it when the reset form is submitted.

Let's set the username field to the following and resend the request:

carlos

Now we can log in using the following credentials:

Username: carlos
Password: password

We have solved the lab.
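As an added illustration (not code from the lab or this write-up), the following Python models the broken reset handler next to a hardened one: the in-memory user and token stores, the token lifetime and the helper names are assumptions, while the form field names come from the lab.

```python
import hashlib
import secrets
import time

# Constructed in-memory stores standing in for the lab's backend (assumption).
USERS = {"wiener": "peter", "carlos": "montoya"}
RESET_TOKENS = {}  # sha256(token) -> {"user": ..., "expires": ...}


def issue_reset_token(username, ttl=900):
    """Create a random single-use token bound to one user; store only its hash."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[digest] = {"user": username, "expires": time.time() + ttl}
    return token


def reset_password_broken(form):
    """Mirrors the lab's flaw: the temp-forgot-password-token is placed in the
    form but never checked, so the request can name any username."""
    USERS[form["username"]] = form["new-password"]
    return True


def reset_password_fixed(form):
    """Hardened handler: the token must be present, must match a stored hash,
    must be bound to the username in the request, unexpired, and single-use."""
    token = form.get("temp-forgot-password-token")
    if not token:
        return False
    digest = hashlib.sha256(token.encode()).hexdigest()
    record = RESET_TOKENS.get(digest)
    if record is None:
        return False
    if record["user"] != form.get("username"):
        return False  # token was issued for a different account
    if time.time() > record["expires"]:
        RESET_TOKENS.pop(digest, None)
        return False
    RESET_TOKENS.pop(digest)  # consume the token so it cannot be replayed
    USERS[form["username"]] = form["new-password"]
    return True
```

The decisive check is the binding between the token and the username in the request; without it, the username field alone selects whose password is overwritten.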
