Add weak password reset functionalities solution

2 files changed, 8 insertions, 0 deletions

diff --git a/Weak password reset functionalities/Resources/notes.md b/Weak password reset functionalities/Resources/notes.md
new file mode 100644
index 0000000..bac2ecd
--- /dev/null
+++ b/Weak password reset functionalities/Resources/notes.md
@@ -0,0 +1,7 @@
+## Exploit
+
+The `"mail"` field of the **Recover Password** page can be inspected and edited and anyone. Open `http://10.0.2.15/?page=recover` with Firefox and change the value of the `<input name="mail" …>` element before submitting the request. Alternatively, one may also use a script like the one provided in `reset.bash`.
+
+## Fix
+
+The problem here is that the server is trusting a client-supplied address instead of looking it up server-side. The client should supply a username/account identifier and the server must match it against its email in the database.
diff --git a/Weak password reset functionalities/Resources/reset.bash b/Weak password reset functionalities/Resources/reset.bash
new file mode 100755
index 0000000..e60803e
--- /dev/null
+++ b/Weak password reset functionalities/Resources/reset.bash
@@ -0,0 +1 @@
+curl --silent --data-urlencode mail=hacker@example.com --data Submit=Submit 'http://10.0.2.15/?page=recover' | grep flag