Broken Authentication -Brute-Forcing Password Reset Tokens

jazz0or1 · August 28, 2024, 9:26pm

Broken Authentication Brute-Forcing Password Reset Tokens

any hint

i try ffuf -w ./tokens.txt -u http://83.136.255.40:41881/reset_password.php?token=FUZZ -fr “The provided token is invalid”

this code not solve and try again to generata another It didn’t help me either.

jaywandery · August 29, 2024, 8:25am

Hello, i believe you are doing everything correctly. Try using the token on via the url rather than the password reset button.
eg: target.com/reset)=?token=value

jazz0or1 · August 29, 2024, 10:12am

i try it and i get the pass reset but i dont know the next step Did you specify a username when resetting the password?

jaywandery · August 29, 2024, 1:21pm

Yes,the user admin exists. so i used admin as the user. Once you have reset the password, you ill have to login with the set password

jazz0or1 · August 29, 2024, 1:23pm

You mean I can log in with what I wrote in the password field in Burp and the username is admin

jaywandery · August 29, 2024, 1:24pm

Yes, exactly

Topic		Replies	Views
Help: Broken Authentication - Vulnerable Password Reset academy , academy-help	1	130	August 27, 2024
Broken Authentication Update help with 2FA Academy	11	619	September 11, 2024
Broken Auth - Need help on Authentication Bypass via Parameter Modification Academy academy	9	817	November 25, 2024
Academy web attacks skill assesment	0	430	September 10, 2022
Web Attacks - Skills Assessment Academy	30	4228	February 1, 2025

Broken Authentication -Brute-Forcing Password Reset Tokens

Related topics