Wednesday, 30 July 2025

Friday Fun Pentest Series - 38 - Lack of Password Change Functionality - seotoasterv2.5.0

Description

- It was noted that the application lacked password change functionality


Lack of Password Change Functionality #1

Steps to Reproduce:
  1. Login with low privilege user and see that there is no password change functionality

// HTTP POST Request

POST /seotoaster/go HTTP/1.1
Host: 192.168.58.149
Content-Length: 108
Cache-Control: max-age=0
Accept-Language: en-GB,en;q=0.9
Origin: http://192.168.58.149
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36
[...]

email=test2%40example.com&password=Passw0rd%21&submit=Let+me+in&secureToken=477a9f50c8616d5ee4cabf2038fc43a3


// HTTP Response

HTTP/1.1 301 Moved Permanently
Date: Sun, 20 Jul 2025 14:44:11 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
[...]



at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Friday Fun Pentest Series - 38 - Lack of Password Change Functionality - seotoasterv2.5.0

Description - It was noted that the application lacked password change functionality Lack of Password Change Functionality #1 Steps to Repro...