Secure Legion Labs

Broken Authentication Lab

Password Reset Poisoning

This room simulates a reset workflow that builds the reset URL from untrusted request metadata. Your goal is to poison the generated reset link so a privileged account’s reset token is sent to an attacker-controlled host.

  • Objective: Poison the reset link. Influence the host used in the password reset URL generation.
  • Difficulty: Medium. Teaches trust boundaries around reset workflows and host/header handling.
  • Flag: Unlock on poisoned admin reset. The flag appears when the privileged reset link is built against attacker infrastructure.
Request Model

What the reset flow accepts

  • Target: Account email
  • Metadata: Host value used in link generation
  • Goal: Make the reset link point to attacker infrastructure
Hint: The real question is not whether a reset token is created. It is whether the application can be tricked into delivering that token somewhere the attacker controls.
Broken Logic

What the application gets wrong

The reset service uses an untrusted host value directly in the email link. For a sensitive account, that turns the reset email into a token delivery mechanism for the attacker.

// Vulnerable by design: the host in the link is copied from untrusted request metadata,
// so whatever host the request carried is what the token is mailed to.
resetLink = "https://" + request.host + "/reset?token=" + token
sendMail(user.email, resetLink)
// missing trusted app domain enforcement
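The same link builder with the trusted-domain enforcement the snippet above lacks, as an added example that is not the lab's own code: the public origin comes from deployment configuration, the host carried by the request is only accepted when it matches a configured allowlist, and a mismatch is refused and logged rather than reflected into the e-mail. APP_ORIGIN, TRUSTED_HOSTS and the request shape are assumptions of this example.

```javascript
// Added example (not the lab's code). APP_ORIGIN is assumed to be the deployment's
// configured public origin; TRUSTED_HOSTS is the only set of hosts the reset flow
// will accept. Both are constructed sample values.
const APP_ORIGIN = "https://app.example.com";
const TRUSTED_HOSTS = new Set(["app.example.com"]);

// Normalise the request's host value (lower-case, port stripped) and check it
// against the allowlist. IPv6 literals are not handled in this sample.
function isHostTrusted(hostValue) {
  const host = String(hostValue || "").toLowerCase().split(":")[0];
  return TRUSTED_HOSTS.has(host);
}

// Hardened builder: the link origin is fixed by configuration and never taken
// from request metadata. The request host is still validated so that a reset
// request arriving with a foreign host is refused (and worth alerting on).
function buildResetLinkHardened(request, token) {
  if (!isHostTrusted(request.host)) {
    throw new Error("reset refused: untrusted host in request metadata");
  }
  const url = new URL("/reset", APP_ORIGIN);
  url.searchParams.set("token", token); // URL-encodes the token
  return url.toString();
}

// Constructed sample requests: one normal, one carrying a foreign host value
// such as the lab's poisoning step would produce.
const normalRequest = { host: "app.example.com" };
const mismatchedRequest = { host: "attacker.example" };
```

Logging the refused request's host gives the SOC a direct signal for reset poisoning attempts against privileged accounts.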
Reset Console

Generate a reset link

Choose an email target and influence the host value used in the generated reset email.

Observed note: The mailer team recently moved reset links behind a proxy and now trusts request metadata to rebuild the public URL.
Generated Reset Mail

Rendered result

The preview below shows the reset email the application would send. The problem appears when a privileged account’s reset link points to an attacker-controlled host.


Flag Unlock

Challenge flag

The flag appears once the privileged reset link is poisoned successfully.


Validate completion

Submit the unlocked flag to complete the password reset poisoning room.


Execution Path

How the reset poisoning works here

1. Request reset

The attacker triggers a normal password reset flow for a target account.

2. Influence host

The application builds the reset URL from untrusted request metadata instead of a fixed trusted domain.

3. Receive token elsewhere

The resulting reset link now points to attacker infrastructure and leaks the token.