
HackThisSite - Basic Level 4 - Insecure Password Recovery via Request Manipulation

This time, Sam had the brilliant idea 💡 to write a script that would email his password to him in case he forgot it.

In this challenge, you’re presented with the following screen:

[screenshot]

When you hit the button “Sent password to Sam”, you can immediately see what’s happening using your DevTools:

[screenshot]

It’s just a simple POST request to the following endpoint:

https://www.hackthissite.org/missions/basic/4/level4.php

With a payload that looks like this:

[screenshot]

From here, it’s game over. You can intercept that POST request using for example Burp Suite:

[screenshot]

And then, simply change the email value to your own:

[screenshot]

Forward the request, and Sam’s password will land straight in your email inbox 📬:

[screenshot]

So there it is, the password is: 3c752fe0

Security Recommendations

Credentials should never be hardcoded or sent via email. Instead, applications must use secure, single‑use password reset links for account recovery.

Sensitive actions like account recovery must require proper authentication and enforce strict server-side validation; in particular, the recipient of a recovery message must come from the account's stored contact details, never from a value the client supplies in the request. Additionally, password-related endpoints should be protected with rate limiting and monitoring to detect abuse, and passwords must always be stored as strong salted hashes so they cannot be disclosed even if the system is compromised.
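The recommendations above, written out as a small recovery flow. This is an added example, not code from the HackThisSite challenge or from the author of this post; the user table, the reset URL and the form field names are hypothetical, and the outbox list stands in for a real mailer. It shows the four points together: the recipient is looked up server-side (any email field in the request is ignored), the link carries a random single-use token that is stored only as a hash and expires, requests are rate limited per account, and the password itself is kept as a salted PBKDF2 hash.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed user store (hypothetical data). The recovery address is looked up
# here, server-side; the request body is never consulted for a recipient.
USERS = {
    "sam": {"email": "sam@example.com"},
}

TOKEN_TTL_SECONDS = 15 * 60      # reset links expire after 15 minutes
MAX_REQUESTS_PER_WINDOW = 3      # per-account rate limit ...
WINDOW_SECONDS = 60 * 60         # ... within one hour
PBKDF2_ITERATIONS = 600_000      # OWASP-recommended floor for PBKDF2-HMAC-SHA256


@dataclass
class RecoveryStore:
    # token_hash -> (username, expires_at). Only a hash of the token is kept,
    # so a leaked table does not yield usable reset links.
    tokens: dict = field(default_factory=dict)
    # username -> list of request timestamps, for rate limiting
    request_log: dict = field(default_factory=dict)
    # constructed stand-in for the mail transport: (recipient, message)
    outbox: list = field(default_factory=list)


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(store: RecoveryStore, form: dict, now: Optional[float] = None) -> str:
    """Handle the 'send me a reset link' POST.

    `form` is the parsed request body. Only form["username"] is used; an
    "email" field added by the client is ignored, which is the fix for the
    flaw above where the recipient came straight from the request.
    """
    now = time.time() if now is None else now
    username = str(form.get("username", ""))

    # Per-account rate limit: drop timestamps outside the window, then count.
    recent = [t for t in store.request_log.get(username, []) if now - t < WINDOW_SECONDS]
    if len(recent) >= MAX_REQUESTS_PER_WINDOW:
        return "rate_limited"
    recent.append(now)
    store.request_log[username] = recent

    user = USERS.get(username)
    if user is None:
        return "ok"  # same response as for a known user: no account enumeration

    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    store.tokens[_token_hash(token)] = (username, now + TOKEN_TTL_SECONDS)
    link = f"https://app.example.invalid/reset?token={token}"  # hypothetical URL
    store.outbox.append((user["email"], link))  # recipient from USERS, not from form
    return "ok"


def consume_reset_token(store: RecoveryStore, token: str, now: Optional[float] = None):
    """Redeem a token exactly once. Returns the username, or None if invalid or expired."""
    now = time.time() if now is None else now
    entry = store.tokens.pop(_token_hash(token), None)  # pop: single use
    if entry is None:
        return None
    username, expires_at = entry
    if now > expires_at:
        return None
    return username


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; stored form is '<salt_hex>$<digest_hex>'."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    store = RecoveryStore()
    # A request carrying a different address is served normally, but the
    # link is still delivered to the address of record.
    print(request_reset(store, {"username": "sam", "email": "someone-else@example.net"}))
    print(store.outbox)
```

The token is consumed with a dictionary pop, so a second redemption of the same link fails even within its lifetime; unknown usernames get the same "ok" response and are still counted against the limit, so the endpoint neither confirms which accounts exist nor lets a client spray requests at it.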

This post is licensed under CC BY 4.0 by the author.