Application Analysis
Gift List is a gift wishlist management application. Users can:
- Create and manage personal gift lists
- View received messages via a /messages inbox (no send functionality exposed to regular users)
- Administrators have a dedicated login portal at /admin-login
Vulnerability Discovery
The /admin-login page is linked as a small text link at the bottom of the login form. The flow works as follows: an administrator requests a code, the code is delivered to their inbox, and they submit it to authenticate. The frontend confirms with "Code sent to administrator inbox."
Looking at the request in Caido, POST /admin-login/send-code sends the code's recipient as a hidden form field:
POST /admin-login/send-code HTTP/1.1
Host: lab-1775713626780-nr30h6.labs-app.bugforge.io
Content-Type: application/x-www-form-urlencoded

username=administrator
The server delivers the admin code to that username's /messages inbox without checking that the value is actually the administrator account; the client-supplied field is trusted as-is. The recipient is therefore fully attacker-controlled.
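The following is an added illustration, not the lab's code: a simplified model of the /admin-login/send-code handler in the shape the writeup describes (the recipient is read from the submitted username field) next to a hardened version that ignores any client-supplied recipient and always delivers to the administrator account. The Inbox class, AdminCodeService, ADMIN_USERNAME, SERVER_SECRET and the code lifetime are all assumptions made for the example; the regression check at the bottom just replays the flow from the writeup against both handlers to show that the fix closes it.

```python
import hmac
import secrets
import time

ADMIN_USERNAME = "administrator"              # assumption: the single admin account
CODE_TTL_SECONDS = 300                        # assumption: a code is valid for 5 minutes
SERVER_SECRET = b"constructed-server-secret"  # assumption: loaded from config in a real app


class Inbox:
    """Constructed stand-in for the /messages store: username -> list of messages."""

    def __init__(self):
        self._messages = {}

    def deliver(self, username, text):
        self._messages.setdefault(username, []).append(text)

    def read(self, username):
        return list(self._messages.get(username, []))


class AdminCodeService:
    def __init__(self, inbox):
        self.inbox = inbox
        self._pending = None  # (hmac_of_code, expiry) for the one outstanding admin code

    def _issue(self, recipient):
        # The code is stored only as an HMAC, like a password hash, so a leak of
        # server state does not directly leak a usable code.
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hmac.new(SERVER_SECRET, code.encode(), "sha256").hexdigest()
        self._pending = (digest, time.time() + CODE_TTL_SECONDS)
        self.inbox.deliver(recipient, f"Your administrator login code is {code}")
        return "Code sent to administrator inbox"

    def send_code_vulnerable(self, form):
        """As in the writeup: the hidden 'username' field picks the recipient."""
        return self._issue(form.get("username", ADMIN_USERNAME))

    def send_code_fixed(self, form):
        """Hardened: the client-supplied field is ignored entirely; the recipient
        is decided server-side and is always the administrator account."""
        return self._issue(ADMIN_USERNAME)

    def verify(self, submitted_code):
        """Single-use, expiring, constant-time comparison against the stored HMAC."""
        if self._pending is None:
            return False
        digest, expires = self._pending
        if time.time() > expires:
            self._pending = None
            return False
        candidate = hmac.new(SERVER_SECRET, submitted_code.encode(), "sha256").hexdigest()
        if not hmac.compare_digest(digest, candidate):
            return False
        self._pending = None  # burn the code on first successful use
        return True


def extract_code(message):
    """Pull the 6-digit code out of an inbox message (used by the check below)."""
    return message.rsplit(" ", 1)[-1]


def regression_check(handler_name):
    """Replay the writeup's flow against one handler: a non-admin account is
    submitted as 'username', that account's inbox is read, and whatever arrived
    is tried as the admin code. Returns (messages_in_that_inbox, admin_login_ok)."""
    inbox = Inbox()
    svc = AdminCodeService(inbox)
    form = {"username": "lowpriv"}  # constructed non-admin account name
    getattr(svc, handler_name)(form)
    received = inbox.read("lowpriv")
    logged_in = bool(received) and svc.verify(extract_code(received[0]))
    return len(received), logged_in


if __name__ == "__main__":
    print("vulnerable:", regression_check("send_code_vulnerable"))  # (1, True)
    print("fixed:     ", regression_check("send_code_fixed"))       # (0, False)
```

The essential change is a single line: the hardened handler never reads the recipient from the request. Everything else (HMAC storage, expiry, single use, constant-time comparison) is defence in depth around the code itself, and is worth keeping as a regression test so the flaw cannot quietly return if someone later adds a "send to" parameter.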
Exploitation
I changed username to my own account and sent the request:
POST /admin-login/send-code HTTP/1.1
Host: lab-1775713626780-nr30h6.labs-app.bugforge.io
Content-Type: application/x-www-form-urlencoded

username=cyb3r7hr347
The code appeared in my /messages inbox. I submitted it on /admin-login and received an admin session and the flag.