Heyyy, quite often with these labs we don't get access to the source code, but at the end of a topic we review the mitigations / defenses. Request noted though! Maybe I can put together some simple code snippets for some examples.
@intigriti I don't get why reset_token was added to the field parameter? field=reset_token. Aren't they both parameters? What is the logic behind this?
The "field" is indeed the parameter, but since we saw "email" was a valid value for the field parameter, it makes sense that other form fields on the page would also be accepted ("reset_token" in this case).
Which part? Is it not realistic that a company would have an internal API, not accessible through the internet? Or that they might pass some user input to that API? 🤔
Undocumented functionality is the source of many vulnerabilities! You could have an undocumented function with an XSS or SQLi vulnerability; why not one with a parameter pollution vuln? 🙂
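An added example (not the lab's code or anything from the video) of the pattern the two replies above describe: a front-end handler forwards a user-supplied `field` value to an internal API, first unvalidated (so any field the internal API knows, `reset_token` included, can be requested) and then with an allowlist and proper encoding. The internal API URL and the allowed field names are assumptions for illustration.

```python
from urllib.parse import urlencode, parse_qs, urlsplit

# Hypothetical internal API endpoint, not reachable from the internet (assumption).
INTERNAL_API = "http://internal-api.local/users/lookup"

# Fields the public page legitimately needs from the internal API (assumption).
ALLOWED_FIELDS = {"email", "username"}


class DisallowedField(ValueError):
    """Raised when a request names a field the public page never needs."""


def build_lookup_url_unsafe(username: str, field: str) -> str:
    """Vulnerable variant: the user-controlled `field` value is passed
    to the internal API unchanged, so the internal API will answer for
    any field it exposes, not only the ones the page was designed for."""
    return f"{INTERNAL_API}?username={username}&field={field}"


def build_lookup_url_safe(username: str, field: str) -> str:
    """Hardened variant: `field` must be on an explicit allowlist, and
    every value is URL-encoded so a crafted value cannot smuggle in
    extra query parameters to the internal API."""
    if field not in ALLOWED_FIELDS:
        raise DisallowedField(field)
    query = urlencode({"username": username, "field": field})
    return f"{INTERNAL_API}?{query}"


def requested_fields(url: str) -> list:
    """Defender's check: which `field` values would the internal API
    actually see for a given forwarded URL?"""
    return parse_qs(urlsplit(url).query).get("field", [])
```

Logging a rejected `DisallowedField` is a cheap detection signal: legitimate clients never send a field name outside the allowlist.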