# LAB - Insecure Token Management In this lab environment, you will have GUI access to a Debian machine. An application named **HeyDoc** is available on the Android Emulator. **Objective:** Your task is to find issues with HeyDoc's access token management and understand how they can be exploited to gain unauthorized access. The valid credentials for the **HeyDoc** app are as follows: * **Username:** alice * **Password:** Bazinga\@12345# **HeyDoc's** app backend code is available at the following location for analysis: * /home/student/Desktop/heydoc-backend ***

Frist, run the andorid emultor and up the APP. After it, we can see a Reset Password Option, so... configurate the proxi --> ``` ## View us IP hostname -I ## Set local proxy adb shell settings put global http_proxy :8080 ``` Now intercept the reset password peticion -->

This app know we are alice because we have a token, if we can enumate other token, maybe we can change the password of other user But I can see one stranger thing into the token: "token\_number", if i change 101 by 102, i can change the password of others users -->

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://eldeim.gitbook.io/brain_fuck/notes/certifications/eastereggs/ine-emapt/android-dynamic-testing/labs-api/lab-insecure-token-management.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.