Password Reset Token Leak via X-Forwarded-Host
2021-02-28 03:54:44 Source: infosecwriteups.com

Saajan Bhujel

Hi everyone,

I am Saajan Bhujel, a Bachelor of Commerce (B.Com) student and a bug bounty hunter.


This is my first blog post, so if you find any spelling mistakes, please bear with me for the next few minutes. This post is about a vulnerability I found in a HackerOne private program that allowed me to take over any user’s account. But before starting, I would like to give some basic information about the Host header.

What is the HTTP Host header?

The HTTP Host header is a mandatory request header as of HTTP/1.1. It specifies the domain name that the user wants to access.

For example, if a user visits https://example.com, their browser will make a request containing a Host header as below:

GET / HTTP/1.1
Host: example.com

Now let’s start the story.

Some days ago I got a notification from HackerOne saying that I had been invited to a private program. So I accepted the invitation and started hunting on that private program. At the start, I spent 5–6 days looking for Cross-Site Scripting (XSS), IDOR, SQL injection, flaws on the login page, information disclosure, and subdomain takeover, but still I was not able to find anything.

After taking a break of a few hours, I started hunting on that domain again, but this time I noticed an interesting functionality which I had not seen the last time: the password reset functionality. So I thought to myself, let’s play with this password reset functionality.

I can’t disclose the name of the target because it’s a private program, so let’s suppose that the target is site.com. Their password reset functionality looks something like this:

[Screenshot: site.com password reset form]

I noticed that whenever we enter our email and click on reset password, we get an email containing a password reset token link.

The password reset token link looks like this:

https://site.com/action-token?key=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIzZWM2ODU2Z

This time I decided to intercept the password reset request and I also started my ngrok server.

The original request looks something like this:

[Screenshot: original password reset request]

Then I added another header, “X-Forwarded-Host”, with my ngrok server domain to the original request. So now the modified request looks something like this:

[Screenshot: modified password reset request with the X-Forwarded-Host header]

This time I got an email for changing the password, but with my ngrok server domain in it. The password reset token link looked like this:

https://95saf4ct71g.ngrok.io/action-token?key=wia2lkIiA6ICciOiJIUzI1NiIsInR5cCIgODU2ZeyJhbGiAiSldUIiIzZWM2O

As you can see, I was able to change the host of the link simply by adding the header “X-Forwarded-Host” to the password reset request.

Then I realised that if I enter the victim’s email on the password reset page, intercept that request, and add the “X-Forwarded-Host” header with my malicious domain, the victim will get a password reset email whose link points to my malicious domain. When the victim clicks on that link, they are sent to my website and their token leaks to me. Then I can change the victim’s password using the leaked token. So the impact of this vulnerability is a full account takeover.

So now I could fully take over the account of anyone registered on site.com by resetting their password.
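The root cause here is that the server builds the link in the reset email from a request header it does not control. The following Python is an added example, not code from the write-up or from the affected site: it shows a header-trusting link builder next to a hardened one that takes the link base from deployment configuration and only uses the Host and X-Forwarded-Host values to flag anomalies worth logging. The hostnames, header values and token are constructed sample data, and site.com is the placeholder name the write-up uses.

```python
"""Password-reset link construction: header-trusting pattern beside a hardened one.

Added example (not code from the original write-up or from the affected site).
Header values and the token are constructed sample data.
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlencode, urlsplit

# Assumption: the application's public origin and the hostnames it legitimately
# serves are fixed deployment configuration, not derived from any request.
CANONICAL_BASE = "https://site.com"
ALLOWED_HOSTS = {"site.com", "www.site.com"}


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP header names are case-insensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def reset_link_vulnerable(headers: Dict[str, str], token: str) -> str:
    """Weak pattern: the emailed link's host is copied from the request.

    X-Forwarded-Host is honoured ahead of Host, so whoever sends the reset
    request decides which domain receives the token when the link is clicked.
    """
    host = _header(headers, "X-Forwarded-Host") or _header(headers, "Host")
    return f"https://{host}/action-token?{urlencode({'key': token})}"


def reset_link_hardened(headers: Dict[str, str], token: str) -> Tuple[str, List[str]]:
    """Hardened pattern: the link base is server configuration, never the request.

    Request host headers are only validated against the allowlist; any value
    outside it is reported so the caller can log or alert on it.
    """
    anomalies: List[str] = []
    for name in ("X-Forwarded-Host", "Host"):
        value = _header(headers, name)
        if value is None:
            continue
        hostname = value.split(":", 1)[0].strip().lower()  # drop any :port suffix
        if hostname not in ALLOWED_HOSTS:
            anomalies.append(f"{name} outside allowlist: {value!r}")
    link = f"{CANONICAL_BASE}/action-token?{urlencode({'key': token})}"
    return link, anomalies


def link_host(link: str) -> str:
    """Hostname a reset link points at, for comparing the two builders."""
    return urlsplit(link).hostname or ""


if __name__ == "__main__":
    token = "CONSTRUCTED_SAMPLE_TOKEN"
    # Constructed headers mirroring the write-up: Host is legitimate, X-Forwarded-Host is forged.
    forged = {"Host": "site.com", "X-Forwarded-Host": "attacker-controlled.example"}
    print("vulnerable:", reset_link_vulnerable(forged, token))
    link, anomalies = reset_link_hardened(forged, token)
    print("hardened:  ", link)
    for note in anomalies:
        print("anomaly:   ", note)
```

With the forged headers, the weak builder emails a link whose host is the attacker's domain, while the hardened builder always emits the configured origin and reports the unexpected X-Forwarded-Host value. Most web frameworks expose the same control as settings (Django's ALLOWED_HOSTS together with USE_X_FORWARDED_HOST is one example): only honour forwarded-host headers when a trusted reverse proxy sets them, and never let a request choose the domain that appears in a security-sensitive email.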

So without wasting any time, I submitted this vulnerability with a full proof of concept, and the HackerOne private program rewarded me with $1000.

Thank you for reading this blog, and I hope you learned something.

Enjoy your day!….



Source: https://infosecwriteups.com/password-reset-token-leak-via-x-forwarded-host-4ed3e33dca31?source=rss----7b722bfd1b8d--bug_bounty