Reset Password token leaked via host header

This article describes how I found a reset_token leak on an e-commerce website that allowed me to take full control of a user's account. Let's assume this e-commerce website is redacted.com.

How I found it

A few days ago I visited redacted.com to buy something online, but suddenly realized I had forgotten my sign-in password. So I went to the forgot-password page and entered my email; within 5 seconds I received a mail with a reset password link. Happily I reset my password and completed my purchase.

During this process my proxy was on, so all requests and responses were captured. This switched on my hacker mind, and I started testing the forgot-password functionality of redacted.com. I tested for around an hour and a half but didn't get much.

Suddenly I noticed that I could set the Host header to any subdomain of redacted.com, and it would be reflected in the email. However, changing the domain itself to anything other than redacted.com returned an error and no email was sent.

At first this seemed relatively secure. I couldn't find a way to inject my own domain: sure, I could add a random subdomain of redacted.com, but all of these redirected to the proper page.

I then started testing special characters. After a few tries I struck gold: the server accepted a question mark in the header, so I could follow my own domain with a question mark, which made my domain the effective base URL:

Host: attack.com?.redacted.com

This allowed me to steal any user's password reset token from the email. The link in the email that arrived in my inbox looked like this:

https://attack.com?.redacted.com/reset/{email}/{reset_token}

I got the idea for this exploit from a disclosed report in a bug bounty program.

How do attackers exploit it?

  • The attacker identifies the victim's email address.
  • The attacker submits a password reset request for the victim, with the Host header of the request modified to point at their own domain.
  • The victim receives the modified reset link, which will send the reset_token to the attacker.
  • Trusting the company, the victim clicks the reset link. Because the link is built from the Host header, it points to the attacker's website instead, and when the victim visits that site, their password reset token is sent to the attacker.
  • The attacker now resets the victim's password using the stolen password reset token.

How to fix it?

Never trust the Host header when building forgot-password emails, and don't trust it for anything else either. If you do use it, whitelist the permitted subdomains and escape or strip special characters from the Host header. The best option is to store the canonical host as a server-side variable.
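To make the fix concrete, here is an added Python example (not code from the original post or from redacted.com) that puts the vulnerable pattern next to the hardened one. The canonical host, the allowlist of subdomains, the function names and the sample email and token are all constructed for this example; the `/reset/{email}/{reset_token}` path layout is the one shown in the post. The strict Host check rejects the `attack.com?.redacted.com` value outright because `?` is not a valid hostname character, and `effective_host` shows where a browser would really send a click on each link.

```python
import re
from urllib.parse import urlparse

# Constructed configuration for this example: the host the application
# should use in outbound email, and the subdomains that may appear in a
# Host header at all. Both live server-side, never in the request.
CANONICAL_HOST = "redacted.com"
ALLOWED_HOSTS = {"redacted.com", "www.redacted.com", "shop.redacted.com"}

# A Host header is a hostname made of RFC 1123 labels plus an optional port.
# Anything else ('?', '/', '@', whitespace, ...) fails this regex.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?::\d{1,5})?$"
)


def vulnerable_reset_link(host_header: str, email: str, token: str) -> str:
    """The pattern described in the post: the link's origin is copied from the
    attacker-controllable Host header. With 'attack.com?.redacted.com' the
    real host becomes attack.com and '.redacted.com/reset/...' becomes the
    query string, so the token is delivered to the attacker's server."""
    return f"https://{host_header}/reset/{email}/{token}"


def is_allowed_host(host_header: str) -> bool:
    """Strict check for code that must look at Host: the value has to be a
    well-formed hostname (optional port) AND be on the allowlist."""
    value = host_header.strip().lower()
    if not _HOST_RE.match(value):
        return False
    hostname = value.split(":", 1)[0]  # regex guarantees at most one ':'
    return hostname in ALLOWED_HOSTS


def safe_reset_link(email: str, token: str) -> str:
    """Hardened version: the origin comes from server-side configuration.
    The Host header is not consulted, so it cannot be reflected."""
    return f"https://{CANONICAL_HOST}/reset/{email}/{token}"


def effective_host(url: str) -> str:
    """The host a browser would actually connect to for this link."""
    return urlparse(url).hostname or ""


if __name__ == "__main__":
    # Constructed sample values.
    email, token = "victim@example.com", "EXAMPLE_RESET_TOKEN"
    hostile = "attack.com?.redacted.com"
    bad_link = vulnerable_reset_link(hostile, email, token)
    good_link = safe_reset_link(email, token)
    print("Host header accepted?", is_allowed_host(hostile))      # False
    print("vulnerable link goes to:", effective_host(bad_link))   # attack.com
    print("hardened link goes to:", effective_host(good_link))    # redacted.com
```

`is_allowed_host` is only needed in the rare place where the application legitimately branches on the request's host (for example, choosing a tenant); for email links the safe path is `safe_reset_link`, which never reads the header at all.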
