This article describes how I found a leaked reset_token bug on an e-commerce website which allowed me to get full access to any user's account. Let's assume this e-commerce website is redacted.com.
A few days ago, I visited redacted.com to buy something online but suddenly realized I had forgotten my sign-in password. So I went to the forgot-password page and entered my email; within 5 seconds I got a mail with a reset password link. Happily, I reset my password and completed my purchase.
During this process my proxy was on, so all requests and responses were captured. This woke up my hacker mind, and I started testing the forgot-password functionality of redacted.com. I tested for around an hour and a half but didn't get much.
Suddenly I noticed that I could set the Host header to any subdomain of redacted.com, and it would be reflected in the email. However, changing the domain to anything other than redacted.com returned an error and no email was sent.
At first, this seemed relatively secure. I couldn't find a way to inject my own domain: sure, I could add a random subdomain of redacted.com, but all of these redirected to the proper page.
I then started testing special characters. After a few tries, I struck gold: the server accepted a question mark in the header, so I could follow my domain with a question mark to make my domain the base URL:
This allowed me to steal any user's password reset token from the email. The email that arrived in my inbox looked like this:
Well, I got the idea for this exploit from one of the disclosed reports of a bug bounty program.
Never trust the Host header when sending forgot-password emails, and don't trust it for anything else either. If you do, whitelist the subdomains and escape special characters in the Host header. The best approach is to store the host as a server-side variable.
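As an added example (not code from the original write-up), here is how the two mitigations above look in Python: the Host header is validated against an allowlist of exact hostnames, anything else (including a host containing "?") falls back to a canonical base URL kept in server-side configuration. The hostnames and token are constructed placeholders.

```python
import re

# Canonical base URL kept in server-side configuration (constructed value).
CANONICAL_BASE_URL = "https://www.redacted.com"

# Exact hostnames allowed to appear in reset links (constructed allowlist).
ALLOWED_HOSTS = frozenset({"www.redacted.com", "shop.redacted.com"})

# Plain RFC 1123 hostname (letters, digits, hyphens, dots) with an optional port.
# Anything else ("?", "/", "@", "#", spaces, ...) fails to match.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}(?::\d{1,5})?$"
)


def normalize_host(host_header):
    """Return the validated, allowlisted hostname, or None if it must not be trusted."""
    if not host_header:
        return None
    host = host_header.strip().lower()
    # Reject anything that is not syntactically a bare hostname[:port].
    if not _HOST_RE.match(host):
        return None
    # Drop the port before the allowlist lookup.
    hostname = host.split(":", 1)[0]
    return hostname if hostname in ALLOWED_HOSTS else None


def build_reset_link(host_header, token):
    """Build the reset link; the Host header is only used if it passed validation."""
    hostname = normalize_host(host_header)
    base = f"https://{hostname}" if hostname else CANONICAL_BASE_URL
    return f"{base}/reset-password?token={token}"


if __name__ == "__main__":
    # Constructed Host header values as a server might receive them.
    for header in ("www.redacted.com", "SHOP.redacted.com:443",
                   "random.redacted.com", "attacker.example?www.redacted.com"):
        print(f"{header!r:45} -> {build_reset_link(header, 'TOKEN_PLACEHOLDER')}")
```

The last two constructed headers show that both a non-allowlisted subdomain and a host carrying a "?" are ignored in favour of the server-side base URL.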