#7. Bug Bounty Series: Password Reset Poisoning Attack

Cyb3r M!nds
3 min read · Nov 13, 2024

Hello 👋 and welcome, fellow cyber explorers! Today I'm excited to talk about a sneaky type of attack known as password reset poisoning. We'll break down how it works and what you can do to protect yourself. Let's dive in!

Description:

Host header injection is a vulnerability in which an attacker manipulates the HTTP Host header and causes the application to behave in unexpected ways. The Host header tells the server which website should process the request (several sites can share one IP address). If the application uses that header to build links, redirects or emails without checking it against the list of hosts it actually serves, whatever the attacker puts there ends up in the application's output.

Password reset poisoning is a technique in which an attacker manipulates a vulnerable website into generating a password reset link that points to a domain under their control. When the victim opens the emailed link, their browser sends the secret reset token to the attacker's server; the attacker then uses that token to reset the victim's password and, ultimately, take over the account.

Impacts of Host Header Injection:

  • Account Takeover: the poisoned reset link delivers the reset token to the attacker, who uses it to set a new password for the victim.
  • Phishing Risk: the email really does come from the legitimate site, so a link to an attacker-controlled domain (and a fake login page behind it) is far more convincing than an ordinary phishing mail.
  • Sensitive Data Exposure: a compromised account exposes whatever personal or confidential data the application holds for that user.
  • Session Hijacking: after completing the reset, the attacker holds a fully authenticated session as the victim; if the application does not invalidate existing sessions on password change, both parties stay logged in.
  • Reputational and Legal Consequences: breaches damage trust and can lead to penalties under data protection laws.

Now let's get to the main point.

While testing a CRM portal, let's say www.example.com, I found a misconfiguration in the password reset feature. I tried several tests first, such as rate limiting and SQL injection, but nothing worked. Finally I experimented with changing the Host header, and that's when I got results and successfully exploited the issue.

Steps to Reproduce:

  1. Visit the forgot-password page and enter the email address (I used a temp-mail address):

https://www.example.com/password/reset

  2. Intercept the request with Burp Suite and send it to Repeater.

  3. Change the Host header to www.evil.com and send the request.

  4. The response is 302 Found and a redirect occurs. The 302 on its own only shows that the server processed the request; the proof is in the next step.

  5. Open the inbox and check the password reset link. The link contains the www.evil.com host that we set in Repeater, so the token would have been sent to that host had a real victim clicked it.

  6. I reported the vulnerability and received a reply from the program that they accepted the bug, will let me know once it is fixed, and that I'm eligible for a bounty.

Many developers don't realize that the Host header is attacker-controlled, just like any other part of the request. For security, user input should never be trusted without checks, so developers need to treat host header risks as a serious threat and put measures in place to protect against them.

Mitigations:

  • Validate the Host header strictly: configure the application (or the reverse proxy in front of it) to accept only the known hostnames it serves and reject every other value.
  • If the application needs its own domain (for reset links, redirects, emails), take it from a server-side configuration value; it must never depend on the Host header.
  • Do not honour host-override headers such as X-Forwarded-Host or X-Host unless a trusted reverse proxy sets them, and then accept them only from that proxy. (X-Forwarded-For carries the client IP rather than a host, but the same rule applies: do not trust it from the internet.)
  • Generate reset tokens that are unique, unguessable, single-use and short-lived, and store only a hash of them server-side.
  • Implement MFA. Note that MFA only limits the impact if the reset flow itself still requires the second factor.
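As an added example (not code from the original write-up or from the CRM portal it describes), the following Python reproduces the bug on the server side and shows the mitigations above in working code: a reset-link builder that copies the request Host (and X-Forwarded-Host) the way the vulnerable portal did, beside a hardened one that checks Host against an allowlist, ignores override headers and takes the site URL from configuration, plus single-use, expiring, hash-stored tokens. The hostnames, configuration values and the request headers in `demo()` are assumptions.

```python
"""Password reset poisoning: vulnerable vs. hardened reset-link generation.

Added example, not code from the write-up or the portal it describes.
Hostnames, URLs and configuration values below are assumptions.
"""
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Assumed server-side configuration (mitigations 1 and 2): the canonical URL
# used in outbound emails and the only hostnames this deployment serves.
CANONICAL_BASE_URL = "https://www.example.com"
ALLOWED_HOSTS = {"www.example.com", "example.com"}
RESET_TOKEN_TTL_SECONDS = 15 * 60


def vulnerable_reset_link(headers: Dict[str, str], token: str) -> str:
    """Builds the link the way the vulnerable portal did: the host is copied
    from the request. Honouring X-Forwarded-Host as well (a common setting
    behind a proxy) gives the attacker a second way in if Host is filtered."""
    host = headers.get("X-Forwarded-Host") or headers["Host"]
    return f"https://{host}/password/reset?token={token}"


def is_trusted_host(host_header: str) -> bool:
    """Allowlist check for the Host header. urlsplit lower-cases the name and
    strips a port; a value like 'www.example.com@evil.com' parses to the
    hostname 'evil.com', so userinfo tricks are caught as well."""
    hostname = urlsplit(f"//{host_header}").hostname or ""
    return hostname in ALLOWED_HOSTS


def hardened_reset_link(headers: Dict[str, str], token: str) -> str:
    """Rejects untrusted Hosts, ignores override headers entirely, and builds
    the link from configuration (mitigations 1 to 3)."""
    host = headers.get("Host", "")
    if not is_trusted_host(host):
        raise ValueError(f"untrusted Host header: {host!r}")
    return f"{CANONICAL_BASE_URL}/password/reset?token={token}"


# Mitigation 4: unguessable, single-use, expiring tokens. Only a hash of the
# token is stored, so a leaked table does not yield usable reset links.
_reset_tokens: Dict[str, Tuple[str, float]] = {}  # sha256(token) -> (email, expires_at)


def _token_key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(email: str, now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _reset_tokens[_token_key(token)] = (email, now + RESET_TOKEN_TTL_SECONDS)
    return token


def consume_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Returns the e-mail the token was issued for, or None if the token is
    unknown, already used, or expired. The entry is removed on first use."""
    now = time.time() if now is None else now
    entry = _reset_tokens.pop(_token_key(token), None)
    if entry is None:
        return None
    email, expires_at = entry
    return email if now <= expires_at else None


def demo() -> Dict[str, str]:
    """Replays the write-up's step 3 (Host: www.evil.com) against both builders."""
    token = issue_reset_token("victim@example.com")
    tampered = {"Host": "www.evil.com"}  # constructed attacker request headers
    result = {"vulnerable": vulnerable_reset_link(tampered, token)}
    try:
        result["hardened"] = hardened_reset_link(tampered, token)
    except ValueError as exc:
        result["hardened"] = f"rejected ({exc})"
    # A legitimate request, with an explicit port, still gets a canonical link.
    result["legit"] = hardened_reset_link({"Host": "www.example.com:443"}, token)
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:10s} {value}")
```

Run it with `python3` to see the poisoned link on the "vulnerable" line and the rejection on the "hardened" line. Most frameworks ship the allowlist check already (Django's `ALLOWED_HOSTS`, Rails' `config.hosts`); the part teams usually miss is the second half, building outbound links from configuration rather than from the request. When testing, if plain Host tampering is rejected, repeat the request with X-Forwarded-Host set, since the vulnerable builder above shows why that header matters.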

That's it for now. Thanks for reading, and I appreciate you taking the time. For more writeups like this one, visit the rest of the series.

If you found it useful, please click the 👏 button and share it with others who have similar interests! Feedback is always appreciated! 😊

Written by Cyb3r M!nds

DevSecOps | Freelancer | Cloud Security | Web Pentester | Android & iOS Pentester | API Pentester | Blogger | Learner .
