Pwn Them All #BugBounty

Bilal Khan
Sep 11 · 2 min read

Recently I was pentesting a private program. The web app was built on “Ruby on Rails”, and I was testing its ‘forgot password’ functionality. Of course, why not?

I was surprised when I saw that the endpoint was vulnerable to Host Header Injection, so here are the steps of how I was able to exploit it. First I fired up a Python local server running on port 8080 along with ngrok on port 80.

[image: python server with ngrok]

I fired up Burp and Firefox and typed the URL again to capture the request for further testing. I typed my email in the forgot password form, and when I intercepted the request I first tried every header like:

```http
X-Host: evil.com
X-Server: evil.com
X-Forwarded-For: evil.com
X-Forwarded-Host: evil.com
```

[image: password reset form]

[image: captured request]

I tried every header, and the one which worked for me here was

`X-Forwarded-Host: evil.com`

[image: confirmation]

I got confirmation that the email had been sent to my email address.

[image: the host changed to my host]

The original Host in the reset link was replaced by the evil host (ngrok / my host). Now when a victim clicks the link, I GET a request on my server carrying the password token of that user.

[image: victims click and code sent to my server]
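To show why the reset link ended up pointing at the attacker's host, and what the fix looks like on the application side, here is an added Ruby example (not the author's code and not from the target program). It contrasts a link builder that trusts `X-Forwarded-Host`, the way the vulnerable endpoint behaved, with one that pins the link to a configured canonical host and ignores request-supplied host values; it also includes a small detection check a log review or WAF rule could apply. The hostnames `app.example.com` and `www.example.com`, the `/users/password` path, the token, and the captured request are all constructed for illustration.

```ruby
# Added example (not from the original post): how a password-reset link ends up
# pointing at an attacker-controlled host when the app trusts X-Forwarded-Host,
# and how pinning the link to a configured canonical host prevents it.
# Hostnames, paths, token and the request below are constructed for illustration.
require 'uri'

# Canonical host the application is actually served from (assumed value).
CANONICAL_HOST = 'app.example.com'.freeze
# Hosts the app is willing to serve a reset request for (assumed allowlist).
ALLOWED_HOSTS = [CANONICAL_HOST, 'www.example.com'].freeze

# Minimal parser for the header section of a captured HTTP request.
# Returns a Hash of lowercased header name => value.
def parse_headers(raw_request)
  headers = {}
  raw_request.lines.drop(1).each do |line|   # drop the request line
    line = line.strip
    break if line.empty?                     # blank line ends the headers
    name, value = line.split(':', 2)
    next unless value
    headers[name.strip.downcase] = value.strip
  end
  headers
end

# Vulnerable behaviour: the host in the link comes from the request, preferring
# X-Forwarded-Host, which reverse-proxy-aware frameworks commonly honour.
def reset_link_vulnerable(headers, token)
  host = headers['x-forwarded-host'] || headers['host']
  "https://#{host}/users/password/edit?reset_password_token=#{token}"
end

# Hardened behaviour: never derive the link host from request headers. Build it
# from configuration, and refuse to proceed when the request's Host is not one
# the app expects (the controller can still return a generic "email sent").
def reset_link_hardened(headers, token)
  request_host = (headers['host'] || '').split(':').first
  return nil unless ALLOWED_HOSTS.include?(request_host)
  URI::HTTPS.build(host: CANONICAL_HOST,
                   path: '/users/password/edit',
                   query: "reset_password_token=#{token}").to_s
end

# Detection helper: flag reset-endpoint requests where X-Forwarded-Host is set
# and disagrees with Host, so attempts show up in logs or a WAF rule.
def suspicious_reset_request?(headers, path)
  return false unless path.start_with?('/users/password')
  fwd = headers['x-forwarded-host']
  !fwd.nil? && fwd != headers['host']
end

# Constructed request resembling the one intercepted in Burp in the post.
CAPTURED_REQUEST = <<~HTTP
  POST /users/password HTTP/1.1
  Host: app.example.com
  X-Forwarded-Host: evil.com
  Content-Type: application/x-www-form-urlencoded

  user%5Bemail%5D=victim%40example.com
HTTP

if __FILE__ == $PROGRAM_NAME
  headers = parse_headers(CAPTURED_REQUEST)
  token = 'EXAMPLE_TOKEN'  # placeholder; a real token is random and single-use
  puts "vulnerable link: #{reset_link_vulnerable(headers, token)}"
  puts "hardened link:   #{reset_link_hardened(headers, token)}"
  puts "flag request?:   #{suspicious_reset_request?(headers, '/users/password')}"
end
```

Run with `ruby host_header_reset.rb`: the vulnerable builder emits a link on `evil.com`, so the token in the email would be delivered to whoever controls that host, while the hardened builder emits the `app.example.com` link regardless of what the request claims. The allowlist check is the part that matters for a Rails deployment behind a proxy: the framework may legitimately read forwarded headers, but the mail template should take its host from application configuration, not from the inbound request.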

Written by Bilal Khan: fullStack | Dev Ops | Django | Flask | Vuejs | Angularjs | Ionic | ML | AI | Security Researcher | Pentester | Bug Hunter | Tech Writer | Eat -> Code -> Sleep |
