Recently I was pentesting a private program. The web app was built on "Ruby on Rails", and I was testing its 'forgot password' functionality, of course, why not?
I was surprised to see that the endpoint was vulnerable to Host Header Injection, so here are the steps of how I was able to exploit it. First I fired up a Python local server on port 8080, along with ngrok on port 80.
I fired up Burp and Firefox and typed the URL again to capture the request for further testing. I entered my email in the forgot password form, intercepted the request, and first tried every header like
I tried every header, and the one which worked for me here was
I got confirmation that the email had been sent to my address.
The original host in the reset link was replaced by the evil host (my ngrok host). Now, when the victim clicks the link, I receive a GET request containing the user's password reset token.
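The root cause of this bug is that the reset link is built from the Host header (or a forwarded-host header) the client sends, rather than from a host the application itself controls. The following Ruby is an added example, not code from the writeup or from the target application: it simulates a minimal request object (the `FakeRequest` class, its `Host`/`X-Forwarded-Host` handling, the `app.example.com` allowlist and the log line format are all assumptions) and shows the vulnerable link builder next to a hardened one, a host allowlist check, and a small log scan a defender can use to spot reset requests that arrived with an unexpected Host value.

```ruby
require 'uri'

# Constructed stand-in for a framework request object (assumption: headers
# are exposed as a plain Hash keyed by header name).
class FakeRequest
  attr_reader :headers

  def initialize(headers)
    @headers = headers
  end

  # Many frameworks prefer X-Forwarded-Host when a proxy sets it, so both
  # headers are attacker-influenced unless the app validates them.
  def host
    headers['X-Forwarded-Host'] || headers['Host']
  end
end

# Hosts this application legitimately serves (assumption for the example).
ALLOWED_HOSTS = ['app.example.com'].freeze
CANONICAL_HOST = ALLOWED_HOSTS.first

# VULNERABLE: the reset link takes its host from the incoming request, so a
# client-supplied Host header ends up in the email the victim receives.
def reset_link_from_request(request, token)
  "https://#{request.host}/password/reset?token=#{token}"
end

# HARDENED: ignore the request entirely and use a configured canonical host.
def reset_link_canonical(token)
  URI::HTTPS.build(host: CANONICAL_HOST,
                   path: '/password/reset',
                   query: "token=#{token}").to_s
end

# Defensive check to run before handling the request: reject any Host or
# forwarded host that is not on the allowlist.
def host_allowed?(request)
  ALLOWED_HOSTS.include?(request.host)
end

# Constructed access-log lines in a key=value format (assumption) for the
# detection check below.
SAMPLE_LOG = [
  'method=POST path=/password/forgot host="app.example.com" status=200',
  'method=POST path=/password/forgot host="evil.example.net" status=200',
  'method=GET  path=/login           host="app.example.com" status=200'
].freeze

# Detection: return the log lines whose Host value is outside the allowlist.
# A reset request logged with a foreign host is exactly the signal this bug leaves.
def suspicious_host_log_lines(log_lines)
  log_lines.select do |line|
    m = line.match(/host="([^"]*)"/)
    m && !ALLOWED_HOSTS.include?(m[1])
  end
end

if __FILE__ == $PROGRAM_NAME
  evil = FakeRequest.new('Host' => 'evil.example.net')
  token = 'constructed-token'
  puts "vulnerable: #{reset_link_from_request(evil, token)}"
  puts "hardened:   #{reset_link_canonical(token)}"
  puts "allowed?    #{host_allowed?(evil)}"
  puts "suspicious: #{suspicious_host_log_lines(SAMPLE_LOG).inspect}"
end
```

In a real Rails application the equivalent of `reset_link_canonical` is setting `config.action_mailer.default_url_options = { host: 'app.example.com' }` so mailer links never consult the request, and the equivalent of `host_allowed?` is the Rails 6+ `config.hosts` allowlist, which rejects requests whose Host header does not match before any controller runs. Both settings are real Rails configuration; the code above is only a standalone illustration of what they prevent.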