SSRF to a Full Account Takeover (ATO)

Kwadwo Amoako
3 min read · Mar 4, 2022


Hello hackers! Today, I will show you how I performed an SSRF and account takeover attack using host header injection. Let's get right to it 😊. NB: Due to an NDA, I will not be able to disclose the name of the program.

But wait a second! What is an SSRF??

In computer security, server-side request forgery (SSRF) is a type of exploit where an attacker abuses the functionality of a server, causing it to access or manipulate information in the realm of that server that would otherwise not be directly accessible to the attacker (Wikipedia). It is important to note that, as hard as it may be to find in the wild, SSRF remains a much-sought-after bug amongst hackers.

The Attack

After a deep dive into the various functionalities of the app, I struck gold in the password reset functionality when I realised that the Host header of the POST request was vulnerable to SSRF. How did I know this? I replaced the address in the Host header with the address generated by Burp Collaborator and got the IP of the application's server in the HTTP callback. Furthermore, I was able to enumerate the internal ports of the server based on response time. Beyond that, attacks like RCE weren't possible.

Now to raise the impact of the bug. I fired up my ngrok server, created a test account (let's call it the victim) for the proof of concept (POC) and initiated a password reset. Intercepting the POST request, I replaced the URL in the Host header with mine and forwarded the request (Figure 1).

Figure 1

The forwarded request resulted in the victim receiving a password reset email as seen in Figure 2.

Figure 2

In this attack, however, instead of the Password Reset page opening after the "Reset Password" link was clicked, the URL token associated with the victim was sent to the attacker (me 😊); see Figure 3.

Figure 3

With the URL token in my possession, combining the app's URL with the URL token gave me the victim's password reset page, leading to a full account takeover.
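The root cause described above is that the reset link is built from the request's Host header, so whoever controls that header controls where the victim's token is sent. The following is an added example, not code from the original write-up or the affected application, contrasting that pattern with a fix that builds the link from a configured canonical origin and rejects unexpected hosts; the hostnames and header dictionaries are constructed sample values.

```python
from urllib.parse import urlsplit

# Assumed deployment configuration: the only origin the app is served from.
CANONICAL_ORIGIN = "https://app.example.com"
ALLOWED_HOSTS = {"app.example.com"}


def reset_link_vulnerable(headers: dict, token: str) -> str:
    """Builds the reset link from the Host header: the flaw in the write-up.
    An attacker who changes Host on the reset POST redirects the victim's token."""
    host = headers.get("Host", "")
    return f"https://{host}/reset?token={token}"


def reset_link_hardened(headers: dict, token: str) -> str:
    """Never trusts Host (or X-Forwarded-Host) for link construction.
    Unexpected hosts are rejected so tampering is visible in logs, not silent."""
    for name in ("Host", "X-Forwarded-Host"):
        value = headers.get(name)
        if value is not None:
            host = value.split(":")[0].strip().lower()
            if host not in ALLOWED_HOSTS:
                raise ValueError(f"rejected reset request: {name}={value!r}")
    return f"{CANONICAL_ORIGIN}/reset?token={token}"


def link_leaks_token(link: str) -> bool:
    """True if the link would carry the token to a host other than ours."""
    return urlsplit(link).netloc.split(":")[0].lower() not in ALLOWED_HOSTS


# Constructed sample requests: one tampered as in the attack, one legitimate.
TAMPERED = {"Host": "attacker.example.net", "Content-Type": "application/json"}
LEGIT = {"Host": "app.example.com", "Content-Type": "application/json"}

if __name__ == "__main__":
    bad = reset_link_vulnerable(TAMPERED, "t0k3n")
    print("vulnerable:", bad, "leaks token:", link_leaks_token(bad))
    print("hardened:  ", reset_link_hardened(LEGIT, "t0k3n"))
    try:
        reset_link_hardened(TAMPERED, "t0k3n")
    except ValueError as exc:
        print("hardened rejected tampered request:", exc)
```

Rejecting mismatched Host values (rather than silently substituting the canonical origin) also gives the SOC a concrete signal to alert on for the enumeration activity described earlier.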

Figure 4

NB: I hope that this write-up has done justice in demonstrating how misconfigured Host header handling and flawed business logic can be leveraged to perform high impact attacks like SSRF and, in this case, an account takeover 😊.

As always, your feedback on this write-up will be very much appreciated.

Disclaimer: This write-up is for educational purposes only. I am in no way responsible for its misuse.
