Password Reset Link poisoning via host header injection

3 min readSep 5

Hello everyone, Recently, I discovered instances of account takeover resulting from password reset manipulation at both Cambridge and Drexel University. Regarding Drexel, I was so much excited to know that my fourth security issue discovery was acknowledged, following the resolution of three duplicate Cross-site scripting vulnerabilities.

Password reset poisoning is a technique whereby an attacker manipulates a vulnerable website into generating a password reset link pointing to a domain under their control. This behavior can be leveraged to steal the secret tokens required to reset arbitrary users’ passwords and, ultimately, compromise their accounts.

Working Mechanism

Generally, Users request the password reset link and uses it to change the password.

Attack scenario

An attacker having active domain www.attacker.com, request password reset link for victim by inputting victims email address i.e victim@gmail.com. Then the password reset link is received by the victim. The normal password reset link received by victim should be like the following:

http://example.com/resetpassword?userid=123&token=efghId

But attacker manipulates the request so that the victim gets the password link like the following:

http://www.attacker.com/account/resetpassword?userid=123&token=efghId

Now, when the victim clicks on the link, the userid along with the token is logged into the www.attacker.com which can be used by attacker to create new password and log into the victim’s account.

Generate crafted password reset request

Intercept the password reset request in Burp Suite
Change the host to www.attacker.com

Host: example.com — — — — — → Host: www.attacker.com

If a web is vulnerable the inputted host is reflected in the password reset link

3. Send the request and observe the mail. The inputted host header i.e www.attacker.com may reflect in the password reset link as following:

Impact

An attacker can easily take over the victim account.

Preventive measure

Implement MFA for password resets, use unique reset tokens, and employ email verification.
Users should ignore and report the unrequested password reset to an organization immediately

Written by Kushal Shrestha

78 Followers

Life-Long Learner

More from Kushal Shrestha

LFI using Automation tool and Google Dorking

Kushal Shrestha

LFI using Automation tool and Google Dorking

Hello everyone, This blog is about how I found LFI in domains using automation tools and google dorking, Let’s kick off.

3 min readJul 2

Kushal Shrestha

United Nations Hall of Fame (XSS)

Hello everyone, This is my first writeup about security finding (cross site scripting) in the uneca.org which helped me to be enlisted in…

2 min readJun 25

Kushal Shrestha

Interesting XSS in dutch website

Some months ago, I found an XSS vulnerability in one of the dutch website. It was a bit interesting for me and I really enjoyed researching…

3 min readSep 19

Kushal Shrestha

XSS Vulnerability in Stanford

Hello Everyone, During a recent security assessment of Stanford University’s domains, I uncovered two XSS vulnerabilities.

2 min readSep 19

See all from Kushal Shrestha

Recommended from Medium

Mr.Horbio

How to Find First Bug (For Beginners)

As a beginner, you try to find bugs in many websites but still you got nothing. You got Demotivation during bug hunting ,Don’t worry when…

3 min readNov 24

Ott3rly
in
InfoSec Write-ups

Mass Hunting XSS vulnerabilities

In this article, I would like to cover how it is possible to efficiently check thousands of endpoints for potential Cross Site Scripting…

6 min readNov 22

Lists

Staff Picks

518 stories480 saves

Stories to Help You Level-Up at Work

19 stories332 saves

Self-Improvement 101

20 stories968 saves

Productivity 101

20 stories876 saves

#!/Subhankar
in
CodingNinjaBlogs

Host Header Injection lead to Hall of Fame

Intro : Hello Hackers! What’s Up. Welcome to my New Article. Here I will discuss about Host Header Injection that takes me to Hall of Fame…

2 min readNov 7

Bonus — My $3000 request smuggling report

Abhijit Dutta

Bonus — My $3000 request smuggling report

Hi everyone, today I want to share one of my request smuggling report which I performed and how I managed to do that on one of the bug…

3 min readOct 18

Account takeover hidden in Javascript files.

Omar Ahmed

Account takeover hidden in Javascript files.

Hey guys, I’m here to share a broken access control bug I found on a private program on h1 which enabled me to take over any account with…

3 min readJul 4

My First IDOR - Hiding in the Header Request

Benja (bronxi)

My First IDOR - Hiding in the Header Request

In the midst of a busy schedule, the little time I dedicate to bug hunting brings immense joy, especially when I stumble upon something…

2 min readNov 21

See more recommendations

Help
Status
About
Careers
Blog
Privacy
Terms
Text to speech
Teams