How I was able to take over any user's account with Host header injection

Ajay Gautam
Infosec Daily

--

This article is about a vulnerability I found in a BugCrowd private program.

At around midnight I got an alert saying that I had been invited to pentest a new private program. Considering the scope and the reward range of the web application, I thought I would give it a try. It was late, though, and I did not come across any vulnerabilities that night, so I decided to go to sleep.

The next day was like any other, full of errands, but I had some free time before the office, so I decided to have another look at the private program from the night before.

Since I was already familiar with how the web application worked, I tested for IDORs, but I did not have much luck at the time. Even if I had found an IDOR, it would not have been rated high severity, because the application used MongoDB's default ObjectId as the user identifier: the ID is not encrypted, but its random component makes other users' IDs infeasible to guess blindly. However, I thought there might be places where the application leaked user IDs.
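To make the ObjectId point concrete, here is an added example (my own illustration, not code from the post or the target program) that splits a MongoDB ObjectId into its documented fields. The sample ID is the one used in MongoDB's own documentation and is constructed input, not an ID from the program. It shows two things a pentester cares about: the ID is plain structure, so it leaks the document's creation time, and the only unpredictable part is the 5-byte per-process random field, so an ID created by the same server process shortly after a known one differs only in the timestamp and the 3-byte counter.

```python
import struct
from datetime import datetime, timezone

# Constructed sample: the ObjectId used in MongoDB's documentation.
SAMPLE_OID = "507f1f77bcf86cd799439011"


def parse_object_id(hex_id: str) -> dict:
    """Split a 24-hex-character ObjectId into its three fields.

    Layout (MongoDB ObjectId spec): 4-byte big-endian Unix timestamp,
    5-byte random value generated once per process, 3-byte big-endian
    counter. Nothing here is encrypted; it is plain structure.
    """
    raw = bytes.fromhex(hex_id)
    if len(raw) != 12:
        raise ValueError("ObjectId must be 12 bytes")
    ts = struct.unpack(">I", raw[:4])[0]
    rand = int.from_bytes(raw[4:9], "big")
    counter = int.from_bytes(raw[9:12], "big")
    return {
        "timestamp": ts,
        "created": datetime.fromtimestamp(ts, tz=timezone.utc),
        "random": rand,
        "counter": counter,
    }


def next_id_same_process(hex_id: str, ts_delta: int = 0,
                         counter_delta: int = 1) -> str:
    """Candidate ObjectId for a document created shortly after `hex_id`
    by the same server process: same random field, counter advanced by
    `counter_delta`, timestamp shifted by `ts_delta` seconds.

    This is the realistic guessing surface: blind enumeration has to cover
    the 40-bit random field, but an attacker who knows one ID created on
    the same instance only has to search timestamp and counter.
    """
    p = parse_object_id(hex_id)
    ts = (p["timestamp"] + ts_delta) & 0xFFFFFFFF
    counter = (p["counter"] + counter_delta) & 0xFFFFFF
    return (ts.to_bytes(4, "big").hex()
            + p["random"].to_bytes(5, "big").hex()
            + counter.to_bytes(3, "big").hex())


if __name__ == "__main__":
    fields = parse_object_id(SAMPLE_OID)
    print("created:", fields["created"].isoformat())
    print("random :", hex(fields["random"]))
    print("counter:", fields["counter"])
    print("next id from same process:", next_id_same_process(SAMPLE_OID))
```

The practical caveat: "not guessable" only holds against an attacker with no reference ID. Any endpoint that leaks one ObjectId (a public profile, an export, a response body) hands over the random field, and accounts created around the same time on the same instance become a small search space.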

As I moved on, I found a few stored XSS issues. I was fairly sure they would come back as duplicates, but I reported them anyway, and as expected they were marked duplicate.

Moving further through the pentest, I found a vulnerability that let me steal other users' password reset tokens or…
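The title and this paragraph describe the classic password reset poisoning pattern: the application builds the reset link from the request's Host header, so an attacker who requests a reset for the victim's address with a forged Host gets the victim's token delivered to a domain they control. The following is an added example of mine, not code from the post or from the program in question; the hostnames, the `CANONICAL_ORIGIN`/`ALLOWED_HOSTS` settings and the token value are all hypothetical. It puts the vulnerable link builder beside a hardened one and simulates the attack against each.

```python
from urllib.parse import quote, urlparse

# Hypothetical configuration for the example app (not from the original post).
CANONICAL_ORIGIN = "https://app.example.com"
ALLOWED_HOSTS = {"app.example.com"}


def vulnerable_reset_link(headers: dict, token: str) -> str:
    """Build the reset URL from request headers, as many frameworks and
    hand-rolled mailers do. Both X-Forwarded-Host and Host are supplied
    by the client, so the link's origin is attacker-controlled."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    return f"https://{host}/reset?token={quote(token)}"


def hardened_reset_link(headers: dict, token: str) -> str:
    """Never derive the link from the request. The Host header is only
    validated against an allowlist (exact match, port stripped) so that
    requests for unknown hosts are rejected; the link itself comes from
    configuration."""
    host = headers.get("Host", "")
    hostname = host.split(":", 1)[0].strip().lower()
    if hostname not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected Host header: {host!r}")
    return f"{CANONICAL_ORIGIN}/reset?token={quote(token)}"


def simulate_attack(build_link, attacker_host: str = "evil.example"):
    """Attacker submits a reset request for the victim's e-mail with a
    forged Host header. Returns the hostname the victim's e-mailed link
    would point at, or None if the app refused to build a link."""
    token = "constructed-token-1234"  # constructed value; real tokens are random
    forged_headers = {"Host": attacker_host, "X-Forwarded-Host": attacker_host}
    try:
        link = build_link(forged_headers, token)
    except ValueError:
        return None
    return urlparse(link).hostname


if __name__ == "__main__":
    print("vulnerable app mails a link to:", simulate_attack(vulnerable_reset_link))
    print("hardened app mails a link to :", simulate_attack(hardened_reset_link))
    print(hardened_reset_link({"Host": "app.example.com:443"}, "t0k3n"))
```

When the victim clicks the poisoned link, the browser sends the token in the path or query to the attacker's server, where it shows up in the access log; the attacker then replays it against the real host. Two things to check on a target: whether `X-Forwarded-Host` is honoured even when the app is not behind a proxy, and whether a Host with an unexpected port (`app.example.com:443`) is normalised before comparison, which is why the hardened version strips the port before the allowlist lookup.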
