Password Reset link hijacking via Host Header Poisoning
This vulnerability arises when a website uses the Host header when sending out password reset links. This allows an attacker to insert a malicious Host header, leading to password reset link / token leakage.

Developers often resort to the exceedingly untrustworthy HTTP Host header ($_SERVER["HTTP_HOST"] in PHP, or its equivalent in other languages).

There are two main ways to exploit this trust in regular web applications.
The first approach is web-cache poisoning: manipulating caching systems into storing a page generated with a malicious Host and serving it to others.
The second technique abuses alternative channels like password reset emails, where the poisoned content is delivered directly to the target.
Impact
The victim will receive the malicious link in their email, and, when it is clicked, it will leak the user's password reset link / token to the attacker, leading to full account takeover.

Example for more understanding
1.) Open up Firefox and Burp Suite.
2.) Visit the forgot password page (/index.php/login/concrete/forgot_password).
3.) Enter the victim's email address and click "Reset and Email Password".
4.) Intercept the HTTP request in Burp Suite & change the Host header to your malicious site / server.
5.) Forward the request and you'll be redirected to your server.
The victim will then receive a password reset e-mail with your poisoned link.
If the victim clicks the link, the reset token will be leaked and the attacker will be able to find the reset token in the server logs. The attacker can then browse to the reset page with the token and change the password of the victim account!
Remediation
Use $_SERVER['SERVER_NAME'] rather than $_SERVER['HTTP_HOST'].
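The following is an added example, not code from the affected application or the original report: a reset-link builder that copies the Host header into the e-mailed link, beside a hardened version that builds the link from a configured canonical hostname and only compares the request's Host header against it. The reset path, the canonical hostname and the request array are assumed/constructed values.

```php
<?php
// Added example (not from the original report). The constants below are assumptions:
// a site-wide configured hostname and a hypothetical reset-page path.
const CANONICAL_HOST = 'www.example.com';
const RESET_PATH = '/reset-password'; // hypothetical path, not the one from the report

// Vulnerable: whatever the client sent in the Host header is embedded in the link
// that is e-mailed to the victim, so a poisoned Host header redirects the token.
function buildResetLinkVulnerable(array $server, string $token): string
{
    $host = $server['HTTP_HOST']; // attacker-controlled on every request
    return 'https://' . $host . RESET_PATH . '?token=' . rawurlencode($token);
}

// Hardened: the hostname comes from configuration, never from the request.
// The request's Host header is only validated against it; a mismatch is rejected
// (and is worth logging, since it is a signal of exactly this attack).
function buildResetLinkHardened(array $server, string $token): string
{
    $requestHost = strtolower($server['HTTP_HOST'] ?? '');
    if ($requestHost !== CANONICAL_HOST) {
        throw new RuntimeException('Unexpected Host header: ' . $requestHost);
    }
    return 'https://' . CANONICAL_HOST . RESET_PATH . '?token=' . rawurlencode($token);
}

// Constructed request: the Host header has been rewritten to a third-party server,
// as in step 4 of the report.
$poisonedRequest = ['HTTP_HOST' => 'attacker.example'];
$token = bin2hex(random_bytes(16));

// The vulnerable builder produces a link pointing at attacker.example with the token in it.
echo buildResetLinkVulnerable($poisonedRequest, $token), PHP_EOL;

// The hardened builder refuses to build a link for an unexpected host at all.
try {
    echo buildResetLinkHardened($poisonedRequest, $token), PHP_EOL;
} catch (RuntimeException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

Note that $_SERVER['SERVER_NAME'] is only as trustworthy as the web server's canonical-name configuration (Apache derives it from the Host header unless UseCanonicalName is On), which is why the hardened version above pins the hostname in application configuration instead.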