Hello Everyone (Ram Ram Ji),
This article is about an account takeover bug via host header poisoning. Redacted.com was vulnerable to host header injection in which remote attackers can exploit it to takeover any account of redacted.com.
As an attacker, I modified the POST request in which first I change the value of the Host header to evil.com but nothing happened then I add the X-Forwarded-Host header with evil.com value again nothing happened. It was my third attempt now, this time I changed the value of the Referrer header too and put the same value as the X-Forwarded-Host header value and it got worked for me.
Request was looked like:
POST /forgot HTTP/1.1
After sending the request I got email with host as evil.com looks like:
Step to Reproduce (Acc. to Report):
- Navigate to “https://redacted.com/forgot".
- Then enter your username & intercept that request with the help of Burp Suite.
- Now add these two headers into the POST request:
4. Now forward that request and check your email that is linked with your username.
June 26, 2019 — Reported to private program
August 01, 2019 — Report Triaged
August 08, 2019 — Bounty of $2000 USD awarded
October 24, 2019 — Vulnerability fixed
Special thanks to nullr3x (Big Bad Brother 🤑 )