Host Header Injection To Account Takeover || How I have found and earned $$$$ with POC image
Hello Friends,My name is Ranjeet Singh and today I am going to explain what is host header injection, how you can find it and how I have find host header injection and able to takeover any account and earned $$$$
What Is Host Header Injection :
HTTP Host header attacks occurs when websites that handle the value of the Host header in an unsafe way. If the server implicitly trusts the Host header, and fails to validate or escape it properly, an attacker may be able to use this input to inject harmful payloads that manipulate server-side behavior. Attacks that involve injecting a payload directly into the Host header are often known as “Host header injection” attacks.
How this can be used to takeover accounts :
A common way to implement password reset functionality is to generate a secret token and send an email with a link containing this token. What could happen if an attacker requests a password reset with an attacker-controlled host header?
If the web application makes use of the host header value when composing the reset link, an attacker can poison the password reset link that is sent to a victim. If the victim clicks on the poisoned reset link in the email, the attacker will obtain the password reset token and can go ahead and reset the victim’s password.
So, I was testing one private site and lets call that domain as : <redacted>.com
I never test for host header injections because rarely you can find this type of vulnerability.So, I have stopped testing but after watching one of my friends tweet that he has earned using this vulnerability again I started hunting for this vulnerability and added into my checklist.
Steps was very simple to reproduce this vulnerability.First signup and verify your account.Then visit to password reset page and add one by one this headers :
X-Forwarded-For: attacker.com
X-Forwarded-Host: attacker.com
X-Forwarded-Proto headers: attacker.com
Host: attacker.com (duplicate this header)
X-Host: attacker.com
X-Forwarded-Server: attacker.com
X-HTTP-Host-Override: attacker.com
Forwarded: attacker.com
And if you are lucky enough then in password reset token your controlled domain will be mentioned.
I have just added X-Forwarded-Host header and see this poc image my controlled domain was mentioned in password reset link.And if victim will visit this link I will receive password reset token and then I can reset password of victim.You can use ngrok too for exploitation.
So at last I would like to say that be motivated and test everything from low t critical vulnerability may be you will find something interesting.If I have done any mistake/forgot anything then please notify me I will correct it.
TWTTER ID : https://twitter.com/geekboyranjeet
INSTAGRAM ID : https://www.instagram.com/geekb0yranjeet/
Thank You
