Vulnerable page
https://itp.tarc.edu.my/
Summary
Host Header Injection on Password Reset Functionality that lead to 1 Click Account Takeover.
Steps to Reproduce
The HTTP Host header is a mandatory request header as of HTTP/1.1. It specifies the domain name that the client wants to access. For example, when a user visits https://google.com/web-security , their browser will compose a request containing a Host header as follows:
I realized that changing the value of the Host header while doing a password reset on the vulnerable page will result in getting a password reset link with a modified domain value.
This means that an attacker can redirect the victim to a malicious domain by controlling the Host header value while requesting a password reset for the victim, with the prerequisite that the victim clicks on the link. Since the password reset link contains the password reset token, the attacker could achieve Account Takeover by resetting the victim's password.
5. When the victim clicks on the malicious password reset link, they are making a request to the malicious domain carrying the password reset token; the attacker-controlled domain then receives the request and obtains the password reset token, achieving Account Takeover.
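The root cause described above is that the application builds the emailed reset link from the client-supplied Host header. The following is an added illustration, not code from the report or from the TARC application: it places the vulnerable link-building pattern beside a hardened version that ignores Host when constructing the link, rejects requests whose Host is not on an allowlist, and includes a small check that a defender could run over generated links or mail logs to spot poisoned ones. The origin, allowlist, request dict and token are constructed placeholders.

```python
"""Added example (not part of the original report): building password reset
links from a trusted canonical origin instead of the incoming Host header.
The HTTP request is modelled as a plain dict of headers so the code runs offline."""
from urllib.parse import urlencode, urlsplit

# Assumed configuration for illustration only; the real application's
# canonical origin and allowed hosts are not given in the report.
CANONICAL_ORIGIN = "https://itp.example.test"   # placeholder, not a real host
ALLOWED_HOSTS = {"itp.example.test"}


def vulnerable_reset_link(request_headers, token):
    """Vulnerable pattern: the link's domain is taken from the Host header.
    Whatever value the client sent for Host ends up in the emailed link."""
    host = request_headers.get("Host")
    return f"https://{host}/reset?{urlencode({'token': token})}"


def hardened_reset_link(request_headers, token):
    """Hardened pattern: the link always uses the configured canonical origin,
    and a request whose Host is not on the allowlist is rejected outright."""
    host = request_headers.get("Host", "")
    # Drop an explicit port ("host:443") before comparing against the allowlist.
    hostname = host.split(":", 1)[0].lower()
    if hostname not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected Host header: {host!r}")
    return f"{CANONICAL_ORIGIN}/reset?{urlencode({'token': token})}"


def is_poisoned(link):
    """Detection check for generated links or outbound-mail logs:
    True when the link points at a host other than the allowlisted ones."""
    return urlsplit(link).hostname not in ALLOWED_HOSTS


if __name__ == "__main__":
    token = "CONSTRUCTED-TOKEN-123"                 # constructed sample token
    spoofed = {"Host": "attacker.example"}          # constructed spoofed Host header
    legit = {"Host": "itp.example.test"}            # constructed legitimate Host header

    bad_link = vulnerable_reset_link(spoofed, token)
    print("vulnerable:", bad_link, "poisoned:", is_poisoned(bad_link))

    try:
        hardened_reset_link(spoofed, token)
    except ValueError as exc:
        print("hardened rejected:", exc)

    good_link = hardened_reset_link(legit, token)
    print("hardened:", good_link, "poisoned:", is_poisoned(good_link))
```

The hardened version deliberately does not try to "sanitise" the Host value; the safe fix is to never derive an absolute URL from it. Keeping the allowlist check as well gives a log line for every request that arrived with an unexpected Host, which is the signal a defender wants when looking for attempts of this kind.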
Additional Information
To make the malicious domain look more convincing, an attacker could register a domain similar to the real TARC domain.
Supporting Materials
https://medium.com/@tameemkhalid786/host-header-injection-on-password-reset-functionality-an-easy-p2-5c6263c2e3d4
https://hackerone.com/reports/226659
https://portswigger.net/web-security/host-header/exploiting/password-reset-poisoning
https://portswigger.net/web-security/host-header
Impact
Account Takeover