Host Header Poisoning On Password Reset Functionality

Vulnerable page

https://itp.tarc.edu.my/

Summary

Host Header Injection in the password reset functionality that leads to a one-click Account Takeover.

Steps to Reproduce

The HTTP Host header is a mandatory request header as of HTTP/1.1. It specifies the domain name
that the client wants to access. For example, when a user visits https://google.com/web-security,
their browser will compose a request containing a Host header as follows:

GET /web-security HTTP/1.1
Host: google.com

I realized that changing the value of the Host header while doing a password reset on the vulnerable page will
result in getting a password reset link with the modified domain value.

This means that an attacker can redirect the victim to a malicious domain by controlling the Host header
value while requesting a password reset for the victim, with the prerequisite that the victim clicks on the link. Since the
password reset link contains the password reset token, the attacker could achieve Account Takeover by
resetting the victim's password.

1. Browse to the vulnerable page: https://itp.tarc.edu.my/forgot-password
2. Insert the victim email (must be a valid user email), click SEND PASSWORD RESET LINK and intercept
the request with Burp Suite:
3. Change the Host header value to an attacker-controlled domain (you can use a temporary hostname
provided by https://requestbin.com):
4. Send the request and you will receive a password reset link in the victim's email.
5. When the victim clicks on the malicious password reset link, the browser sends a request carrying the
password reset token to the malicious domain; the attacker-controlled domain then receives the request and
obtains the password reset token, achieving Account Takeover.
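The root cause described above is a reset link built from the client-supplied Host header. The following is an added example (not code from the report or from the affected site) showing that pattern next to a hardened builder that only uses a configured origin, plus a small log check for reset requests that arrive with a foreign Host. The reset path, the log format and the log lines are constructed assumptions.

```python
import re
from urllib.parse import urlencode, urlunsplit

CANONICAL_HOST = "itp.tarc.edu.my"   # configured once; never derived from the request
RESET_PATH = "/reset-password"       # assumed path; the report does not state it


def build_reset_link_vulnerable(headers, token):
    """'Before' behaviour: the reset URL is assembled from whatever Host the client sent."""
    host = headers.get("Host", CANONICAL_HOST)
    return urlunsplit(("https", host, RESET_PATH, urlencode({"token": token}), ""))


def build_reset_link_hardened(headers, token):
    """Hardened: Host is checked against the configured origin and the link always uses that origin."""
    hostname = headers.get("Host", "").split(":", 1)[0].strip().lower()
    if hostname != CANONICAL_HOST:
        # Fail closed and loudly so a forged Host header shows up in application logs.
        raise ValueError(f"unexpected Host header: {headers.get('Host')!r}")
    return urlunsplit(("https", CANONICAL_HOST, RESET_PATH, urlencode({"token": token}), ""))


def hardened_rejects(host_value):
    """True if the hardened builder refuses to issue a link for this Host header value."""
    try:
        build_reset_link_hardened({"Host": host_value}, "probe")
    except ValueError:
        return True
    return False


# Constructed access-log lines (not from the report); the Host header is recorded as host=...
LOG_LINES = [
    '203.0.113.5 "POST /forgot-password HTTP/1.1" host=itp.tarc.edu.my 200',
    '203.0.113.9 "POST /forgot-password HTTP/1.1" host=abc123.requestbin.example 200',
    '203.0.113.5 "GET /login HTTP/1.1" host=itp.tarc.edu.my 200',
]

_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" host=(?P<host>\S+)')


def find_reset_requests_with_foreign_host(lines, expected=CANONICAL_HOST):
    """Detection: password-reset requests whose Host header is not the real origin."""
    hits = []
    for line in lines:
        m = _REQ_RE.search(line)
        if m and m["path"] == "/forgot-password" and m["host"].lower() != expected:
            hits.append((m["host"], line))
    return hits


if __name__ == "__main__":
    print(build_reset_link_vulnerable({"Host": "attacker.example"}, "TOKEN"))  # link points off-site
    print(find_reset_requests_with_foreign_host(LOG_LINES))
```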

Additional Information

To make the malicious domain more convincing, an attacker could register a domain that looks similar
to the real TARC domain.

Supporting Materials

https://medium.com/@tameemkhalid786/host-header-injection-on-password-reset-functionality-an-easy-p2-5c6263c2e3d4
https://hackerone.com/reports/226659
https://portswigger.net/web-security/host-header/exploiting/password-reset-poisoning
https://portswigger.net/web-security/host-header

Impact

Account Takeover
