Web Application Security Assessment using Burp Community Edition | Part 3 | Audit Guidelines | High Impact Web Vulnerability

Rishu Ranjan
2 min read · Jun 28, 2020

Account Takeover via Forgot Password — A Practical Attack Scenario of Host Header Injection

What is Host Header?

The Host request header specifies the host and port number of the server to which the request is being sent. If no port is included, the default port for the service requested (e.g., 443 for an HTTPS URL, and 80 for an HTTP URL) is implied.

A Host header field must be sent in all HTTP/1.1 request messages. A 400 (Bad Request) status code may be sent to any HTTP/1.1 request message that lacks a Host header field or that contains more than one.

Audit Guideline

  1. Capture the forgot-password request in Burp Community Edition and send it to Repeater.
  2. Add a second Host header with a custom domain as its value and send the request.
  3. Observe that the victim receives a password reset mail whose link points to the custom domain and carries the reset token. Once the victim clicks the link, the attacker obtains the token from his web server logs.
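The root cause behind this audit step is that the application builds the absolute URL for the reset mail from the request's Host header instead of from server-side configuration. The following example is added here to illustrate that defect and its fix; it is not code from the original post or from any application the author tested. All names (`CANONICAL_ORIGIN`, `ALLOWED_HOSTS`, `app.example.com`, `attacker.example`, the sample token) are constructed for illustration.

```python
"""
Hardening a forgot-password flow against Host header injection.

build_reset_link_vulnerable() reproduces the defect the audit step looks for:
the absolute URL placed in the reset mail is assembled from whatever Host
header the client supplied, so an attacker-controlled Host value ends up in
the victim's mail. build_reset_link_hardened() shows the fix: the base URL
comes from configuration, and the incoming Host is checked against an
allowlist and rejected when it is missing, duplicated or unknown.
All configuration values and sample requests below are constructed.
"""
from urllib.parse import urlencode

# Constructed configuration: the canonical origin the application is served from.
CANONICAL_ORIGIN = "https://app.example.com"
ALLOWED_HOSTS = {"app.example.com", "app.example.com:443"}


class HostHeaderError(ValueError):
    """Raised when the Host header is missing, duplicated or not allowlisted."""


def build_reset_link_vulnerable(headers, token):
    """Insecure: trusts the request's Host header.

    `headers` is a list of (name, value) pairs as parsed from the request.
    Some stacks expose the first Host value, others the last; either way the
    link is built from client-controlled input.
    """
    hosts = [v for k, v in headers if k.lower() == "host"]
    host = hosts[-1]  # the appended (injected) header wins here
    return f"https://{host}/reset-password?" + urlencode({"token": token})


def validate_host(headers):
    """Enforce the HTTP/1.1 rule: exactly one Host, and it must be one we serve."""
    hosts = [v.strip() for k, v in headers if k.lower() == "host"]
    if len(hosts) != 1:
        raise HostHeaderError(f"expected exactly one Host header, got {len(hosts)}")
    if hosts[0].lower() not in ALLOWED_HOSTS:
        raise HostHeaderError(f"Host not allowlisted: {hosts[0]!r}")
    return hosts[0]


def build_reset_link_hardened(headers, token):
    """Secure: validate Host, then build the link from configuration, not the request."""
    validate_host(headers)
    return f"{CANONICAL_ORIGIN}/reset-password?" + urlencode({"token": token})


# Constructed sample requests: a normal one and one with a second, injected Host.
LEGIT_HEADERS = [("Host", "app.example.com"), ("User-Agent", "Mozilla/5.0")]
INJECTED_HEADERS = [
    ("Host", "app.example.com"),
    ("Host", "attacker.example"),  # constructed attacker-controlled value
    ("User-Agent", "Mozilla/5.0"),
]
SAMPLE_TOKEN = "0123456789abcdef"  # constructed, not a real token


def demo():
    """Return (vulnerable link, hardened outcome) for the injected request."""
    vuln = build_reset_link_vulnerable(INJECTED_HEADERS, SAMPLE_TOKEN)
    try:
        hardened = build_reset_link_hardened(INJECTED_HEADERS, SAMPLE_TOKEN)
    except HostHeaderError as exc:
        hardened = f"rejected: {exc}"
    return vuln, hardened


if __name__ == "__main__":
    vuln, hardened = demo()
    print("vulnerable :", vuln)
    print("hardened   :", hardened)
    print("legit      :", build_reset_link_hardened(LEGIT_HEADERS, SAMPLE_TOKEN))
```

When reviewing a fix, confirm that the same rule is applied to any forwarded-host header the framework honours behind a reverse proxy (for example `X-Forwarded-Host`), since several frameworks prefer it over Host when building absolute URLs; an allowlist on Host alone leaves that path open.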

Proof of Concept

Original Reset Password link mail
Modified reset link request
Reset password link mail with attacker provided domain

Reference

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Host

Rishu Ranjan

Security Lead at @Paytm | Ex- SAFE Security | Acknowledged by Apple, Google, Microsoft etc.| Security always Code rarely