P2-Token Leakage Via Host Header Poisoning (Weak password Reset Implementation)

Vulnerability Category: A3- Sensitive Data Exposure

Vulnerability Description: Most of web application security vulnerabilities, leverage user input in ways that were not initially intended by their developer(s). Password Reset Poisoning is one such vulnerability, that leverages commonly unthought of headers, such as the Host header seen in an HTTP request.

GET https://redacted.com/reset.php?email=foo@bar.com HTTP/1.1

Host: evilhost.com

Impact: A malicious user can take control of a particular individual’s account. By leveraging Password Reset Poisoning.

Severity : High

CVSS v3.0 Score: 8.3

CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L

Recommendation:

· Validate the headers that supplied into the requests

· Also use multi-factor authentication to prevent account hijacking , and one such method is SMS Authentication.

How to Test:

1) Click on reset the password on https://www.redacted.com/

2) Intercept the application request in Burpsuite

3) Change the Host field to www.evilsite.com

4) If step 3 doesn’t work out then add a new header X-Forwarded-Host: evil.com in the request.

5) The user will get a link like http://evil.com/reset_password/token if he clicks on it , the attacker receive the rest password token and hijack the user account