P2 - Token Leakage via Host Header Poisoning (Weak Password Reset Implementation)
Vulnerability Category: A3 - Sensitive Data Exposure
Vulnerability Description: Most web application security vulnerabilities leverage user input in ways that the developer(s) did not originally intend. Password Reset Poisoning is one such vulnerability: it leverages commonly overlooked headers, such as the Host header seen in an HTTP request.
GET https://redacted.com/reset.php?email=foo@bar.com HTTP/1.1
Host: evilhost.com
Impact: A malicious user can take control of a particular individual's account by leveraging Password Reset Poisoning.
Severity: High
CVSS v3.0 Score: 8.3
CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
Recommendation:
· Validate the headers supplied in requests, in particular the Host and X-Forwarded-Host headers that the application uses when building links
· Also use multi-factor authentication to prevent account hijacking; SMS authentication is one such method.
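As an added example (not code from the original report or from the affected application), the following Python shows the weak pattern the report describes beside a hardened version of the first recommendation: the request's Host and X-Forwarded-Host headers are only validated against an allow-list, and the reset link is always built from a server-side configured base URL. The host name example-app.com, the allow-list, and the function names are assumptions chosen for this example. A small helper at the end shows how the same check can be run over a batch of captured reset requests to spot poisoning attempts.

```python
from urllib.parse import quote

# Constructed configuration for this example (assumptions, not values from the report).
# The base URL is fixed server-side and is never derived from the incoming request.
CANONICAL_BASE_URL = "https://www.example-app.com"
ALLOWED_HOSTS = {"www.example-app.com", "example-app.com"}
HOST_HEADERS = ("Host", "X-Forwarded-Host")


def _hostname(value: str) -> str:
    """Normalise a header value for comparison: drop an optional :port, lower-case."""
    value = value.strip()
    if value.startswith("["):  # bracketed IPv6 literal, e.g. [::1]:8080
        return value.split("]", 1)[0].lstrip("[").lower()
    return value.rsplit(":", 1)[0].lower() if ":" in value else value.lower()


def offending_hosts(headers: dict) -> list:
    """Return the host-bearing header values that are not on the allow-list.
    Every header the application (or its framework) might consult when building
    absolute URLs is checked, so an injected X-Forwarded-Host is caught too."""
    return [
        f"{name}: {headers[name]}"
        for name in HOST_HEADERS
        if name in headers and _hostname(headers[name]) not in ALLOWED_HOSTS
    ]


def build_reset_link_vulnerable(headers: dict, token: str) -> str:
    """The weak pattern the report describes: the link's host is copied from the
    request, so an attacker-supplied Host or X-Forwarded-Host ends up in the
    e-mail sent to the victim and the token is delivered to the attacker's site."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    return f"http://{host}/reset_password/{quote(token, safe='')}"


def build_reset_link_hardened(headers: dict, token: str) -> str:
    """Hardened version: host headers are only validated, never used to build the
    link; the link always uses the server-side configured base URL."""
    bad = offending_hosts(headers)
    if bad:
        raise ValueError(f"refusing to issue reset link, unexpected host header(s): {bad}")
    return f"{CANONICAL_BASE_URL}/reset_password/{quote(token, safe='')}"


def flag_poisoning_attempts(requests: list) -> list:
    """Detection helper for reviewing reset-endpoint traffic: given a list of
    header dicts, return the indices of requests carrying an off-list host."""
    return [i for i, h in enumerate(requests) if offending_hosts(h)]


if __name__ == "__main__":
    # Constructed sample requests: legitimate, poisoned Host, injected X-Forwarded-Host.
    sample = [
        {"Host": "www.example-app.com"},
        {"Host": "www.evilsite.com"},
        {"Host": "www.example-app.com", "X-Forwarded-Host": "evil.com"},
    ]
    for req in sample:
        print("weak    :", build_reset_link_vulnerable(req, "TOKEN"))
        try:
            print("hardened:", build_reset_link_hardened(req, "TOKEN"))
        except ValueError as exc:
            print("hardened:", exc)
    print("flagged request indices:", flag_poisoning_attempts(sample))
```

The design point is that validation and link construction are separate concerns: even a correct allow-list check does not help if the URL is still assembled from request data, so the hardened builder reads no host header at all. If the application sits behind a reverse proxy that legitimately sets X-Forwarded-Host, that proxy should overwrite the header rather than pass a client-supplied value through, and its canonical value belongs on the allow-list.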
How to Test:
1) Click on reset the password on https://www.redacted.com/
2) Intercept the application request in Burp Suite
3) Change the Host field to www.evilsite.com
4) If step 3 doesn't work out, then add a new header X-Forwarded-Host: evil.com to the request.
5) The user will receive a link like http://evil.com/reset_password/token; if they click on it, the attacker receives the reset password token and hijacks the user's account.