Account Takeover Chained to Host Header Injection

Sushant Kamble
May 30, 2021

Hello Readers, hope you are all doing well during this pandemic. In this lockdown of work from home, you might have upgraded your skills. Let's adapt to this new normal and keep our family and loved ones healthy and safe.
I would like to share my methodology for an account takeover via a Host header injection attack.

Host Header Attack:
Host header injection is a very common attack found in most web applications. Host header vulnerabilities typically arise from the flawed assumption that the header is not user controllable. This creates implicit trust in the Host header and results in inadequate validation or escaping of its value, even though an attacker can easily modify it.

If possible, the application should avoid incorporating user-controllable data into redirection targets. In many cases, this behavior can be avoided in two ways:

  • Remove the redirection function from the application, and replace links to it with direct links to the relevant target URLs.
  • Maintain a server-side list of all URLs that are permitted for redirection. Instead of passing the target URL as a parameter to the redirector, pass an index into this list.

By using this attack, I was able to take over any account because of improper Host header implementation.

Steps To Reproduce:

Step 1: Navigate to the forgot password function of the target URL.
Step 2: Provide the username and click on the Confirm tab.
Step 3: While confirming, capture the request.

Step 4: Add another Host header as a new header below the existing Host header.
Step 5: After adding the new Host header, give your Burp Collaborator client link to get a callback response.

Step 6: Check Burp Collaborator. I was able to get an SMTP response in my client with the password reset link of the user ID sushant004, and it was sent to the registered email ID as well.

Step 7: After clicking the password reset link, I was redirected to the new password page.

Step 8: Hence, the account was taken over using the Host header flaw.

Step 9: Quickly, I reported the issue to HackerOne.

As this vulnerability was an Account Takeover via Host Header Injection, the severity was High P1.

This Vulnerability was Patched and Bounty will be released soon. 😎

Patching For Host Header Injection:

  • Proper sanitization of input values.
  • Proper verification of the request, whether it came from the original target host or not.
  • Mitigate the Host header attack in Apache and Nginx by creating a dummy virtual host that catches all requests from unrecognised Host headers.
  • Whitelist the trusted domains at the initial phase of the web application.
  • Respective mapping of the domains that are received in the host header of each HTTP request with itself.
  • Use secure server configuration.
  • Disable the support for the X-Forwarded-Host header option.
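
The allowlist and request-verification points above, sketched as a server-side check for the forgot-password handler. This is an added example, not code from the original post or the affected application; `ALLOWED_HOSTS`, `CANONICAL_BASE`, the `/reset-password` path and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import quote

# Assumed configuration (hypothetical values, not from the original post).
ALLOWED_HOSTS = {"app.example.com", "www.example.com"}
CANONICAL_BASE = "https://app.example.com"  # the only source for reset links


class BadHost(Exception):
    """Raised when the request's Host information cannot be trusted."""


def validate_host(headers):
    """headers: list of (name, value) pairs as received, duplicates preserved.

    Returns the normalized host when exactly one allowlisted Host header is
    present; raises BadHost otherwise.
    """
    hosts = [v for k, v in headers if k.lower() == "host"]
    # A second Host header (Step 4 above) makes the request ambiguous: reject.
    if len(hosts) != 1:
        raise BadHost("expected exactly one Host header, got %d" % len(hosts))
    name, sep, port = hosts[0].strip().lower().partition(":")
    # Anything after the colon must be a numeric port.
    if sep and not port.isdigit():
        raise BadHost("malformed port in Host header")
    name = name.rstrip(".")  # tolerate a trailing dot on the hostname
    if name not in ALLOWED_HOSTS:
        raise BadHost("Host %r is not on the allowlist" % name)
    return name


def build_reset_link(headers, token):
    """Return the password reset URL that goes into the e-mail."""
    validate_host(headers)  # fail before any mail is generated
    # X-Forwarded-Host is never read, and no header value reaches the URL:
    # the link is assembled from server-side configuration only.
    return "%s/reset-password?token=%s" % (CANONICAL_BASE, quote(token, safe=""))


# Constructed sample requests.
NORMAL = [("Host", "app.example.com"), ("Content-Type", "application/json")]
DOUBLE_HOST = [("Host", "app.example.com"), ("Host", "untrusted.example")]
FORWARDED = NORMAL + [("X-Forwarded-Host", "untrusted.example")]
```

With this check in place, a request carrying two Host headers is refused before the reset e-mail is built, and a request carrying X-Forwarded-Host produces the same link as one without it.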

If you have any difficulty, you can ping me on the social media below. Stay safe.

You can Connect with me :-

Twitter :- https://twitter.com/imsushantkamble
Linkedin :- https://in.linkedin.com/in/iamsushantkamble
Facebook :- https://www.facebook.com/iamsushantkamble/

Kindly Give a Clap if you found this helpful and came across this kinda scenario.

|Security Research| Bug Hunter| Bugcrowd| Hackerone| CTF Player |BlackHat🎩| CEH| CCNA| CCNP|MCSC|