This blog is all about Cyber Security and IT


Wednesday, April 22, 2020

Password Reset link hijacking via Host Header Poisoning


This vulnerability arises when a website uses the Host header to build the URL in its password reset links. An attacker can supply a malicious Host header, which causes the password reset link / token to be leaked.

Developers often resort to the exceedingly untrustworthy HTTP Host header ($_SERVER["HTTP_HOST"] in PHP, or its equivalent in other languages).

There are two main ways to exploit this trust in regular web applications.

The first approach is web-cache poisoning: manipulating caching systems into storing a page generated with a malicious Host and serving it to other users.
The second technique abuses alternative channels, like password reset e-mails, where the poisoned content is delivered directly to the target.

Impact

The victim will receive the malicious link in their email, and, when clicked, will leak the user's password reset link / token to the attacker, leading to full account takeover.

Example for a better understanding

1.) Open up Firefox and Burp Suite.
2.) Visit the forgot password page (/index.php/login/concrete/forgot_password).
3.) Enter the victim's email address and click "Reset and Email Password".
4.) Intercept the HTTP request in Burp Suite and change the Host header to your malicious site / server.
5.) Forward the request and you'll be redirected to your server.
The victim will then receive a password reset e-mail containing your poisoned link.


If the victim clicks the link, the reset token is sent to the attacker's server, where the attacker can find it in the server logs. The attacker can then browse to the reset page with that token and change the password of the victim's account!


Remediation

Use $_SERVER['SERVER_NAME'] rather than $_SERVER['HTTP_HOST']
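To make the remediation concrete, here is an added PHP example (not code from the original post): a reset-link builder that takes its host from request headers, beside a hardened one that uses a configured canonical base URL and an allowlist of hosts. The /reset-password path, the base URL and the allowlist are assumptions for this example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. Demonstrates why a reset
// link built from request headers is poisonable and how to build it safely.

// Vulnerable: the link's host comes from client-controlled headers. Behind a
// proxy, frameworks often honour X-Forwarded-Host as an override, which is
// why both headers matter for this class of bug.
function buildResetLinkVulnerable(array $server, string $token): string
{
    $host = $server['HTTP_X_FORWARDED_HOST'] ?? $server['HTTP_HOST'] ?? 'localhost';
    // '/reset-password' is a hypothetical path used only for this example.
    return 'https://' . $host . '/reset-password?token=' . urlencode($token);
}

// Hardened: the host never comes from the request. The canonical base URL is
// a hypothetical configuration value, and requests whose Host header is not
// on the allowlist are refused so no page is ever generated for a foreign host.
const CANONICAL_BASE_URL = 'https://example.com';
const ALLOWED_HOSTS = ['example.com', 'www.example.com'];

function hostIsAllowed(array $server): bool
{
    $host = strtolower((string) ($server['HTTP_HOST'] ?? ''));
    $host = (string) preg_replace('/:\d+$/', '', $host); // drop an explicit port (example.com:443)
    return in_array($host, ALLOWED_HOSTS, true);
}

function buildResetLinkSafe(array $server, string $token): string
{
    if (!hostIsAllowed($server)) {
        throw new RuntimeException('Unexpected Host header; refusing to build reset link');
    }
    // Note: $_SERVER['SERVER_NAME'] is only a safe alternative when the web
    // server pins it to a configured name (Apache: UseCanonicalName On);
    // otherwise it simply mirrors the Host header.
    return CANONICAL_BASE_URL . '/reset-password?token=' . urlencode($token);
}

// Constructed request: a forgot-password submission with a poisoned Host header.
$poisoned = ['HTTP_HOST' => 'attacker.example', 'REQUEST_METHOD' => 'POST'];
$token = bin2hex(random_bytes(16)); // constructed reset token
echo buildResetLinkVulnerable($poisoned, $token), PHP_EOL; // host taken from the request
try {
    buildResetLinkSafe($poisoned, $token);
} catch (RuntimeException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```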

Host Header attack


In simple terms: if a website x.com is requested and I change the Host header to y.com, and I am still able to open that host, then it is a host header attack.

Vulnerability Description:

Open Redirection is sometimes used as a part of phishing attacks that confuse visitors about which web site they are visiting.

How to find this Vulnerability

1. Change the Host header to x.com, then click Go. If this does not succeed, try the method below.
2. Change the Host header to x.com and set X-Forwarded-Host to the original domain.com. If this still does not succeed, try the next one.
3. Do the opposite of step two: change the Host header to the original domain.com and set X-Forwarded-Host to x.com.

If none of the above steps succeed, the website is probably protected against this vulnerability.

Remediation:

If possible, the application should avoid incorporating user-controllable data into redirection targets. In many cases, this behavior can be avoided in two ways:

Remove the redirection function from the application, and replace links to it with direct links to the relevant target URLs.

Maintain a server-side list of all URLs that are permitted for redirection. Instead of passing the target URL as a parameter to the redirector, pass an index into this list.


Example of a Bug Reported:

Vulnerable URL:
https://wakatime.com/settings/account?apikeyrefresh=true
Payload: X-Forwarded-Host: bing.com
How to reproduce this vulnerability:
  1. Open this URL "https://wakatime.com/settings/account?apikeyrefresh=true" and send it to the Repeater in Burp Suite.
  2. Add the payload to the request headers and forward the request.
  3. It will directly redirect to bing.com.

Impact:
Whenever a user visits this URL, it redirects them to site.com. This can be used in phishing attacks.