Host Header Injection Leads To Pre-Account Takeover Worth 100$

Self Introduction :

Hello, I am Rupachandran S, a third-year student in the Integrated Five-Year Master of Computer Science with a Specialization in Business Analytics at Vellore Institute of Technology, Chennai. I am here to share my finding on Host Header Injection leading to Pre-Account Takeover.

What Is Host Header Injection :

Host Header Injection is a vulnerability in which a remote attacker exploits the HTTP Host header by sending a forged host value in place of the original one.

According to Tenable: “When creating URI for links in web applications, developers often resort to the HTTP Host header available in HTTP request sent by client-side. A remote attacker can exploit this by sending a fake header with a domain name under his control allowing him to poison the web cache or Add(Invite) user emails.”

HTTP Host header vulnerabilities typically arise due to the flawed assumption that the header is not user-controllable. This creates implicit trust in the Host header and results in inadequate validation or escaping of its value, even though an attacker can easily modify this using tools like Burp Proxy.

Even if the Host header itself is handled more securely, depending on the configuration of the servers that deal with incoming requests, the Host can potentially be overridden by injecting other headers. Sometimes website owners are unaware that these headers are supported by default and, as a result, they may not be treated with the same level of scrutiny.

The Tool I Used For This Finding :

Burp Suite

This is How I Used It For The Pre-Account Takeover:

A general implementation of Invite User functionality is to generate a secret token and send an email to the holder of that email address with a link containing this secret token. What happens if an attacker requests an invitation for the victim with an attacker-controlled Host header?

The invitation link is then built on the attacker-controlled domain, so when the victim opens it, the victim’s invitation token is delivered to the attacker’s domain and the attacker can use it.

The Add User functionality creates a new user and sends an e-mail invite. Using this flaw, an attacker could also trick a user into entering their pre-existing account credentials.

The first step is the “Set Password” functionality: if the attacker completes setting the password for the victim’s account,

it is a clear Pre-Account Takeover.

Steps to Reproduce:

1. Navigate to accounts.test.target.com/users/add and enter the victim’s email address and a random first name and last name to get the invitation link.

2. Capture this request using Burp Suite and send the request to Repeater.

3. Replace Host: accounts.test.target.com with Host: evil.com in the Repeater request.

4. Then click Go and check the response.

5. After this, check your (the victim’s) email. You will have received an Add User invitation email containing the token, with a link that looks like:

evil.com/login?resetpassword&username=b..

When the attacker opens the link after replacing evil.com with the original subdomain and domain, accounts.test.target.com, keeping the same parameters and token value, BOOM, it works!!!

The Set Password page appears.

You can also try these Host-override headers for similar findings:

X-Forwarded-For: evil.com

X-Forwarded-Host: evil.com

X-Forwarded-Proto: evil.com

X-Host: evil.com

X-Forwarded-Server: evil.com
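To make the root cause of the finding concrete, here is an added example (it is not code from the original post or from the affected application) in Python. It puts the flawed pattern described above, an invitation link built from whatever Host or X-Forwarded-Host the client sent, beside a hardened version that builds the link from a configured canonical base URL and rejects any request whose Host-type headers, including the override headers listed just above, are not on an allowlist. Note that X-Forwarded-Proto normally carries the scheme (http/https), not a host, so the hardened version simply ignores it. It also includes a small detection helper that scans access-log lines for mismatched hosts. The base URL, the allowlist, the token format, the username and the log line format are all assumptions constructed for the example.

```python
import re
import secrets
from urllib.parse import quote

# Assumption: the application's canonical origin is fixed in configuration,
# never derived from the incoming request.
CANONICAL_BASE_URL = "https://accounts.test.target.com"
ALLOWED_HOSTS = {"accounts.test.target.com"}

# Headers that proxies or frameworks may treat as a replacement for Host.
HOST_LIKE_HEADERS = ("Host", "X-Forwarded-Host", "X-Host", "X-Forwarded-Server")


def new_invite_token():
    """Random, unguessable invitation token (constructed example, 32 bytes)."""
    return secrets.token_urlsafe(32)


def vulnerable_invite_link(headers, username, token):
    """The flaw: the link's origin comes from client-controlled headers.
    X-Forwarded-Host wins over Host, mirroring common proxy behaviour, so a
    forged header ends up in the e-mail sent to the victim."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    scheme = headers.get("X-Forwarded-Proto", "https")
    return f"{scheme}://{host}/login?resetpassword&username={quote(username)}&token={token}"


def validate_host(headers):
    """Raise ValueError if any Host-like header names a host outside the allowlist.
    Returns the canonical hostname otherwise. Only the first value of a
    comma-separated list is considered and an optional :port is stripped."""
    for name in HOST_LIKE_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        hostname = value.split(",")[0].strip().lower()
        if ":" in hostname:
            hostname = hostname.rsplit(":", 1)[0]
        if hostname not in ALLOWED_HOSTS:
            raise ValueError(f"untrusted {name} header: {value!r}")
    return next(iter(ALLOWED_HOSTS))


def hardened_invite_link(headers, username, token):
    """Rejects requests carrying an untrusted Host-like header, then builds the
    link from the configured base URL, so the request can never steer it."""
    validate_host(headers)
    return f"{CANONICAL_BASE_URL}/login?resetpassword&username={quote(username)}&token={token}"


# Constructed access-log excerpt (not real traffic) in a simple key="value" format:
# timestamp, method, path, Host header, X-Forwarded-Host header ("-" when absent).
SAMPLE_LOG = """\
2024-01-01T10:00:00Z POST /users/add host="accounts.test.target.com" xfh="-"
2024-01-01T10:00:05Z POST /users/add host="evil.com" xfh="-"
2024-01-01T10:00:09Z POST /users/add host="accounts.test.target.com" xfh="evil.com"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) host="([^"]*)" xfh="([^"]*)"$')


def suspicious_invite_requests(log_text):
    """Detection: return the log lines whose Host or X-Forwarded-Host is not on
    the allowlist. Such lines on an invite endpoint deserve investigation."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        _ts, _method, _path, host, xfh = match.groups()
        hdrs = {"Host": host}
        if xfh != "-":
            hdrs["X-Forwarded-Host"] = xfh
        try:
            validate_host(hdrs)
        except ValueError:
            hits.append(line)
    return hits


if __name__ == "__main__":
    token = new_invite_token()
    forged = {"Host": "evil.com"}
    print("vulnerable:", vulnerable_invite_link(forged, "victim", token))
    try:
        hardened_invite_link(forged, "victim", token)
    except ValueError as err:
        print("hardened rejected the request:", err)
    print("hardened:", hardened_invite_link({"Host": "accounts.test.target.com"}, "victim", token))
    for line in suspicious_invite_requests(SAMPLE_LOG):
        print("suspicious:", line)
```

The important design choice is that the hardened builder never reads the host from the request at all; the allowlist check exists only to fail loudly (and log) when a forged header arrives, which is also the signal the detection helper looks for in access logs.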

Thanks and regards,

Have a great day :)

Rupachandran S

Available on:

INSTAGRAM: https://www.instagram.com/gokulrupachandran/

TWITTER: https://twitter.com/RupachandranS

LINKEDIN: https://www.linkedin.com/in/rupachandrans