Playing The Chain Game

UNIBIC
3 min read · Apr 8, 2021

Hey guys! How are you? This is UNIBIC and I hope you are spending time learning a lot of good things in this pandemic :) If not then I will try to contribute to your learning by presenting this write-up in front of you.

So the story’s about how I chained two simple vulnerabilities to create a bigger impact. Let’s assume the target domain is:-

sellers.unibic.xyz

1. PII Leak:-

While I was playing with the reset password functionality, a notification popped up on my screen containing the reset link.

After opening the URL it redirected me to “https://sellers.unibic.xyz/user/reset/2631/1612634868/reset-token” and the website interface looked something like this:-

It showed the email of the person who is resetting the password.

So, I started changing the “user_id” in the URL, which is (2631) here. When I changed it to (1), I got the administrator’s email on the interface. I tried changing his password by clicking login, but it showed me a 403 Forbidden error. Next, I turned to Burp’s Intruder to iterate over the user_id and fetch all the sellers’ emails from the responses.

2. Password Reset Poisoning:-

Now let us move to our second phase, where we will learn about password reset poisoning via host header injection. When we have to reset our password, we visit the /forgot-password page, enter our email, and click submit.

In this case the /forgot-password page lives at /user/password, so we go to the URL “https://sellers.unibic.xyz/user/password” and enter our email, but before clicking submit we intercept the request like this:-

Victim Host:- “sellers.unibic.xyz” || Attacker Host:- “attacker.com”

After capturing the request we change the “Host” header from “sellers.unibic.xyz” to “attacker.com” and forward the request.

Now, can you guess the reset link sent by the website in our inbox? Yes, you are correct my friend! It's:-

“https://attacker.com/user/reset/1/1612644740/reset-token”

We have successfully replaced the legitimate host with a malicious host that logs every request coming towards it. So, whenever the recipient clicks the received link, a request is sent to attacker.com with the “reset-token” at the end of the URL, where it can be captured easily. Thus, there is a high risk of account takeover.
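The root cause is that the server builds the link in the reset email from the Host header the client sent instead of from its own configuration. The code below is an added example (not the site’s code or the author’s) showing that link builder beside a hardened one that validates Host against an allowlist and always uses a configured canonical host, plus a log check that surfaces reset requests carrying an unexpected Host. CANONICAL_HOST, ALLOWED_HOSTS, the header dicts and the log lines are constructed for the example.

```python
# Configured server-side; constructed values for this example.
CANONICAL_HOST = "sellers.unibic.xyz"
ALLOWED_HOSTS = {"sellers.unibic.xyz"}


def reset_path(user_id: int, issued_at: int, token: str) -> str:
    """Path shape used in the write-up's reset links."""
    return f"/user/reset/{user_id}/{issued_at}/{token}"


def vulnerable_reset_link(request_headers: dict, user_id: int,
                          issued_at: int, token: str) -> str:
    """Builds the emailed link from whatever Host the client sent, so a
    poisoned header becomes a poisoned email. (Frameworks that also trust
    X-Forwarded-Host have the same problem.)"""
    host = request_headers.get("Host", CANONICAL_HOST)
    return f"https://{host}{reset_path(user_id, issued_at, token)}"


def hardened_reset_link(request_headers: dict, user_id: int,
                        issued_at: int, token: str):
    """Refuses to send anything when Host is not one we serve, and builds the
    link from configuration rather than from the request."""
    host = request_headers.get("Host", "").split(":", 1)[0].strip().lower()
    if host not in ALLOWED_HOSTS:
        return None  # caller logs this and sends no email
    return f"https://{CANONICAL_HOST}{reset_path(user_id, issued_at, token)}"


def suspicious_reset_requests(log_lines):
    """Constructed access-log format 'client_ip host path'. Returns the lines
    where a password-reset request arrived with a Host outside the allowlist,
    which is the signature of the poisoning attempt described above."""
    flagged = []
    for line in log_lines:
        ip, host, path = line.split()
        if path == "/user/password" and host.lower() not in ALLOWED_HOSTS:
            flagged.append(line)
    return flagged


# Constructed log lines: one poisoned request, one normal one.
SAMPLE_LOG = [
    "198.51.100.7 attacker.com /user/password",
    "203.0.113.9 sellers.unibic.xyz /user/password",
]
```

Put the Host allowlist check in front of every route, not just this one; ALLOWED_HOSTS-style settings exist in most web frameworks and are the cheap fix, while building absolute URLs only from configuration is the durable one.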

3. Chaining both the attacks:-

Let's sum up what we have found and collected till now. We have all the seller emails and an easy trick to send them a malicious password-reset link.

Resetting a password only requires the victim’s email, which we now have; one by one we can send each of them a malicious password-reset link just by changing the host header, which makes for a precise and perfectly targeted phishing and spamming attack :)

That's it for this blog :) Hope you learned something! Thanks a lot for giving your precious time! See you at the next one!

❤ from UNIBIC
