Most web application security vulnerabilities leverage user input in ways that were not initially intended by the application's developer(s). Password Reset Poisoning is one such vulnerability: it leverages commonly overlooked headers, such as the Host header seen in an HTTP request:
GET https://example.com/reset.php?email=foo@bar.com HTTP/1.1
Host: evilhost.com
Notice the difference: we specify one host in the URL (example.com) and a different, malicious host in the Host header (evilhost.com).
Example – Password Reset(s)
One common piece of functionality in most web applications is the ability to reset your password. Requesting to do so may sometimes require sending an email to your inbox with a URL embedding a special one-time token to click on. The one-time token is there to allow the user to set a new password without having to specify the old (current) one.
Part of building that URL is deciding what the domain should be, which in PHP may look something along the lines of:
$resetPasswordURL = "https://{$_SERVER['HTTP_HOST']}/reset-password.php?token=12345678-1234-1234-1234-12345678901";
This is then injected into an email template and sent to the user as expected. From the developer's perspective, $_SERVER["HTTP_HOST"] is always expected to be example.com, so they would rarely perform any additional sanity checks on the input.
Targeted Attack
As a malicious actor, you want to take control of a particular person's account. By leveraging Password Reset Poisoning, you can:
- Obtain the target's email address used on the site. This is sometimes done via:
a) Social Engineering attacks (Phishing, Smishing etc.)
b) OSINT (Open-source Intelligence)
c) Mining old data breaches for the user's information.
- Send a Password Reset request on behalf of the target scoped in step one, with the modified Host header like so:
POST https://example.com/reset.php HTTP/1.1
Accept: */*
Content-Type: application/json
Host: evilhost.com
{"email": "target@company.com"}
Which, if we refer back to the previous code, will string-interpolate the reset password URL to (for example):
https://evilhost.com/reset-password.php?token=12345678-1234-1234-1234-12345678901
- Wait for the target to receive the manipulated email, such as the following: These emails would look entirely legitimate to the user, particularly if the link is hidden behind some button or image, primarily because the email is genuinely sent by the real application and not by the evil host.

- The victim's password reset token is extracted once the link is clicked. At this point, the attack can go a step further by cloning the site to make it appear as though the user is accessing the real one. This is generally done in one of two ways:
a) The attacker clones part of the application (e.g. the login page) and presents that to the user once they have clicked the link.
b) The attacker's site (evilhost.com) acts as a proxy to the real site, whereby the look and the contents are identical to the original site, making everything appear seamless to the end user. This is the most convincing method.
Remediation
From a development perspective, do not trust the Host header, or any input header for that matter. Instead, the application's base URL should be determined by some configuration depending on the environment. A good example is a config.ini file such as:
[GLOBAL]
DB_URL=mysql://
DB_USER=root
DB_PASS=toor
[APPLICATION]
BASE_URL=example.com
This can then be string-interpolated safely as a constant in the previous code. Assume there is some utility function get_config(section, entry):
$resetPasswordURL = "https://" . get_config('APPLICATION', 'BASE_URL') . "/reset-password.php?token=12345678-1234-1234-1234-12345678901";
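A fuller version of this remediation, as an added example that is not the article's own code: get_config is a hypothetical helper assumed to read the [APPLICATION] section of the ini file shown above (fed here from an inline string so the script runs stand-alone), the vulnerable builder is shown beside the hardened one, and a Host header check is added as defence in depth.

```php
<?php
// Constructed config contents; in practice load config.ini with parse_ini_file($path, true).
const CONFIG_INI = <<<'INI'
[APPLICATION]
BASE_URL=example.com
INI;

// Hypothetical helper: look up one entry of one section, failing loudly if absent.
function get_config(string $section, string $entry): string
{
    static $config = null;
    if ($config === null) {
        $config = parse_ini_string(CONFIG_INI, true);
    }
    if (!isset($config[$section][$entry])) {
        throw new RuntimeException("Missing config entry {$section}.{$entry}");
    }
    return (string) $config[$section][$entry];
}

// Vulnerable pattern from the article: the link follows whatever Host header the client sent.
function build_reset_url_unsafe(array $server, string $token): string
{
    return "https://{$server['HTTP_HOST']}/reset-password.php?token=" . rawurlencode($token);
}

// Hardened version: the link always points at the configured BASE_URL,
// and the token is URL-encoded so it cannot alter the query string.
function build_reset_url_safe(string $token): string
{
    return 'https://' . get_config('APPLICATION', 'BASE_URL')
        . '/reset-password.php?token=' . rawurlencode($token);
}

// Defence in depth: refuse the request outright when the Host header is not the
// configured one, so a poisoned request is rejected (and can be logged) early.
function host_header_is_allowed(array $server): bool
{
    $host = strtolower($server['HTTP_HOST'] ?? '');
    return $host === strtolower(get_config('APPLICATION', 'BASE_URL'));
}

// Constructed request carrying a spoofed Host header, with a constructed random token.
$spoofed = ['HTTP_HOST' => 'evilhost.com'];
$token = bin2hex(random_bytes(16));
echo build_reset_url_unsafe($spoofed, $token), "\n";
echo build_reset_url_safe($token), "\n";
var_dump(host_header_is_allowed($spoofed));
```

The first printed link carries the attacker-controlled host, the second always carries example.com, and the final check reports false for the spoofed request.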
Additionally, as an application developer, you should support and strongly incentivize Multi-Factor Authentication to prevent malicious actors from hijacking accounts with password reset tokens alone. Ideally, also avoid 2FA methods such as SMS authentication.
Conclusion
Password Reset Poisoning is one of those attacks that seem very trivial and are very much on the practical side rather than the theoretical, often used as low-hanging fruit in Bug Bounty Programs.
That said, it is very easy to secure against and neatly illustrates why you should always be cautious of any possible form of user input. This is particularly true when developers make use of web application security scanners to automatically discover such vulnerabilities. Acunetix will not just test the Host header for Password Reset Poisoning; it will also test for a slew of other Host Header attacks to help you fully secure your web application(s).
