Every web application that has a login portal also has a password reset function, which comes in very handy when a user forgets their password. Read on to learn how attackers can steal your credentials while you reset your password.
Password reset poisoning is an attack in which the attacker gets hold of a victim’s password reset token and is then able to reset the victim’s password.
The issue arises when the application relies on the Host header to craft the password reset link, so the user-supplied Host header value ends up inside the link that is emailed to the victim.
Working of Password Reset Functionality
- A legitimate user who has forgotten his password goes to the password reset page and enters his email id or username.
- Then, the application checks whether the user is present in its database and creates a unique temporary token that is associated with the user’s account.
- An email is sent to the user containing a link with the token attached as a parameter. This link can be used to reset the account’s password.
For the demonstration of the vulnerability, we’ll be using Portswigger’s Web Security Academy lab.
Vulnerable Application: Portswigger’s Web Security Academy lab
Attack Scenario: Wiener is an attacker, and he wants to hijack Carlos’s (victim) account.
Steps to Reproduce:
- The application provides a login panel in which password reset functionality is present. We can abuse this functionality.
- We also have our own exploit server, which can be used to get the victim’s token from the password reset functionality.
- Enter the victim’s name in the password reset input field and click on submit.
- Intercept this request in a proxy server like Burp.
- Change the host header to the exploit server’s domain.
- Now let the request pass by turning the intercept off. On the browser, it shows that the password reset link is sent in the mail.
- As soon as the victim clicks on the link in his mail, our exploit server gets a request, and the reset token gets logged.
- This token can now be used to reset the password of our victim Carlos and take over his account.
- We have successfully taken over Carlos’s account.
Mitigation
- Try to avoid the usage of the host header in the server-side code.
- If the inclusion of the current domain is necessary, then it should be specified in a custom configuration file in the server-side code, and should not depend upon the host header.
- If the host header specifically is required to be included in the server-side code, then it must be validated against a list of whitelisted domains.
- Disable the support of Host override headers like X-Forwarded-Host, X-Forwarded-For, etc.
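The following is an added example (not code from the lab or the original post) showing the flawed link-building pattern next to the hardened one described in the mitigations above. The base URL, the allowlisted hostnames, and the `token` query parameter name are assumptions made for the example.

```python
from typing import Optional
from urllib.parse import urlencode

# Assumed canonical base URL, loaded from server-side configuration,
# never from a request header (constructed value for this example).
CANONICAL_BASE_URL = "https://example-app.test"

# Assumed allowlist of hostnames this deployment legitimately serves.
ALLOWED_HOSTS = {"example-app.test", "www.example-app.test"}


def _header(headers: dict, name: str) -> str:
    """Case-insensitive header lookup; returns '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def vulnerable_reset_link(headers: dict, token: str) -> str:
    """Flawed pattern: the link's host is copied straight from the request's
    Host header, so whoever controls that header controls where the token goes."""
    host = _header(headers, "Host")
    return f"https://{host}/reset-password?{urlencode({'token': token})}"


def host_is_allowed(headers: dict) -> bool:
    """Validate the Host header (port stripped, lower-cased) against the allowlist.
    Override headers such as X-Forwarded-Host are deliberately never consulted."""
    host = _header(headers, "Host").split(":")[0].strip().lower()
    return host in ALLOWED_HOSTS


def safe_reset_link(headers: dict, token: str) -> Optional[str]:
    """Hardened pattern: reject requests whose Host is not allowlisted, and build
    the link from the configured base URL so no header value reaches the email."""
    if not host_is_allowed(headers):
        return None
    return f"{CANONICAL_BASE_URL}/reset-password?{urlencode({'token': token})}"


if __name__ == "__main__":
    # Constructed request headers: one tampered, one legitimate (with a stray override header).
    tampered = {"Host": "attacker-controlled.test"}
    legit = {"Host": "example-app.test:443", "X-Forwarded-Host": "attacker-controlled.test"}
    print("vulnerable:", vulnerable_reset_link(tampered, "t0k3n"))
    print("hardened (tampered):", safe_reset_link(tampered, "t0k3n"))
    print("hardened (legit):", safe_reset_link(legit, "t0k3n"))
```

The first print shows the token being routed to the tampered host; the hardened function refuses that request outright and, for the legitimate one, ignores the override header entirely.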