Posts

Love Story Of A Account Takeover (Chaining Host Header Injection To Takeover Someones Account)

Image
First Write-up. So Recently i was discovered a Host Header Injection [Ex: radiact.com ]. Basically when i was testing for “ Password Reset Function ”. I notice that we can Redirect by changing the name or adding a extra header “ X-Forwarded-Host ”. So changing this host to evil.com will redirect you to evil.com . But as we know reporting simple Host Header Injection with a redirection is not enough to make it more impact. So i simply kept this aside and looking for more interesting behavior. I requested a reset token and tried to redirect and capture the referer but no luck. Well looking forward and i was noticed by a parameter called “ redirect_to_referer=yes ”. I dig into it and i understand that if we login with that parameter it will redirect us to the referer. Well i visited our reset token which i generated before Let’s take it as “EX:  radiact.com/reset?token=abc ” and then i go back to the login panel and Sign In with my credentials and captured that reque