For account takeover:
Nowadays a single web server is often used to deploy more than one application, which means all of those applications resolve to the same IP address. To avoid confusion, the Host header is used: it specifies which application a request is meant for.
Host header attacks are very common in cloud infrastructure, where many applications rely on the Host header to determine their own domain.
How to bypass:
· By providing any random domain in the Host header and checking whether the response is still 200 OK.
· By providing the same domain but with a random port in the Host header and checking whether the response is still 200 OK.
· X-Forwarded-Host: by using this header we can override the Host header value.
· By injecting the same Host header twice.
· By supplying an absolute URL: web servers generally work with relative paths, but sometimes an application accepts an absolute URL and takes the host from it.
What vulnerabilities can be exploited by changing the Host header:
· Web cache poisoning: the attacker poisons the website's web cache so that anyone who visits the cached page receives the poisoned response.
· Password reset poisoning: applications usually generate a secret token and build the password reset link from the domain given in the Host header, appending the token to it.
For example, if the value of the Host header is google.com, the password reset link will look like google.com/password-reset-token.
An attacker can use a malicious domain under his control and request a token using the email/username of the legit user. The legit user then receives a link in which the attacker's domain is combined with the password reset token. If the legit user clicks the link, the request goes to a server the attacker controls, so the attacker obtains the password reset token and can use it to change the legit user's password.
· The attacker browses an application that is vulnerable to Host header injection.
· The attacker modifies the Host header, passing a domain he controls, in the request that generates the password reset link.
· The website now uses the domain from the Host header to generate the password reset link (the Host header value becomes the domain in the link), which is sent to the victim via email.
· The user clicks on the link, and since the attacker-controlled domain is part of it, the attacker receives the request on his server.
· The attacker extracts the reset token from the request logged on his server and uses that token to take over the user's account.
Here the attacker uses password reset poisoning to take control of the legit user's account. Some applications use the Host header directly in the password reset link.
Go to the password reset page of the website, enter any valid username in the field and intercept the request using an intercepting proxy.
The attacker changes the Host header, passing the address of his own domain, or a domain where he is logging all requests sent to it.
After forwarding the request, we got 200 OK in the response.
The user unknowingly clicks on the link, thinking that it was generated by the legit website.
The attacker checks the logs of his domain, where all requests sent to the server are recorded, and finds a request containing the password reset token.
Now the attacker uses the legit user's “temp-forgot-password-token” on the website to change the legit user's password and take over the account.
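To make the root cause concrete, the following added example (not code from the original write-up) shows the reset-link construction described above in its vulnerable form next to a hardened version. The host names, allowlist and token are constructed placeholders; the hardened function ignores X-Forwarded-Host, normalises the Host value (case and port) before matching it against an allowlist, and builds the link from the configured canonical host only.

```python
from typing import Optional
from urllib.parse import urlencode

# Constructed configuration for this example (placeholders, not the page's).
CANONICAL_HOST = "app.example.com"
ALLOWED_HOSTS = {"app.example.com", "www.example.com"}


def reset_link_vulnerable(headers: dict, token: str) -> str:
    """The pattern the write-up describes: the link's domain is whatever the
    client sent in Host (or X-Forwarded-Host), so a client-chosen host ends
    up in the reset e-mail together with the secret token."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", CANONICAL_HOST)
    return f"https://{host}/password-reset?{urlencode({'token': token})}"


def normalize_host(raw: str) -> Optional[str]:
    """Lower-case the value and drop a :port suffix so that
    'App.Example.com:8443' compares equal to 'app.example.com'.
    Bracketed IPv6 literals are rejected outright to keep the example short."""
    host = raw.strip().lower()
    if not host or host.startswith("["):
        return None
    return host.split(":", 1)[0] or None


def is_trusted_host(raw: str) -> bool:
    """True only if the normalised Host value is on the allowlist."""
    return normalize_host(raw) in ALLOWED_HOSTS


def reset_link_hardened(headers: dict, token: str) -> Optional[str]:
    """Hardened pattern: X-Forwarded-Host is never consulted, the Host value
    must match the allowlist after normalisation, and an unknown host yields
    None so the caller can answer 400 instead of e-mailing a link. The link
    itself is always built from the configured canonical host, so a port or
    casing trick in Host can never reach the victim's mailbox."""
    if not is_trusted_host(headers.get("Host", "")):
        return None
    return f"https://{CANONICAL_HOST}/password-reset?{urlencode({'token': token})}"


if __name__ == "__main__":
    # Constructed request headers as a tampered Host would arrive at the app.
    tampered = {"Host": "attacker.example:8080"}
    print(reset_link_vulnerable(tampered, "tok"))  # link points at attacker.example
    print(reset_link_hardened(tampered, "tok"))    # None: request should get a 400
```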
Check the token generated for the attacker's own account, shown below:
Open this link in the browser; the intercepted request looks like the one shown below:
In the intercepted request above, the attacker replaces his own token value with the legit user's token and forwards the request. After forwarding the request, the attacker was able to change the legit user's credentials.
Using the new credentials, the attacker can log in to the legit user's account.