How I Was Able to Steal an Email Verification Token via Host Header Poisoning
Greetings everyone! I am Pallab (Twitter: @PJBorah2). Today I am going to share my first accepted P2 bug, found on a Bugcrowd private program: a Host header poisoning issue that leaked the email verification token and allowed me to bypass the confirmation scheme of the targeted domain.
While hunting on the target (call it target.com), the first thing I did was recon: I gathered all the subdomains with subfinder, then probed them with httpx to collect each host's title, content length and status code. From the combined output I kept only the hosts that answered 200 or 302.
Command I used:
subfinder -d target.com -silent | httpx -title -content-length -status-code
(httpx's -mc flag can also apply the 200/302 filter directly.)
I then went through the 200/302 subdomains one by one, spending at least two hours on each. After about a day of this I moved on to another subdomain, which looked like this:
This subdomain offered account creation. Before creating an account I always gather some information about the target with my usual tools.
With that information in hand, I started testing the targeted domain. Let's skip ahead and reproduce how I was able to steal the email verification token through Host header poisoning.
Steps to Reproduce:
I visited https://ground.target.com/, created a new account, filled in the sign-up form with a victim's email address that I am not authorized to use, and captured the request with Burp.
In the request I saw that the sign-up functionality was built on a third-party API service, but the request also carried the application's own domain as a "domain" parameter, as the captured request below shows. This parameter is the injection point: it is not the literal HTTP Host header, but the backend uses it exactly the way a vulnerable server uses Host, to build the absolute URL in the confirmation email, so the impact is the same.
Next, I modified the request:
I replaced the value of the domain parameter with my attacker-controlled domain and forwarded the request.
I had that domain pointing at an ngrok tunnel to my own server so I could capture incoming requests. As the picture below shows, when the victim clicked the link in their confirmation email, the request arrived at my server carrying the confirmation token, leaked through the domain I supplied. Note the precondition: the token only leaks once the victim clicks the link. With that token I can complete the confirmation for an account registered under the victim's email, which is the confirmation bypass.
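To make the mechanism concrete, here is an added example (my own illustration, not code from the original post or from the target's application) of a sign-up handler that builds the confirmation link from the client-supplied domain parameter, beside a hardened version that takes the origin from server-side configuration and only uses the client value as a tampering signal. The hostnames, the treatment of domain as a request-body field, the sample sign-up bodies and the handler shape are all assumptions; the request bodies are constructed to mirror the Burp capture described above.

```python
"""Added example (not code from the original post or the target).

Shows how a confirmation link leaks when the server builds it from a
client-supplied "domain" value, and how a hardened handler avoids it.
Hostnames, parameter names and the handler shape are assumptions.
"""
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed server-side configuration: the only origin that may ever
# appear in an e-mail this service sends.
CANONICAL_ORIGIN = "https://ground.target.com"
CANONICAL_HOST = urlparse(CANONICAL_ORIGIN).hostname

# Constructed sign-up request bodies modelled on the captured request:
# the victim's address, and the domain value before and after tampering.
LEGIT_SIGNUP = {"email": "victim@example.com", "domain": "ground.target.com"}
TAMPERED_SIGNUP = {"email": "victim@example.com", "domain": "attacker.ngrok.io"}
ATTACKER_HOST = "attacker.ngrok.io"  # assumed ngrok-fronted listener


def new_token() -> str:
    """Fresh, unguessable confirmation token (the secret being leaked)."""
    return secrets.token_urlsafe(32)


def vulnerable_link(signup: dict, token: str) -> str:
    """The bug: trust the client's 'domain' when building the e-mail link."""
    return f"https://{signup['domain']}/confirm?{urlencode({'token': token})}"


def domain_tampered(signup: dict) -> bool:
    """Detection helper: does the request's domain differ from ours?"""
    return signup.get("domain") != CANONICAL_HOST


def hardened_link(signup: dict, token: str) -> str:
    """The fix: the client never chooses the host; use server config only.

    The client value is still compared so a mismatch can be logged as a
    tampering signal, but it is never used to build the URL.
    """
    if domain_tampered(signup):
        # In a real service: emit an audit event / alert here.
        pass
    return f"{CANONICAL_ORIGIN}/confirm?{urlencode({'token': token})}"


def token_leaked_to(link: str, attacker_host: str) -> Optional[str]:
    """Simulate the victim clicking the link: if it points at the attacker's
    host, return the token the attacker's listener would receive."""
    u = urlparse(link)
    if u.hostname != attacker_host:
        return None
    return parse_qs(u.query).get("token", [None])[0]


if __name__ == "__main__":
    tok = new_token()
    bad = vulnerable_link(TAMPERED_SIGNUP, tok)
    good = hardened_link(TAMPERED_SIGNUP, tok)
    print("vulnerable link:       ", bad)
    print("token seen by attacker:", token_leaked_to(bad, ATTACKER_HOST))
    print("hardened link:         ", good)
    print("token seen by attacker:", token_leaked_to(good, ATTACKER_HOST))
    print("tampering flagged:     ", domain_tampered(TAMPERED_SIGNUP))
```

Running it prints the two links side by side. The point of the hardened version is that it ignores the client's value entirely rather than validating and then using it: a host the server does not need from the client should never reach a URL template, and the comparison exists only so the mismatch can be alerted on.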
I submitted this vulnerability with a full proof of concept and was awarded points, since it was a points-only Bugcrowd private program.
Thank you, I hope you enjoyed it!
Stick with me on Twitter: PJBorah2
Linkedin: Pallab Jyoti Borah