
Account Takeover Through Password Reset Poisoning

3 min readDec 19, 2019

Introduction :

Hello, I am Vishal Bharad. I am a Mechanical Engineer :D working as a Penetration Tester, and I am here to share my findings on a Full Account Takeover.

About the Vulnerability :

While hunting for bugs on a website (assume redacted.com), I decided to focus on the Forgot Password page and tried many tricks there.

I spent about 6 to 8 hours on several websites. After many attempts I found a big and interesting vulnerability that leads to Full Account Takeover.

Tools Used for this Vulnerability:

  1. BurpSuite
  2. Ngrok Server

Steps to Reproduce:

  1. Go to https://redacted.com/users/forgot_password and enter a username to request a password reset link.
  2. Capture this request in Burp Suite and add the header X-Forwarded-Host: bing.com
  3. Forward the request and check your email. You receive a password reset email containing a token, and the link looks like (https://bing.com/users/reset_password/tqo4Xciu806oiR1FjX8RtIUc1DTcm1B5Kqb53j1fLEkzMW2GPgCpuEODDStpRaES). The application built the link from the attacker-supplied X-Forwarded-Host header instead of its own hostname.


Here the token is leaked to bing.com. An attacker would instead point X-Forwarded-Host at a host they control (for example an Ngrok server) and read the token from its request log as soon as the victim clicks the link. Now, to confirm whether this token is valid, put https://redacted.com instead of…
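The following is an added example, not code from the original post or from the affected site. It reproduces the root cause of the steps above in a self-contained way: a reset-link builder that trusts X-Forwarded-Host (the bug), the hardened version that builds the link from a configured origin and rejects unexpected Host values, and the attacker-side step of pulling the leaked token out of the catching server's access log. The hostnames, the allow-list, the captured headers and the log line are all constructed for illustration.

```python
# Added example (not from the original post): reset-link poisoning via X-Forwarded-Host,
# the hardened alternative, and recovering the leaked token from an attacker's server log.
# Hosts, headers and the log line below are constructed for illustration.
import re
import secrets
from typing import Optional
from urllib.parse import urlunsplit

# Assumption: the application's real public origin and the hosts it is allowed to serve.
CANONICAL_SCHEME = "https"
CANONICAL_HOST = "redacted.com"
ALLOWED_HOSTS = {"redacted.com", "www.redacted.com"}

RESET_PATH = "/users/reset_password/"


def new_reset_token() -> str:
    """Unguessable token; the link is only as secret as the host it is sent to."""
    return secrets.token_urlsafe(48)


def vulnerable_reset_link(headers: dict, token: str) -> str:
    """Reproduces the bug: the absolute URL is built from X-Forwarded-Host
    (falling back to Host), both of which the requester controls."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", CANONICAL_HOST)
    return urlunsplit((CANONICAL_SCHEME, host, RESET_PATH + token, "", ""))


def hardened_reset_link(headers: dict, token: str) -> str:
    """Fix: never derive the link host from the request. Validate Host against an
    allow-list (reject otherwise) and build the link from the configured origin."""
    host = headers.get("Host", "").split(":", 1)[0].strip().lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"rejecting request for untrusted Host: {host!r}")
    # X-Forwarded-Host is deliberately ignored for URL generation.
    return urlunsplit((CANONICAL_SCHEME, CANONICAL_HOST, RESET_PATH + token, "", ""))


def link_is_poisoned(link: str) -> bool:
    """True if the generated link points anywhere other than the canonical host."""
    return not link.startswith(f"{CANONICAL_SCHEME}://{CANONICAL_HOST}/")


# Attacker side: once the victim clicks the poisoned link, the token shows up in the
# request log of whatever server X-Forwarded-Host pointed at (e.g. an Ngrok tunnel).
_LOG_RE = re.compile(r'"GET\s+' + re.escape(RESET_PATH) + r'([A-Za-z0-9_-]+)')


def extract_leaked_token(log_line: str) -> Optional[str]:
    """Pulls the reset token out of a common-log-format line for the reset path."""
    m = _LOG_RE.search(log_line)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed request headers, as captured in Burp with the added header.
    captured = {"Host": "redacted.com", "X-Forwarded-Host": "bing.com"}
    token = new_reset_token()
    bad = vulnerable_reset_link(captured, token)
    good = hardened_reset_link(captured, token)
    print("vulnerable:", bad, "(poisoned)" if link_is_poisoned(bad) else "(ok)")
    print("hardened:  ", good, "(poisoned)" if link_is_poisoned(good) else "(ok)")
    # Constructed access-log line from the attacker's server after the victim clicks.
    line = f'203.0.113.7 - - [19/Dec/2019:10:00:00 +0000] "GET {RESET_PATH}{token} HTTP/1.1" 404 0'
    print("leaked token:", extract_leaked_token(line))
```

The practical check for a target is the same as the steps above: if the emailed link's host follows the header you injected, the builder is the vulnerable shape; the hardened shape makes the test impossible because the host is never read from the request at all.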

Written by Vishal Bharad

Penetration Tester, Bug Bounty Hunter, Security Researcher
