Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Add Password Reset Token Leakage via Host Header Poisoning on Password Reset Function

See original GitHub issue

Summary: I would like to propose an addition to the VRT for Token Leakage via Host Header Poisoning on Password Reset function. I have found this vulnerability on several programs and have not found an appropriate vulnerability in the VRT.

Scenario: An attacker is able to send a password reset request for a user’s account with the Host: header set to their server. When the user receives the password reset email, it arrives from the legitimate email address, however, the host header poisoning causes the password reset link to point at the attackers server. If the victim clicks on the password reset link, the password reset token is sent to the attacker’s server where it can be retrieved from server logs. The attacker can then take this token and use it to takeover the account.

Impact: I believe that this should have a technical severity of P2 as this can be used to takeover an account, however, it does require user interaction.

VRT Suggestion: I’m not sure what the best category for this would be. But here’s a shot: P2: Sensitive Data Exposure > Weak Password Reset Implementation > Token Leakage via Host Header Poisoning

Issue Analytics

State:
Created 5 years ago
Reactions:2
Comments:6 (4 by maintainers)

Top GitHub Comments

1reaction

plr0mancommented, Jan 4, 2019

After additional review the team agreed that while Server Security Misconfiguration might be a slightly better fit for this entry, it is not ideal to add yet another Weak Password Reset Implementation subcategory there. That being said we’ll go with the initial recommendation, which has already been pushed to #205.

1reaction

plr0mancommented, Dec 14, 2018

A quick update here. We decided to change the category from Sensitive Data Exposure to Server Security Misconfiguration: P2: Server Security Misconfiguration > Weak Password Reset Implementation > Token Leakage via Host Header Poisoning

Top Results From Across the Web

Password reset poisoning | Web Security Academy

Password reset poisoning is a technique whereby an attacker manipulates a vulnerable website into generating a password reset link pointing to a domain ......

Host Header Injection On Password Reset Functionality An ...

Password Reset Poisoning : Application usually generate a secret token by using host header functionality. To create the password reset link they use...

Reset/Forgotten Password Bypass - HackTricks

Request password reset to your email address · Click on the password reset link · Dont change password · Click any 3rd party...

Password Reset Poisoning | Host Header Injection - YouTube

During this video we look at the a scenario where an attacker use password reset poisoning technique in a vulnerable application to change...

10 Password Reset Flaws | CyPH3R

Common security flaws in password reset functionality compiled from twitter, writeups, disclosed reports. [1] Password Reset Token Leak Via Referrer.