Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Add Password Reset Token Leakage via Host Header Poisoning on Password Reset Function

See original GitHub issue

Summary: I would like to propose an addition to the VRT for Token Leakage via Host Header Poisoning on Password Reset function. I have found this vulnerability on several programs and have not found an appropriate vulnerability in the VRT.

Scenario: An attacker is able to send a password reset request for a user’s account with the Host: header set to their server. When the user receives the password reset email, it arrives from the legitimate email address, however, the host header poisoning causes the password reset link to point at the attackers server. If the victim clicks on the password reset link, the password reset token is sent to the attacker’s server where it can be retrieved from server logs. The attacker can then take this token and use it to takeover the account.

Impact: I believe that this should have a technical severity of P2 as this can be used to takeover an account, however, it does require user interaction.

VRT Suggestion: I’m not sure what the best category for this would be. But here’s a shot: P2: Sensitive Data Exposure > Weak Password Reset Implementation > Token Leakage via Host Header Poisoning

Issue Analytics

  • State:closed
  • Created 5 years ago
  • Reactions:2
  • Comments:6 (4 by maintainers)

github_iconTop GitHub Comments

plr0mancommented, Jan 4, 2019

After additional review the team agreed that while Server Security Misconfiguration might be a slightly better fit for this entry, it is not ideal to add yet another Weak Password Reset Implementation subcategory there. That being said we’ll go with the initial recommendation, which has already been pushed to #205.

plr0mancommented, Dec 14, 2018

A quick update here. We decided to change the category from Sensitive Data Exposure to Server Security Misconfiguration: P2: Server Security Misconfiguration > Weak Password Reset Implementation > Token Leakage via Host Header Poisoning

Read more comments on GitHub >

github_iconTop Results From Across the Web

Password reset poisoning | Web Security Academy
Password reset poisoning is a technique whereby an attacker manipulates a vulnerable website into generating a password reset link pointing to a domain ......
Read more >
Host Header Injection On Password Reset Functionality An ...
Password Reset Poisoning : Application usually generate a secret token by using host header functionality. To create the password reset link they use...
Read more >
Reset/Forgotten Password Bypass - HackTricks
Request password reset to your email address · Click on the password reset link · Dont change password · Click any 3rd party...
Read more >
Password Reset Poisoning | Host Header Injection - YouTube
During this video we look at the a scenario where an attacker use password reset poisoning technique in a vulnerable application to change...
Read more >
10 Password Reset Flaws | CyPH3R
Common security flaws in password reset functionality compiled from twitter, writeups, disclosed reports. [1] Password Reset Token Leak Via Referrer.
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found