V4 - Access Control
Weak Password Reset Implementation - Token Leakage via Host Header Poisoning
POC
1) Trigger the "reset password" function of the application for an account you control (you need to be able to read the reset email to confirm the result).
2) Intercept the HTTP request in Burp Suite.
3) Change the Host header to www.evilsite.com and forward the request.
4) If the application rejects or ignores the modified Host header, restore it and instead add a new header X-Forwarded-Host: evil.com to the request.
5) Check the reset email. If the application builds the link from the request headers, the user receives a link such as http://evil.com/reset_password/token. When the user clicks it, the browser requests that URL from the attacker's server, which logs the reset token; the attacker then submits the token to the real application and takes over the account.
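The following is an added example (not code from the original page) of the server-side pattern that the POC above exploits and of the corrected form. The link builder that reads X-Forwarded-Host and Host from the request is the weak implementation; the hardened builder takes the origin from configuration and rejects requests whose Host header is not on the allow-list. The origin https://app.example.com, the function names and the header dictionaries are assumptions constructed for this example; the attacker hosts are the ones used in the POC.

```python
"""Password-reset link construction: header-driven (vulnerable) vs. configured origin.

Added illustration, not the original page's code.  Headers are modelled as a
plain dict so the example runs offline without a web framework.
"""
from typing import Optional
from urllib.parse import urlsplit

# Assumed deployment setting: the only origin reset links may ever point to.
CANONICAL_ORIGIN = "https://app.example.com"


def _lower_keys(headers: dict) -> dict:
    """HTTP header names are case-insensitive; normalise for lookup."""
    return {k.lower(): v for k, v in headers.items()}


def build_reset_url_vulnerable(headers: dict, token: str) -> str:
    """Weak implementation: trusts X-Forwarded-Host, then Host, verbatim.

    This is exactly what steps 3 and 4 of the POC abuse: whichever host the
    attacker supplies ends up in the emailed link, carrying the token with it.
    """
    h = _lower_keys(headers)
    host = h.get("x-forwarded-host") or h.get("host", "")
    scheme = h.get("x-forwarded-proto", "https")
    return f"{scheme}://{host}/reset_password/{token}"


def build_reset_url_hardened(headers: dict, token: str,
                             canonical_origin: str = CANONICAL_ORIGIN) -> Optional[str]:
    """Hardened implementation: the link never derives from request headers.

    Returns None when the request must be rejected (the caller answers 400).
    The Host allow-list check is defence in depth: even if the link were built
    from Host, a mismatching request would never reach the mailer.
    """
    h = _lower_keys(headers)
    # A proxy that you control should strip client-supplied X-Forwarded-Host at
    # the edge; if it still arrives at the application, treat it as hostile.
    if "x-forwarded-host" in h:
        return None
    allowed_host = urlsplit(canonical_origin).hostname
    request_host = h.get("host", "").split(":", 1)[0].lower()  # port ignored here
    if request_host != allowed_host:
        return None
    return f"{canonical_origin}/reset_password/{token}"


def leaks_token(url: str, canonical_origin: str = CANONICAL_ORIGIN) -> bool:
    """True if the reset link points anywhere other than the canonical origin."""
    return urlsplit(url).hostname != urlsplit(canonical_origin).hostname


# Constructed requests mirroring the POC: legitimate, Host poisoned, X-Forwarded-Host poisoned.
SAMPLE_REQUESTS = {
    "legit":          {"Host": "app.example.com"},
    "host_poisoned":  {"Host": "www.evilsite.com"},
    "xfh_poisoned":   {"Host": "app.example.com", "X-Forwarded-Host": "evil.com"},
}


def evaluate(token: str = "t0k3n") -> dict:
    """Run both builders over the sample requests and report which ones leak."""
    report = {}
    for name, headers in SAMPLE_REQUESTS.items():
        weak = build_reset_url_vulnerable(headers, token)
        report[name] = {
            "vulnerable_url": weak,
            "vulnerable_leaks": leaks_token(weak),
            "hardened_url": build_reset_url_hardened(headers, token),
        }
    return report


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:14s} weak={result['vulnerable_url']}  "
              f"leaks={result['vulnerable_leaks']}  hardened={result['hardened_url']}")
```

Running the block shows the two poisoned requests producing links to www.evilsite.com and evil.com from the weak builder, while the hardened builder returns None for both and only emits a link for the request whose Host matches the configured origin. The same comparison is a useful regression test to keep in a project's test suite once the fix is applied.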
Impact
High
Likelihood
High