Cobalt Vulnerability Wiki

V4 - Access Control

Weak Password Reset Implementation - Token Leakage via Host Header Poisoning

POC

1) Trigger the "Forgot your password" flow in the application for the victim's account.


2) Intercept the password-reset request in Burp Suite.


3) Change the Host header to an attacker-controlled domain, e.g. www.evilsite.com, and forward the request.


4) If step 3 does not work (for example the application rejects unknown Host values or a front-end proxy rewrites them), keep the original Host header and add a new header X-Forwarded-Host: evil.com to the request instead.


5) If the application builds the reset link from the request's Host or X-Forwarded-Host value, the victim receives an email containing a link like http://evil.com/reset_password/token. When the victim clicks it, the reset token is sent to the attacker's server; the attacker then submits that token to the real application, sets a new password and takes over the account.


To confirm the finding, read the reset email the victim receives (or the outgoing mail in a test environment) and check which hostname the link points at. The root cause is that the server derives absolute URLs from attacker-controllable request headers instead of a configured canonical hostname.
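The following is an added example, not code from the Cobalt wiki or from any particular application. It shows the reset-link builder in the vulnerable form the steps above exploit (host taken from X-Forwarded-Host or Host) next to a hardened form that uses a configured canonical hostname and rejects requests whose Host header is unexpected. The header dictionaries, hostnames and function names are assumptions constructed for illustration.

```python
"""Added example (not from the Cobalt wiki page): a password-reset link
builder in the vulnerable form and in a hardened form.

All headers, hostnames and function names below are constructed for
illustration and are not any real framework's API.
"""
from urllib.parse import urlunsplit

# Assumed canonical hostname of the application (configuration, not request data).
CANONICAL_HOST = "www.example.com"


def vulnerable_reset_link(headers: dict, token: str) -> str:
    """Builds the emailed link the way the PoC exploits: the hostname is
    copied from attacker-controllable request headers, X-Forwarded-Host
    first (step 4 of the PoC), then Host (step 3)."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    return urlunsplit(("https", host, f"/reset_password/{token}", "", ""))


def host_header_is_expected(headers: dict, canonical_host: str = CANONICAL_HOST) -> bool:
    """True when the request's Host header (port stripped, case-folded)
    names the configured canonical host. X-Forwarded-Host is deliberately
    ignored: a reverse proxy may set it, but the application must never
    trust it to build links."""
    presented = (headers.get("Host") or "").split(":")[0].lower()
    return presented == canonical_host


def hardened_reset_link(headers: dict, token: str,
                        canonical_host: str = CANONICAL_HOST) -> str:
    """Builds the link from the configured hostname only. The request
    headers are inspected solely to reject a poisoned Host value rather
    than silently serving it; the returned URL never contains any value
    taken from the request."""
    if not host_header_is_expected(headers, canonical_host):
        raise ValueError("unexpected Host header on password-reset request")
    return urlunsplit(("https", canonical_host, f"/reset_password/{token}", "", ""))


if __name__ == "__main__":
    # Constructed attacker request matching step 4 of the PoC: the Host
    # header looks legitimate, the injected X-Forwarded-Host does not.
    attacker_headers = {"Host": CANONICAL_HOST, "X-Forwarded-Host": "evil.com"}
    print("vulnerable:", vulnerable_reset_link(attacker_headers, "token"))
    print("hardened:  ", hardened_reset_link(attacker_headers, "token"))
```

The same logic applies whichever header the framework reads: if any part of the outgoing link comes from the request, the PoC works; if the link is assembled from configuration, it does not.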




Impact

High



Likelihood

High

