Account Takeover [Via Host Header Injection]
Hi Techies!
This is my 19th blog on web application security penetration testing and 4th blog on Account Takeover Blog Series. In this blog I will explain about Account Takeover [Via Host Header Injection] Attack. In my last blog, I have explained about Session Fixation Hope everyone liked it. If you haven’t read it yet please follow along.
What is Host Header Injection?
It is common practice for a web server to host several websites or web applications on the same IP address. This is the reason host header exists. The host header specifies which website or web application should process an incoming HTTP request. The web server uses value of this header to dispatch the request to the specified website or web application.
Each web application hosted on the same IP address is commonly referred to as a virtual host. Many web applications rely on HTTP header to understand where they are. But unfortunately, many application developers don’t know that HTTP header is controlled by user and in application security, user input is always considered as safe. Thus, never trust any input without validating it.
How to Test for Host Header Injection?
Navigate to the website,
1. Intercept the request going to web server using burp suit
2. Add website to scope show in scope item only.
3. Target any URL which has status code 200/201/202/203/204/300/301/302/303/304
4. Move the request to repeater.
5. Change host from original domain to -> Host: evil.com OR http://bing.com. Click on GO. If HOST value set as bing.com in response header then there is HHI.
6. If not working, keep host value to http://evil.com OR http://bing.com and X-Forwarded-Host: realHost.com
7. if not just reverse it. Set Host: realhost.com and X-Forwarded -Host as http://evil.com OR http://bing.com
8. If none of the above is not working, set Host as a evil.com and remove cookie header.
9. If none of the above works, try changing referrer header to https://evil.com
10. Sometimes if the original domain is abc.com, change it like Host: evil.com/www.abc.com
Detecting Host Header Injection: I have Changed Host Name to http://bing.com and same header value reflected in web server response as shown below.
Account Takeover POC:
I have tested one of the website in the private program. let’s consider it as redacted.com to maintain confidentiality of the domain. Website has Forgot Password functionality which were sending Password Reset Link to User’s email based on the Host header value. Below is the step by step POC.
- Click on the Forgot Password Functionality and Enter User’s Username and Email for which password has to be reset.
2. Capture the request in Burp Suite proxy tool. Request looks like as below screenshot. Take the Request to the repeater.
3. Enter the Attacker’s domain Name or IP into Host Header value. I have used Python web server’s IP(172.20.38.10). You can use ngrok server URL (for e.g. https://randomString.ngrok.io) instead of python web server if you want.
Click on the Send button and notice response 301 which shows move permanently to specified location.
4. I have received Password Reset link via Email with Python Web Server IP which was running on (172.20.38.10) and must remember this is attacker controlled IP/web server.
Note: If you have used ngrok server url (for e.g. https://randomString.ngrok.io) and having netcat listening enabled on assigned port then the password reset link will be sent to the selected victim email in the format https://randomString.ngrok.io/password_token
Now the Actual attack begins here, Attacker send this malicious crafted URL to the legitimate user’s of the website by any medium like, phishing attack. Important thing is to feed this malicious URL to the victim.
5. Once the victim opens the password reset link, the password reset token will be received on Attacker Controlled Python Web Server Listener as shown below.
7. The attacker can then proceed to reset the victim’s account password resulting to its full account take over.
As shown in below screen, Attacker able to change the password of the victim successfully.
If you wanna use ngrok instead of Python web server then here is the link for “How to use ngrok in kali Linux?” You can download and install for your machine like ubuntu or whatever flavor it is.
Here is the blog which shows Account Takeover [Via Host Header Injection]using Ngrok server.
Impact:
Attacker can takeover any legitimate user’s account by generating password reset link. In this case attacker will remove his own legitimate token to change the password’s of other user’s by just knowing their usernames.
Attacker can send malicious crafted link to the victim’s email and Once the victim opens the password reset link, the password reset token will be received on ngrok and netcat through the listening port. The attacker can then proceed to reset the victim’s account password resulting to its full take over.
Remediation:
· Validate host header before use. Do not trust host header blindly, do not rely on Host header completely.
· Whitelist allowed host header hostnames.
· By checking invalid input injection in Host header.
References:
OWASP Host Header Injection Testing:
Above attack is exploited by Mr. Wasim Shaikh (Cyber Consultant).
If you are enjoying reading my blogs, kindly claps and show your interest by commenting and following me on Medium and LinkedIn.
Please do like and follow for more reads!
Thanks!