How to construct HTTP Leak through password reset function to realize arbitrary account hijacking

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

Many newcomers are unclear on how a password reset function can be turned into an HTTP Leak that leads to the hijacking of arbitrary accounts. The write-up below walks through the case in detail; anyone who needs it is welcome to read along, and I hope you take something away from it.

HTML injection in password reset request

While testing the password reset function of the target application, I observed the following POST request sent on behalf of my password reset test account. It causes the server to send the email shown below to the mailbox of the user who requested the reset, asking the user to click the reset link ([RESET LINK]) to change the password. The email is in HTML format:

Looking closely, the emailBody field is a template, so the next question is whether it can be abused by injecting something into it. I inserted a tag into it, as follows:

My password reset test user's mailbox then received the following email. Note that the tag I added was rendered, and that right after it comes the link the user must click to reset the password, which is the [RESET-LINK] placeholder from the POST request:

Clearly the target application does not safely filter user input into the HTML mail template, so the emailBody element is attacker-controlled: a textbook HTML injection vulnerability. But what impact does it have here? That is when the HTTP Leak attack technique came to mind: it could be used to check whether relevant information leaks from the email, and possibly to obtain the password reset token of the corresponding account.

A brief introduction to the HTTP Leak attack

Modern web technology contains a large number of HTML elements and attributes that cause external resources to be requested, and the HTTP requests they trigger may disclose sensitive information. For this reason, the well-known German security company Cure53 started a research project called HTTP Leaks (see Github-HttpLeaks), whose purpose is to enumerate the information disclosure problems that can occur through the HTTP requests issued by all kinds of elements and attributes.

In some scenarios HTTP Leak can also be used to bypass CSP protection mechanisms; see @filedescriptor's "CSP 2015" and @intidc's "HTML injection can lead to data theft".

For example, if an HTML email contains an HTTP Leak, the sender can learn whether the recipient opened or read the email. Likewise, some web proxy tools claim that certain websites can be accessed "anonymously", yet their rewriting of some HTML elements or attributes still triggers HTTP requests for external resources; if those requests disclose information, the claimed "anonymity" is out of the question.

Constructing the HTTP Leak attack payload

Here we need to understand the HTML email template (you can click here to view Email Templates). The password reset request template is as follows:

Subject: Retrieve your password on {{settings.businessAddress.company}}.

You have requested a password reset, please follow the link below to reset your password.

Please ignore this email if you did not request a password change.

Follow this link to reset your password.

Combined with the HTML injection vulnerability in the password reset email above, we can insert a payload in the following format before [RESET-LINK]:
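As an added example (not code from the original article or from the target service), the following Python sketch shows the flaw and its fix from the defender's side: the unsafe renderer lets client-influenced text into the mail body unescaped, the safe renderer keeps the template server-side and escapes every user value, and the audit function lists any URL in the rendered body other than the expected reset link, which is exactly the kind of unexpected outbound fetch HTTP Leak relies on. The template wording follows the page; the reset link, token and tracker host are constructed placeholders.

```python
import html
from html.parser import HTMLParser

# Constructed sample data; the real service's link and token format are not on the page.
RESET_LINK = "https://example.invalid/reset?token=CONSTRUCTED-TOKEN"
RESET_TEMPLATE = (
    "<p>You have requested a password reset, please follow the link below "
    "to reset your password.</p>"
    "<p>{user_fragment}</p>"
    '<p><a href="{reset_link}">Follow this link to reset your password.</a></p>'
)

# Attributes through which an HTML mail client may fetch an external resource.
URL_ATTRS = {"src", "href", "background", "poster", "data", "action", "formaction"}


def render_unsafe(user_fragment: str, reset_link: str = RESET_LINK) -> str:
    """Mirrors the flaw on the page: client-influenced text lands in the body unescaped."""
    return RESET_TEMPLATE.format(user_fragment=user_fragment, reset_link=reset_link)


def render_safe(user_fragment: str, reset_link: str = RESET_LINK) -> str:
    """Fixed server-side template; every user-influenced value is HTML-escaped."""
    return RESET_TEMPLATE.format(user_fragment=html.escape(user_fragment, quote=True),
                                 reset_link=html.escape(reset_link, quote=True))


class _UrlCollector(HTMLParser):
    """Collects every URL-bearing attribute, i.e. every fetch the mail client could make."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower() in URL_ATTRS and value is not None:
                self.urls.append(value)


def external_urls(body: str, reset_link: str = RESET_LINK) -> list:
    """Return URLs in the rendered body other than the expected reset link.

    A non-empty result means the mail would trigger an outbound request the
    template never intended, the condition an HTTP Leak needs."""
    collector = _UrlCollector()
    collector.feed(body)
    collector.close()
    return [u for u in collector.urls if u != reset_link]
```

Run `external_urls(render_unsafe(fragment))` against any fragment a client can influence; a non-empty list is the signal that the body must be rendered through `render_safe` instead.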
