Pwn Them All #BugBounty
Recently I was pentesting a private program. The web app was built on "Ruby on Rails", and I was testing the 'forgot password' functionality, of course, why not?
I was surprised when I saw that the endpoint was vulnerable to Host Header Injection, so here are the steps of how I was able to exploit it. First I fired up a Python local server running on port 8080 along with ngrok on port 80.
I fired up Burp and Firefox and typed the URL again to capture the request for further testing. I typed my email in the forgot password form, and when I intercepted the request I first tried every header like
X-Host: evil.com
X-Server: evil.com
X-Forwarded-For: evil.com
X-Forwarded-Host: evil.com
I tried every header, and the one which worked for me here was
X-Forwarded-Host: evil.com
I got confirmation that the email had been sent to my email.
The original Host was replaced by the evil host (my ngrok host). Now the victim clicks the link and I get a request with the password reset token of the user.
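To show why `X-Forwarded-Host` was the header that worked, and what the fix looks like on the Rails side, here is an added Ruby example (not code from the original post or from the program tested). It mimics how Rack's `Request#host` prefers `X-Forwarded-Host` over `Host`, builds a reset link the way a mailer that relies on the request host would, and then builds it from configuration instead. The `env_for`, `build_reset_url_*` and `host_allowed?` names, the token and the hostnames are constructed for illustration.

```ruby
# Stand-in for the Rack env hash that Rails builds from an intercepted request.
# Values are constructed; "reset.token" plays the role of the mailer's token.
def env_for(host:, forwarded_host: nil, token: "constructed-token-123")
  env = { "HTTP_HOST" => host, "rack.url_scheme" => "https", "reset.token" => token }
  env["HTTP_X_FORWARDED_HOST"] = forwarded_host if forwarded_host
  env
end

# Mirrors Rack's Request#host: X-Forwarded-Host wins when present (the last
# comma-separated entry is used), otherwise the Host header is used.
def request_host(env)
  forwarded = env["HTTP_X_FORWARDED_HOST"]
  return env["HTTP_HOST"] if forwarded.nil? || forwarded.empty?
  forwarded.split(",").last.strip
end

# Vulnerable pattern: the reset link inherits whatever host the request claims,
# so the emailed link points at the injected host and leaks the token to it.
def build_reset_url_from_request(env)
  "#{env['rack.url_scheme']}://#{request_host(env)}/reset?token=#{env['reset.token']}"
end

# Canonical hostname the application is actually served on (constructed value).
# In Rails this is what config.action_mailer.default_url_options[:host] and
# config.hosts (Rails 6+ host authorization) would carry.
ALLOWED_HOSTS = ["app.example.com"].freeze

# Equivalent of Rails host authorization: reject requests whose effective host
# is not on the allowlist before any controller code runs.
def host_allowed?(env)
  ALLOWED_HOSTS.include?(request_host(env))
end

# Hardened pattern: the link host comes from configuration, never from the
# request, so a forged X-Forwarded-Host cannot change where the token is sent.
def build_reset_url_canonical(env)
  "https://#{ALLOWED_HOSTS.first}/reset?token=#{env['reset.token']}"
end
```

Logging or alerting on `host_allowed?` returning false for the password-reset endpoint is a cheap detection for exactly the probing described above.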