Hijacking accounts with host manipulation using collaborator
I am Aditya Shende (Kong) from India. A Bounty Hunter , Biker and Researcher.
This is my 2nd article , If you found any spell error. Let it be…..
Account takeover via host header is known method. If you don't know then click here . I will start with my finding and IMP part is , This is not gonna work on Akamai , CF or any WAFs.
So as I always say “Use web as normal user”. I was testing for Open Redirects , SSRF with default method which I published in this . Can’t say Host-Header Injection………..
When I open my target with following target.com.burp_collaborator.net/kongsec.php, It gave me HTTP interaction in collaborator with my IP only. I thought to check it on sensitive actions like sharing URL, Downloading private files and obvio reset password.
I received mail like this
Response which I got in collaborator with HTTP interaction.
So this leads to account takeover
Steps to reproduce:
- Capture request of reset password
- Modify host as : host.com.burplink.net
- Forward request from repeater
- Reset link in inbox, Click on it . We’ll get reset token
Thanks for read