Hijacking accounts with host manipulation using collaborator

Hi everyone,

I am Aditya Shende (Kong) from India. A Bounty Hunter , Biker and Researcher.

This is my 2nd article , If you found any spell error. Let it be…..

Account takeover via host header is known method. If you don't know then click here . I will start with my finding and IMP part is , This is not gonna work on Akamai , CF or any WAFs.

Hunt your targets | Hackers gonna hack.

So as I always say “Use web as normal user”. I was testing for Open Redirects , SSRF with default method which I published in this . Can’t say Host-Header Injection………..

When I open my target with following target.com.burp_collaborator.net/kongsec.php, It gave me HTTP interaction in collaborator with my IP only. I thought to check it on sensitive actions like sharing URL, Downloading private files and obvio reset password.

I received mail like this

Response which I got in collaborator with HTTP interaction.

So this leads to account takeover

Steps to reproduce:

  1. Modify host as : host.com.burplink.net
  2. Forward request from repeater
  3. Reset link in inbox, Click on it . We’ll get reset token

Thanks for read

Hunters after knowing this method to every program….

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Aditya Shende

#kongsec | Solo Bounty Hunter | Function Exploits and Report Crafting | Bikes | Not a XSS guy | Own views | Bugcrowd Top 100 l Top 10 P1 warriors | Biker