Thursday, February 25, 2021

Hijacking Reset Password Link via Host Header Poisoning (Write Up)


Summer last year, while playing with Google dorks, I found a random external bug bounty program for an adult website that allows users to interact with each other through chat. The app is similar to Tinder.

Since they have a bug bounty program, I started a recon on their domain: fired up my recon tools to gather subdomains, directories, etc.

So while my recon tools were doing their thing, I signed up for an account, started testing the login and reset password pages, and found a simple bug in the reset password flow.

Long story short, I found a Host Header Hijacking/Poisoning issue that allowed me to manipulate the Host header during the reset password procedure. The issue allowed me to change the reset password link by changing the value of the Host header.
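To show why changing the Host header changes the link, here is an added example (my own illustration, not code from the write-up or from the affected site) of the server-side pattern behind this class of bug and its hardened counterpart. The application, hostnames (`app.example`, `attacker.example`), token and header values are all constructed for the demonstration; the vulnerable function builds the e-mailed link from the client-supplied Host header, while the hardened one uses a configured canonical origin and rejects requests whose Host is not on an allowlist.

```python
"""
Added example, not from the original write-up: a reset-link builder that
trusts the Host header (vulnerable) next to one that does not (hardened).
Every hostname, token and header value below is constructed.
"""
from urllib.parse import quote, urlsplit

# Constructed configuration for a hypothetical application.
CANONICAL_HOST = "app.example"                   # real origin, from config, never from the request
ALLOWED_HOSTS = {"app.example", "www.app.example"}


def build_reset_link_vulnerable(headers: dict, token: str) -> str:
    """Vulnerable pattern: the absolute URL that gets e-mailed to the account
    owner is assembled from whatever Host header the request carried. A reset
    request sent with a different Host value therefore produces a link that
    points the owner's token at that other host."""
    host = headers.get("Host", CANONICAL_HOST)
    return f"https://{host}/reset?token={quote(token)}"


def build_reset_link_hardened(headers: dict, token: str) -> str:
    """Hardened pattern: the link is built from the configured canonical
    origin only. The Host header is still checked against an allowlist so a
    poisoned request is rejected before any mail is sent. Forwarding headers
    such as X-Forwarded-Host are deliberately not consulted here either."""
    host = headers.get("Host", "")
    hostname = host.split(":", 1)[0].lower()     # allowlist holds bare hostnames, drop any port
    if hostname not in ALLOWED_HOSTS:
        raise ValueError(f"rejected request for unknown Host {host!r}")
    return f"https://{CANONICAL_HOST}/reset?token={quote(token)}"


def is_link_on_canonical_host(link: str) -> bool:
    """Check a generated link points at the configured origin; useful as a
    regression test for the mail-sending code path."""
    return urlsplit(link).hostname == CANONICAL_HOST


if __name__ == "__main__":
    token = "t0k3n-constructed"
    normal = {"Host": "app.example"}
    poisoned = {"Host": "attacker.example"}      # constructed value, not a real host
    print("vulnerable, normal  :", build_reset_link_vulnerable(normal, token))
    print("vulnerable, poisoned:", build_reset_link_vulnerable(poisoned, token))
    print("hardened,   normal  :", build_reset_link_hardened(normal, token))
    try:
        build_reset_link_hardened(poisoned, token)
    except ValueError as err:
        print("hardened,   poisoned:", err)
```

The detection side is just as simple: reset-link generation should be covered by a test that asserts `is_link_on_canonical_host(...)` for requests carrying unexpected Host or X-Forwarded-Host values, and web server or proxy logs showing reset requests with Host values outside the allowlist are worth alerting on.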

--Proof of Concept--

Title: Vulnerability Issue (Host Header Hijacking)
Reported: Jul 11, 2020, 3:31 AM
Rewarded: Jul 16, 2020, 5:25 AM ($50)

Hi Evan,

Thanks for your submission with a very clear PoC.

While we do already have some development in the works to address this known issue, we appreciate this demonstration of a new way to exploit this issue and would like to offer you a $50 reward. Would you mind re-confirming that your PayPal email is still <redacted>?

Best regards,

Bug Bounty

Reference for this issue (cheers to James Kettle @albinowax):

I hope you enjoy this write up. Stay safe and have a great day y'all!

“Only those who dare to fail greatly can ever achieve greatly.”

― Robert F. Kennedy