Password reset poisoning (sometimes called password cache poisoning) is a kind of Host header injection: the application builds the absolute reset link it emails to the user from the Host header of the incoming request, so whoever controls that header controls where the reset token is delivered. I have already written a post on Host header injection, so here we jump directly into the practical steps to find this vulnerability.
Method 1:
Steps:
1. Go to the forgot password page of the target website and submit it with the email address of the account (while testing, use your own address so the mail reaches you).
2. Intercept that request in Burp Suite.
3. Change the Host header to a domain you control (any.com is used as the placeholder here).
4. Click Go.
Method 2:
Steps:
1. Go to the forgot password page of the target website and submit it as in Method 1.
2. Intercept that request in Burp Suite.
3. Leave the real Host header in place (so the request is not rejected) and add the header "X-Forwarded-Host: any.com". Many applications and reverse proxies prefer this header over Host when building URLs.
4. Click Go.
Now check the email that arrives. If the reset link points at any.com (the host you supplied) instead of the real site, the application builds the link from an attacker-controlled header and you can claim the vulnerability. Note that the server does not send the link from any.com; the link is still mailed by the real site, it just points at your domain. To actually capture the token in a real attack the attacker must own that domain, because the token is delivered to its web server when the link is clicked.
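The two methods and the check on the resulting email, as an added example that is not code from the original post. It forges the raw request that Method 1 and Method 2 send from Burp, runs it through a reset-link builder that trusts Host / X-Forwarded-Host (the bug) and through a hardened builder that validates Host against an allowlist and takes the link's host from configuration, then applies the tester's check to the link. The endpoint path /forgot-password, the form field name "email", the real host example.com and the attacker domain any.com are assumptions; it uses only the Python standard library.

```python
"""Password reset poisoning, end to end: the forged request from the two
methods, a reset-link builder that trusts Host / X-Forwarded-Host (the bug),
a hardened builder, and the check on the link that lands in the e-mail.

Added example for this post, not the author's code. Assumptions: the endpoint
path /forgot-password, the form field "email", the real site example.com and
the attacker domain any.com are illustrative placeholders.
"""
from urllib.parse import urlsplit

CANONICAL_HOST = "example.com"        # assumption: the site's real host, from config
ALLOWED_HOSTS = {CANONICAL_HOST}      # hosts the app agrees to serve (cf. Django ALLOWED_HOSTS)


def forge_reset_request(victim_email: str, attacker_host: str, method: int,
                        real_host: str = CANONICAL_HOST) -> str:
    """Raw HTTP/1.1 text of the request the post sends from Burp Repeater.
    Method 1 replaces the Host header; method 2 keeps the real Host and adds
    X-Forwarded-Host. The e-mail address is the one typed into the form."""
    body = f"email={victim_email}"
    lines = ["POST /forgot-password HTTP/1.1"]  # path is an assumption
    if method == 1:
        lines.append(f"Host: {attacker_host}")
    elif method == 2:
        lines.append(f"Host: {real_host}")
        lines.append(f"X-Forwarded-Host: {attacker_host}")
    else:
        raise ValueError("method must be 1 or 2")
    lines += ["Content-Type: application/x-www-form-urlencoded",
              f"Content-Length: {len(body)}", "", body]
    return "\r\n".join(lines)


def parse_headers(raw_request: str) -> dict:
    """Header name (lower-cased) -> value, from the raw request text."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def _host_only(value: str) -> str:
    """Strip an optional :port from a Host-style value (DNS names only here)."""
    return value.split(":", 1)[0].strip().lower()


def build_reset_link_vulnerable(headers: dict, token: str) -> str:
    """The pattern both methods exploit: the absolute URL in the e-mail is built
    from X-Forwarded-Host if present, else Host, both chosen by the client."""
    host = headers.get("x-forwarded-host") or headers.get("host")
    return f"https://{host}/reset?token={token}"


def build_reset_link_hardened(headers: dict, token: str) -> str:
    """Reject requests whose Host is not one we serve, never consult
    X-Forwarded-Host, and take the link's host from configuration."""
    if _host_only(headers.get("host", "")) not in ALLOWED_HOSTS:
        raise ValueError("Host header not in ALLOWED_HOSTS")
    return f"https://{CANONICAL_HOST}/reset?token={token}"


def link_is_poisoned(reset_link: str, expected_host: str = CANONICAL_HOST) -> bool:
    """The tester's check: does the link in the received e-mail point at a host
    other than the real site? Port and letter case are ignored."""
    return (urlsplit(reset_link).hostname or "").lower() != expected_host.lower()


def run_method(method: int, token: str = "t0k3n", attacker_host: str = "any.com") -> dict:
    """Forge the request for one method and show what each builder does with it."""
    raw = forge_reset_request("victim@example.com", attacker_host, method)  # constructed input
    headers = parse_headers(raw)
    vulnerable_link = build_reset_link_vulnerable(headers, token)
    try:
        hardened_link = build_reset_link_hardened(headers, token)
    except ValueError as e:
        hardened_link = f"rejected: {e}"
    return {"vulnerable_link": vulnerable_link,
            "vulnerable_poisoned": link_is_poisoned(vulnerable_link),
            "hardened_link": hardened_link}


if __name__ == "__main__":
    for m in (1, 2):
        print(f"method {m}:", run_method(m))
```

With the vulnerable builder both methods produce a link to any.com; the hardened builder rejects the Method 1 request outright (unknown Host) and, for Method 2, ignores X-Forwarded-Host and emits a link to example.com. If the site legitimately sits behind a reverse proxy, the fix is to trust X-Forwarded-Host only from that proxy, never from the public request.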
Impact
The attacker submits the forgot password form with the victim's email address and the poisoned Host or X-Forwarded-Host header. The victim receives a genuine email from the real site, but the reset link in it points to the attacker's domain. When the victim clicks it, the browser sends the reset token to the attacker's server; the attacker then uses that token on the real site to set a new password, leading to full account takeover.
A video tutorial will be added to the Instagram page: @thehackingmonks