Password Smuggling Attack

Description

Attack in which the attacker receives the token that the website sends to identify a user during a password reset. With that token the attacker can reset the user's password and then log in as that user.

According to this note, the attack is available when the website has no SSL/TLS certificate and is served over http:// rather than https://

Process/Steps

  1. Find a forgot-password page that asks for a username

    • Must have a valid username

    • Might be able to reset admin, but usually can't

  2. Intercept the request with Burp Suite and change the "Host" request header to an IP we control (like tun0 or eth0)

    1. Easiest way is to listen with nc -nvlp <port>

      1. You can also do python3 -m http.server 80

    2. Then set the Host header to http://our_ip:port

  3. Send the request and wait a little while

  4. Take the reset link that arrives at the listener and use it to reset the password for the specified user (you might have to decode the URL encoding)

    • Note that some tokens may work while others may not

  5. Log in with the new credentials

Mitigation

The problem arises when the web server code reads the "Host" request header to build the reset link instead of using a static, server-side value (for example an environment variable set at startup), which an attacker cannot influence.

Ex: On Flask, request.headers.get('host')
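Added example (not from the original note): the reset-link builder that reflects the Host header beside a hardened version that uses a static configured base URL, plus a check that flags an unexpected Host for logging. Plain dicts stand in for the request headers so it runs without Flask; the base URL value is constructed.

```python
from urllib.parse import quote, urlsplit

# Constructed configuration value. In a real deployment this is read once
# from the environment (e.g. APP_BASE_URL) at startup, never from the request.
APP_BASE_URL = "https://example.com"


def build_reset_link_vulnerable(headers: dict, token: str) -> str:
    """Reflects whatever Host the client sent into the reset link.

    This is the Flask request.headers.get('host') pattern from the note:
    a spoofed Host header points the emailed link, and the token in it,
    at an address the attacker controls.
    """
    host = headers.get("Host", "")
    return f"http://{host}/reset?token={quote(token, safe='')}"


def build_reset_link_hardened(headers: dict, token: str,
                              base_url: str = APP_BASE_URL) -> str:
    """Builds the link from the static base URL and ignores the Host header.

    The headers parameter is accepted only so both builders share a
    signature; nothing in the request influences the link's origin.
    """
    return f"{base_url.rstrip('/')}/reset?token={quote(token, safe='')}"


def host_header_is_expected(headers: dict,
                            base_url: str = APP_BASE_URL) -> bool:
    """Detection check: does the Host header match the configured origin?

    A mismatch on a password-reset request is worth logging as suspected
    Host header tampering even when the link itself is built safely.
    """
    expected_netloc = urlsplit(base_url).netloc.lower()
    return headers.get("Host", "").strip().lower() == expected_netloc
```

The hardened builder still produces a valid link when the request carries an attacker-supplied Host; only the logging check reacts to it.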
