
Host Header Injection in password-controller.js #31

@SENSEiXENUS

Description

  • An attacker can reset another user's account and also inject a malicious host header which will form part of the password reset url and when clicked by the user, the password reset token will be sent to the attacker leading to Account Takeover.
      // Vulnerable: the link origin is taken from the request's Host header,
      // which the sender of the reset request controls.
      var mailOptions = {
        to: user.email,
        from: '[email protected]',
        subject: 'Reset your password on node-stripe-membership.herokuapp.com',
        text: 'You are receiving this email because you (or someone else) have requested the reset of the password for your account.\n\n' +
          'Please click on the following link, or paste this into your browser to complete the process:\n\n' +
          'http://' + req.headers.host + '/reset/' + token + '\n\n' +
          'If you did not request this, please ignore this email and your password will remain unchanged.\n'
      };
  • E.g.
      curl [reset-url] -H "Host: malicious.com"
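Added example, not code from this repository: the link-building pattern described in the issue next to a hardened version that takes its origin from server-side configuration, plus an Express-style middleware that rejects requests with an unexpected Host header. It assumes the reset route is `/reset/:token` as in the snippet above; `APP_BASE_URL` is a placeholder configuration name.

```javascript
// Added example (not the project's code). Assumed: reset route is /reset/:token;
// APP_BASE_URL is a placeholder environment variable holding the canonical origin.

const APP_BASE_URL = process.env.APP_BASE_URL || 'https://app.example.invalid';

// Pattern from the issue: the origin of the emailed link is copied from the
// request's Host header, which whoever sends the reset request controls.
function buildResetUrlUnsafe(req, token) {
  return 'http://' + req.headers.host + '/reset/' + token;
}

// Hardened: the Host header is ignored; the origin is fixed by configuration and
// the token is URL-encoded so it cannot alter the path or query of the link.
function buildResetUrlSafe(token, baseUrl = APP_BASE_URL) {
  return new URL('/reset/' + encodeURIComponent(token), baseUrl).toString();
}

// Defence in depth: middleware that refuses any request whose Host header does
// not match the configured host (include the port if it is non-default), so
// unexpected Host values never reach a handler that might echo them.
function hostAllowlist(expectedHost) {
  const expected = expectedHost.toLowerCase();
  return function (req, res, next) {
    const got = String(req.headers.host || '').toLowerCase();
    if (got !== expected) {
      res.statusCode = 400;
      return res.end('Bad Request: unexpected Host header');
    }
    return next();
  };
}
```

Wire `hostAllowlist(new URL(APP_BASE_URL).host)` in front of the reset route and build the email link with `buildResetUrlSafe(token)`; a request carrying `Host: malicious.com` is then rejected before the email is composed.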
