The application constructs password reset (and possibly other authentication-related) links using the Host header from incoming HTTP requests without proper validation.
An attacker can supply a malicious Host header when triggering a password reset for a victim. The generated password reset email then contains a link to the attacker's domain.
If the victim clicks this link, the attacker can intercept the reset token and take over the account.
🛑 Security Issue: Host Header Injection → Password Reset Link Manipulation → Account Takeover
Severity: High
Vulnerability Type: Host Header Injection, Password Reset Link Manipulation, Account Takeover
Affected Component(s): Password reset email generation logic (e.g., functions using req.headers.host), authentication flows.
Attack Vector: Remote / unauthenticated
🧠 Description
The application constructs password reset (and possibly other authentication-related) links using the Host header from incoming HTTP requests without proper validation.
An attacker can supply a malicious Host header when triggering a password reset for a victim. The generated password reset email then contains a link to the attacker's domain.
If the victim clicks this link, the attacker can intercept the reset token and take over the account.
📍 Vulnerable Code Example
The host value taken from the request is embedded into password reset URLs without any validation.
🧪 Steps to Reproduce
1. Go to the Forgot Password page for a victim account (e.g. victim@example.com).
2. Intercept the HTTP request (e.g. using Burp Suite, curl, or a proxy).
3. Modify the Host header to an attacker-controlled domain:
   Host: attacker.com
4. Submit the password reset request.
5. The victim receives a password reset email with a malicious link:
   https://attacker.com/reset-password?token=<victim-token>
6. If the victim clicks the link, their browser connects to attacker.com, leaking the token.
7. The attacker uses this token on the legitimate site to reset the password and take over the account.
✅ Result: Full account takeover of the victim.
🛡 Impact
Account Takeover of any user whose password reset email can be triggered.
High severity as the vulnerability affects authentication flows.
Can also be used for phishing, session fixation, or open redirect attacks.
🧰 Suggested Remediation
Do not use req.headers.host or any client-supplied header for security-sensitive URLs.
Use a hardcoded, trusted base URL from environment variables or config.
Optionally, validate the Host header against a whitelist if dynamic host resolution is required.
Add automated tests to ensure password reset URLs always use the legitimate domain.