Article Link: medium.com/@deepanshudev369/interesting-story-of-an-account-takeover-vulnerability-140a45a058a3
I understand that, in order to exploit this type of vulnerability, I need to create a website that uses the same domain name I replaced in the Host header. Thanks for the video !! 👍
Great video. Thank you brother, your videos always add value.
Great video. Your videos are always helpful. Thank you very much.
Nice explanation
Great brother. Please solve all the PortSwigger labs.
Very nice
Can you explain through a video how we can perform ATO step by step?
Thanks for the video. Is there a way we can get the reset token before it goes to the mailbox?
@rohankar1307 Unfortunately, no.
Nice one
Shall we try these bypass methods in CORS too?
Nice 👍
Please, what's the Telegram link?
telegram.me/bepracticaltech
Today, while testing one BB website, I saw that when I go to sign up using a phone number, the OTP is leaked in the response in Burp Suite, and I can log in/sign up with any phone number. When I submitted it, the triager marked it as N/A.
@4xoxo0 After completing verification by the OTP, I can get it in the response. It's not a vulnerability, but that's not good practice for a web application. They should use only the validation result in the response.
Then add the HackerOne mediation team!
But you did not use Burp Collaborator.
Do you have a video on host header injection? I want to learn that first.
@om3726 Not as of now, but I'll definitely plan to release it soon.
Lab tutorial please 😢
Ok, but the link for password reset works only on that domain, so if you change it the link will do nothing. It just works in subdomains.
@Ak1r4Yuk1 That's not what the attack is!
Once the victim clicks on the link and is redirected to the attacker's website, the attacker will receive the reset password token in their server logs.
They can then use it to reset the password on behalf of the victim.
@BePracticalTech You should include those words inside the video to give viewers the complete info about the vulnerability...
Anyway, the video is informative.
woww..👍
Bro, such a simple video, did not expect it from you.
I can understand this may feel simple for you but not for others (especially beginners). I feel it's my job to let my subs know about all kinds of possibilities, whether simple or advanced.
@musawerkhan9817 Yeah, long time ago.
@BePracticalTech Yes, but you should always add some impacts, like what advantage we got through the vulnerability and how we got it. That makes sense for beginners and pros both. ❤
The video missed the last and most important part:
The attacker can redirect the user to a remote website and the attacker gets the victim's password reset token! And before the victim uses the token, the attacker can reset the password and take over the account 🎉
It's a host header injection. I don't understand how it was the cause of ATO.
Hi there, let me explain it to you.
Attacker's Perspective:
1. Attacker intercepts the request
2. Then he changes the email address field to the victim's account (victim@gmail.com)
3. Changes the host header to his controlled domain (like attacker.com)
4. Sends the request
Victim's Perspective:
1. Victim clicks on the link sent to his email (since it will originate from a legitimate email address, many people won't suspect it as a malicious link)
2. They will be redirected to the attacker's website.
At this point, the attacker will have the reset token for the victim's account, which he can use to reset the victim's password.
This is known as one-click account takeover because of reset password link poisoning.
@BePracticalTech Okay bro. I'm really glad to get your reply. It captivated me. Understood, everything is now crystal clear.
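As an added example (not code from the video, the linked article or any commenter), the following shows, from the defender's side, what decides whether the Host header trick explained in this thread works: a reset-link builder that copies the client-controlled Host header next to one that refuses unexpected hosts and builds the link from server configuration only, plus a token store that keeps only a hash, expires tokens and allows a single use, which narrows the window in which a leaked token is worth anything. The hostnames `example.com` and `attacker.example`, `CANONICAL_ORIGIN`, `ALLOWED_HOSTS`, `ResetTokenStore` and the sample request dicts are all assumptions constructed for this demo, not values from the page.

```python
import hashlib
import secrets
import time
from urllib.parse import urlencode, urlparse

# Assumed server-side configuration: the only origin reset links may point to.
CANONICAL_ORIGIN = "https://example.com"
ALLOWED_HOSTS = {"example.com", "www.example.com"}
TOKEN_TTL_SECONDS = 15 * 60

# Constructed sample requests as the server sees them. The second one carries
# a Host header rewritten in an intercepting proxy, as described in the thread.
LEGIT_REQUEST = {"host": "example.com", "email": "victim@example.com"}
POISONED_REQUEST = {"host": "attacker.example", "email": "victim@example.com"}


def build_reset_link_vulnerable(request, token):
    """Vulnerable pattern: the link host is copied from the client-controlled
    Host header, so a poisoned request yields a link to the attacker's site."""
    return f"https://{request['host']}/reset?{urlencode({'token': token})}"


def build_reset_link_hardened(request, token):
    """Hardened pattern: reject unexpected Host values outright and build the
    link from server-side configuration, never from the request."""
    if request["host"].lower() not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected Host header: {request['host']!r}")
    return f"{CANONICAL_ORIGIN}/reset?{urlencode({'token': token})}"


def link_host(link):
    """Hostname a reset link points at (what the victim's browser will contact)."""
    return urlparse(link).hostname


class ResetTokenStore:
    """Stores only a hash of each token, with an expiry, and allows one use."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._tokens = {}        # sha256(token) -> (email, expires_at)

    def issue(self, email):
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._tokens[digest] = (email, self._now() + TOKEN_TTL_SECONDS)
        return token             # clear token goes into the mail, hash stays here

    def consume(self, token):
        """Return the email the token was issued for, or None if the token is
        unknown, expired or already used. Pop first so a token is single-use."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._tokens.pop(digest, None)
        if entry is None:
            return None
        email, expires_at = entry
        if self._now() > expires_at:
            return None
        return email


def demo():
    """Issue a token for the victim and compare where each builder sends it."""
    store = ResetTokenStore()
    token = store.issue(LEGIT_REQUEST["email"])
    poisoned_link = build_reset_link_vulnerable(POISONED_REQUEST, token)
    safe_link = build_reset_link_hardened(LEGIT_REQUEST, token)
    return link_host(poisoned_link), link_host(safe_link)


if __name__ == "__main__":
    print(demo())
```

The hardened builder does two things: it rejects the request when the Host header is not one the deployment expects (a generic 400 is the right response in a real handler), and it never reads the host back out of the request when composing the link. The store complements that: even if a token does reach a third party, it is worthless once the victim's own click consumed it or the TTL passed.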
👍
First 🔥