23 Feb, 2024

Password reset poisoning


Anyone working in ethical hacking, cybersecurity or pentesting today needs to be aware of this vulnerability.

A technique known as “password reset poisoning” involves an attacker manipulating a vulnerable website to create a password reset link that points to a domain that is under their control. This activity can be used to compromise users’ accounts by stealing the secret tokens needed to reset passwords for random users.

Almost all websites that require a login also offer a way for users to reset their password if they forget it. There are several approaches to this, with differing levels of practicality and security. One of the most widely used works like this:

1. The user requests a password reset by entering their email address or username.

2. After verifying that the user exists, the website generates a short-lived, unique, high-entropy token and associates it with the user’s account in the backend.

3. The user receives an email from the website containing a link to reset their password, with the token embedded in the URL.

4. When the user opens this URL, the website uses the token to identify which account is being reset and checks that the token is still valid. If everything checks out, the user can enter a new password. The token is then destroyed.

Compared to some other methods, this procedure is fairly secure and easy to follow. But its security rests on the assumption that only the intended user can read their email inbox and, consequently, their unique token. Stealing this token through a technique called password reset poisoning is one way to change another user’s password.
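The token handling described in the steps above, written out as an added example (not code from the original article): a small in-memory store that issues a high-entropy token, keeps only its hash server-side, expires it after a fixed window and destroys it on first use. The class name, the 15-minute window and the injectable clock are this example’s own assumptions.

```python
# Added example (not from the original article): a minimal reset-token store
# implementing the flow described above: a short-lived, single-use,
# high-entropy token bound to one account. Only a hash of the token is kept
# server-side, so a leaked database does not hand out usable reset links.
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: 15-minute validity window


class ResetTokenStore:
    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str) -> str:
        """Create a fresh token for user_id and return the raw token.

        The raw value goes into the emailed link; only its hash is stored.
        Any earlier outstanding token for the same user is dropped so one
        account never has two live reset links at once.
        """
        self._pending = {h: v for h, v in self._pending.items() if v[0] != user_id}
        token = secrets.token_urlsafe(32)    # 256 bits from the OS CSPRNG
        expires_at = self._clock() + TOKEN_TTL_SECONDS
        self._pending[self._digest(token)] = (user_id, expires_at)
        return token

    def consume(self, token: str):
        """Validate and destroy a token. Returns the user_id or None.

        A token is rejected if it is unknown, expired or already used. It is
        removed on the first lookup either way, so a link cannot be replayed.
        """
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._clock() > expires_at:
            return None
        return user_id


if __name__ == "__main__":
    store = ResetTokenStore()
    raw = store.issue("alice")
    print("first use:", store.consume(raw))    # alice
    print("replay:", store.consume(raw))       # None
```

The reset endpoint would call `issue()` when the email is requested and `consume()` when the link is opened; everything else in the flow (who gets the email, what URL the token is embedded in) is independent of this class.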


In this example we will play both roles, victim and attacker.

Step one (attacker)
We forge the original link

We use Burp Suite to find the victim’s password reset request and change the hostname in it, to verify that the application actually uses the Host header: we change the host name to ours.


The attacker’s host is called evil-host.net; that is the name we enter in the Host line.

Now as a victim, we follow the link that leads to the password reset.

The victim enters their nickname so that the system can find the user and send a link to recover the password.

After the victim clicks on the link, the attacker checks the access log of evil-host.net and sees an IP address different from their own: the victim’s. By following the link, the victim has unknowingly handed over the temporary authentication token, which is used in the next step.

Now the bad guy’s got the token.

The attacker takes the original (legitimate) link captured earlier, appends the stolen authentication token and is able to change the password.

The attacker enters the token number in the URL

Goes on to the personal cabinet and changes the password to their own.

It’s a done deal: password successfully changed, account stolen.

Code example

Python (Flask)

    from flask import Flask, request, render_template

    app = Flask(__name__)

    # generate_token() and send_email() are the application's own helpers (not shown)

    @app.route('/reset', methods=['POST'])
    def reset_password():
        user_email = request.form['email']
        # Vulnerable: the link is built from the client-controlled Host header
        reset_link = "http://" + request.headers['Host'] + "/reset/" + generate_token(user_email)
        send_email(user_email, reset_link)
        return render_template('reset_sent.html')

PHP

    <?php
    // generateToken() is the application's own helper (not shown)
    if (isset($_POST['email'])) {
        $userEmail = $_POST['email'];
        $resetToken = generateToken($userEmail);
        // Vulnerable: HTTP_HOST is taken straight from the client's Host header
        $resetLink = 'http://' . $_SERVER['HTTP_HOST'] . '/reset.php?token=' . $resetToken;
        mail($userEmail, "Password Reset", "Follow this link to reset your password: " . $resetLink);
    }

Node.js (Express)

    // generateToken() and sendEmail() are the application's own helpers (not shown)
    app.post('/reset', function(req, res) {
        var userEmail = req.body.email;
        var resetToken = generateToken(userEmail);
        // Vulnerable: req.headers.host is whatever the client sent
        var resetLink = 'http://' + req.headers.host + '/reset/' + resetToken;
        sendEmail(userEmail, resetLink);
        res.send('Reset email sent');
    });

In all three examples the application builds the password reset link from the Host header of the incoming request, a value the client controls. Any attacker who can get the application to process a reset request for a victim can therefore choose the domain that the emailed link points to.
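The fix, as an added example that is not part of the original article: build the link from an origin the application is configured with, never from the request, and treat the Host header only as something to validate and log. The vulnerable variant reproduces the snippets above as a plain function so both can be run on the same input; `CANONICAL_ORIGIN`, `ALLOWED_HOSTS` and the function names are this example’s own assumptions, not framework APIs.

```python
# Added example (not from the original article): the reset-link construction
# from the snippets above as pure functions, so the vulnerable and hardened
# variants can be compared on identical input. CANONICAL_ORIGIN, ALLOWED_HOSTS
# and the function names are assumptions of this example.
import logging
from urllib.parse import urlsplit

# The origin the application *knows* it is served from: deployment config,
# never derived from the request.
CANONICAL_ORIGIN = "https://example.com"                        # assumed value

# Exact host names the application is legitimately served under.
ALLOWED_HOSTS = frozenset({"example.com", "www.example.com"})   # assumed values

log = logging.getLogger("password_reset")


def build_reset_link_vulnerable(headers: dict, token: str) -> str:
    """Mirrors the page's snippets: trusts the client-supplied Host header."""
    return "http://" + headers["Host"] + "/reset/" + token


def host_is_allowed(host_header: str) -> bool:
    """Exact-match check of a Host header value against ALLOWED_HOSTS.

    Parsing it as an authority strips an optional ':port' and exposes any
    smuggled userinfo ('example.com@evil-host.net') or path, which are
    rejected. A substring test such as '"example.com" in host' is avoided on
    purpose: it would accept example.com.evil-host.net.
    """
    if not host_header:
        return False
    try:
        parts = urlsplit("//" + host_header)
    except ValueError:                      # e.g. malformed bracketed IPv6
        return False
    if parts.username is not None or parts.path or parts.query or parts.fragment:
        return False
    return (parts.hostname or "").lower() in ALLOWED_HOSTS


def build_reset_link_hardened(headers: dict, token: str):
    """Build the link from CANONICAL_ORIGIN, never from the request.

    The Host header is still inspected: a value outside the allowlist is
    returned (and logged) as a possible poisoning attempt so the SOC can see
    it. Returns (link, suspicious_host_or_None).
    """
    host = headers.get("Host", "")
    suspicious = None if host_is_allowed(host) else host
    if suspicious is not None:
        log.warning("password reset requested with unexpected Host: %r", host)
    return f"{CANONICAL_ORIGIN}/reset/{token}", suspicious


if __name__ == "__main__":
    # Constructed request headers, as an attacker from the walkthrough would send them.
    attacker_headers = {"Host": "evil-host.net"}
    print("vulnerable:", build_reset_link_vulnerable(attacker_headers, "TOKEN"))
    print("hardened:  ", build_reset_link_hardened(attacker_headers, "TOKEN"))
```

Note that the hardened builder does not try to "sanitise" the Host header into a safe link; it ignores it for link construction entirely. The allowlist check exists so that tampered requests are visible in logs, and so that a reverse proxy misconfiguration (forwarding arbitrary Host values) is caught in testing rather than in production.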

Methodology and Checklist

1. Identify Password Reset Feature:

Find where in the application the password reset feature is located.

2. Intercept Reset Request:

To intercept the request to reset the password, use a proxy tool.

3. Manipulate Host Header:

Change the Host header to an unexpected value or a domain under the control of the attacker.

4. Analyze Response:

Verify whether the email or response data’s reset link makes use of the manipulated Host value.

5. Test Link Behavior:

Check if the link takes you to an attacker-controlled website by clicking on it (in a secure setting).

6. Repeat with Variations:

Experiment with various Host header iterations, incorporating popular bypass methods.

7. Document Findings:

Keep track of the actions, reactions, and any effective exploitation strategies.

Software and tools

Manual Tools

1. Burp Suite

Extension “Host Header Attack”: change the Host header in intercepted password reset requests, then keep an eye out for the manipulated value turning up in reset links in emails or responses.

Requester to craft or alter HTTP requests by hand: change the Host header in password reset requests using the manual request editor, then examine the application’s response.

3. Tamper Data (Browser Plugin)

Before the password reset request is sent, tamper with the HTTP request straight from the browser by changing the Host header.

Automated Tools

1. Nmap

Does not test for Host header injection directly, but its scripting engine (NSE) can be used to automate custom HTTP header checks.

2. Sqlmap

Well known for SQL injection, but can also be used to test header injection by supplying custom headers with the --headers option.

3. WFuzz

A fuzzing tool for testing different inputs, including HTTP headers. Use it to try many Host header values automatically.

4. Commix

An automated all-in-one OS command injection and exploitation tool. It can be used to check for command injection flaws that Host header poisoning could expose.

CVSS Score

Depending on variables like the following, the CVSS score for password reset poisoning can range from Medium (4.0-6.9) to High (7.0-8.9).

Scope: Whether the vulnerability lets an attacker cross a boundary (e.g., from network to application).

Impact: The extent to which the vulnerability affects the system’s confidentiality, integrity and availability.

Exploitability: How easily an attacker can take advantage of the vulnerability, given the privileges and user interaction required.

Each occurrence of this vulnerability has to be evaluated according to its own attributes and its possible impact on the affected system in order to obtain an accurate score.


1. CWE-601: URL Redirection to Untrusted Site

The application sends the user to a requested URL without properly validating it; this can serve as bait in a password reset attack.

2. CWE-290: Authentication Bypass by Spoofing

If an attacker is able to control the password reset procedure, they can get around authentication safeguards.

3. CWE-20: Improper Input Validation

The application fails to correctly validate input used in security-sensitive operations, such as building password reset links.

Top CVEs

Because password reset poisoning vulnerabilities are frequently reported under more general categories like cross-site scripting (XSS), open redirect, or improper authentication, it can be difficult to identify the top CVEs (Common Vulnerabilities and Exposures) specifically related to this issue. Nonetheless, flaws that permit related attack methods, like header injection or open redirects, can shed light on potential exploits for password reset poisoning. As examples, consider:

1. CVE-2019-14833

A Micro Focus Service Manager vulnerability allowed for the possibility of phishing attacks and user redirection to random websites via specific unauthenticated URLs.

2. CVE-2018-1000007

Attackers were able to get around intended access restrictions in Electron prior to versions 1.7.13, 1.8.4, and 2.0.0-beta.3 by using a crafted URL.

3. CVE-2020-5410

Applications can supply arbitrary configuration files through the spring-cloud-config-server module for Spring Cloud Config, versions 2.1.x before 2.1.9, versions 2.2.x before 2.2.3, and older unsupported versions.

Popular exploits

1. Host Header Manipulation:

By altering the Host header of the HTTP request, an attacker can trick the application into creating a password reset link that points to a malicious domain while sending a password reset request.

2. Open Redirect Vulnerabilities:

If the application has an open redirect vulnerability, an attacker could craft a password reset link that first goes to the official application and is then redirected to a page under their control, where the reset token can be retrieved.

3. Email Parameter Injection:

If the application concatenates user input unsafely, an attacker may be able to manipulate the password reset email to include malicious links or content by injecting extra parameters or headers into email fields.

4. Cross-Site Scripting (XSS) in Email Templates:

If user input used in email templates is not properly sanitized, an XSS payload could be injected into the password reset email, which could result in account takeover.

5. Subdomain Takeover:

An attacker can obtain reset tokens sent to users if the application creates password reset links that point to a subdomain they can control (for example, because the domain registration has expired).

6. Referrer Header Spoofing:

After a password reset attempt, an attacker could use the Referer header along with other vulnerabilities to reroute users to malicious websites.

7. Session Fixation via Password Reset:

A password reset flow could be used by an attacker to fixate a session identifier and access the user’s account after it has been reset.

8. Cache Poisoning to Serve Malicious Password Reset Pages:

A vulnerable application’s cache or an intermediary proxy could be contaminated by an attacker, allowing them to send victims malicious password reset pages.

9. IDN Homograph Attack in Reset Emails:

Attackers can use internationalized domain names that mimic legitimate domain names to persuade users to click on malicious links in password reset emails.

10. Manipulating Success/Failure Responses:

Through meticulous observation and manipulation of the application’s responses to password reset requests, malicious actors may be able to deduce legitimate user accounts or manipulate the flow to their benefit.

Courses and Books


1. Web Security Fundamentals by Khan Academy

An approachable overview of the fundamentals of web security, including HTTPS, online vulnerabilities, and secure design concepts.

2. The Complete Web Application Hacking & Penetration Testing Course

This course covers a wide range of web application vulnerabilities and provides useful advice on how to test and secure web applications against different types of attacks, such as session management and authentication-related ones.

3. Web Application Penetration Testing Professional (WAPTP v3.1)

A comprehensive course aimed at intermediate to advanced students that focuses on real-world penetration testing abilities for web applications, such as locating and taking advantage of authentication mechanism weaknesses.

4. Hacking and Patching by the University of Colorado

This course offers a hands-on approach to web security, covering topics like password management and session handling, with practical exercises on finding vulnerabilities and patching them.

5. Advanced Web Attacks and Exploitation (AWAE) 

This course, which is aimed at seasoned penetration testers, delves deeply into sophisticated web application exploitation methods and provides insights that can be used to find and fix sophisticated vulnerabilities like password reset poisoning.


1. The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws

A thorough manual on web application security that addresses many different aspects, such as session management and authentication flaws that are important to comprehending password reset poisoning.

2. Hacking: The Art of Exploitation, 2nd Edition

This book offers a deep dive into the world of exploitation, providing foundational knowledge applicable to web security, even though it is not specifically focused on web applications.

3. Web Hacking 101

This book provides insights into web application vulnerabilities, including those pertaining to authentication and session management, by focusing on real-world vulnerabilities and how they were found and exploited.

4. Black Hat Python: Python Programming for Hackers and Pentesters

This book examines the use of Python for a variety of hacking tasks, such as web application security testing, which may be useful in locating and addressing vulnerabilities linked to password resets.

5. Penetration Testing: A Hands-On Introduction to Hacking

This book, which is written for novices, goes over the principles of penetration testing, including methods for evaluating and taking advantage of web applications.


Password reset poisoning is a sophisticated attack vector that targets weaknesses in web applications’ password reset procedures. It takes advantage of the way applications create password reset links, frequently from user-supplied information like the HTTP Host header, which an adversary can manipulate. Depending on the attacker’s goal and the application’s role within an organization, the effects of such attacks range from unauthorized account access to wider security breaches.

Since the password reset procedure is a vital part of an application’s authentication system, the importance of its security cannot be overstated. By following web security best practices, developers can protect user accounts, preserve the integrity and reliability of their applications, and shield users from the risks associated with password reset poisoning.
