
Token Leakage via…

Hello guys, welcome back👋👋👋


Hope you are all doing well, and that my articles are being helpful to you. I have been learning these vulnerabilities and sharing my insights with you while practicing myself. As I mentioned in my last post, my finding turned out to be a duplicate once again🥲. But no issues, let us keep practicing and one day we will get it. Okay, talk aside. Today let us learn about Token Leakage. It can be found in two ways, and we will learn both. Without further ado, let us dive into our maze.


What is a Token

First, let us know what a token is. In digital terms, a token is a piece of information issued for a particular purpose. For example, in customer service, when we raise an issue we are given a token, or a kind of ticket, to keep track of it. Tokens help us keep track of our information, our issue, or whatever else they are issued for. A token is a special (confidential) one when it is used to carry sensitive information.


So from the term Token Leakage you will have understood that the token is being leaked. As we already know, nothing in this digital space is useless and everything can be used against something. This token contains information that can be abused if it reaches the wrong party, so it is our duty to make sure such critical information is not sent out.


The two ways in which such token leakage can be found are via the Host header and via the Referrer. Let us learn both of them in brief.


Token Leakage via Host Header Poisoning

The Host header is a piece of information, in addition to the IP address and port number, that identifies which web domain or application a request is meant for on a server that may host several. If the token can be leaked by manipulating this header, it is called token leakage via Host header poisoning. I am taking the scenario of the password reset page.


How to find
  1. Open up your browser (I like to use Firefox) and Burp Suite (or another proxy you like).

  2. Visit the forgot password page (/home/login/forgot_password).

  3. Enter the victim's email address and click on Reset Password.

  4. Intercept the HTTP request in Burp Suite and change the Host header to your malicious site/server.

Example:

[Image: request for the password change function before changing the Host header]

[Image: request for the password change function after changing the Host header to evil.com]


(The above images are just for reference and are not taken from any real website.) Now, after you forward the request, if you are redirected to the malicious server and the victim gets an email whose reset link points to the malicious site we set as Host (here evil.com), then it is a vulnerability.


It is a P2 on Bugcrowd, and it is not that hard to find, but it is not that commonly present. So you really have to look for it.
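To see why the bug exists and how it is fixed on the server side, here is an added example (my own code, not from the original post or any real site) of a password-reset link builder. The vulnerable version derives the link from the client-controlled Host header (or X-Forwarded-Host behind a proxy), which is exactly what the intercepted request above abuses; the hardened version only validates the Host header against an allowlist and builds the link from a configured canonical base URL. A small detection helper flags unknown Host values in access-log lines. All host names, the token value and the log lines are constructed for the demo.

```python
# Added example, not the original post's code. Shows a reset-link builder that
# trusts the Host header next to one that pins the link to a configured origin.
# Host names, token and log lines below are constructed for the demo.

from typing import Optional, List
from urllib.parse import urlsplit

CANONICAL_BASE = "https://www.example-shop.test"              # constructed: the site's real origin
ALLOWED_HOSTS = {"www.example-shop.test", "example-shop.test"}  # constructed allowlist


def vulnerable_reset_link(headers: dict, token: str) -> str:
    """Builds the link the way many apps do by default: from the request's
    own Host header (or X-Forwarded-Host when sitting behind a proxy).
    Whatever host the client sends ends up in the victim's email."""
    host = headers.get("X-Forwarded-Host") or headers["Host"]
    return f"https://{host}/reset?token={token}"


def hardened_reset_link(headers: dict, token: str) -> Optional[str]:
    """Never derives the link from client-controlled headers. The Host header
    is only checked against the allowlist; the link itself always uses the
    configured canonical base. Unknown hosts are rejected (and should be logged)."""
    hostname = headers.get("Host", "").split(":", 1)[0].lower()  # ignore an explicit port
    if hostname not in ALLOWED_HOSTS:
        return None
    return f"{CANONICAL_BASE}/reset?token={token}"


def link_points_to_attacker(link: str) -> bool:
    """Demo check: does the generated link leave our own domains?"""
    return urlsplit(link).hostname not in ALLOWED_HOSTS


def suspicious_hosts(log_lines: List[str]) -> List[str]:
    """Detection side: pull the host= field out of key=value access-log lines
    and report every value outside the allowlist, so a poisoning attempt is
    visible even if no email was ever sent."""
    found = []
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split() if "=" in part)
        host = fields.get("host", "").split(":", 1)[0].lower()
        if host and host not in ALLOWED_HOSTS:
            found.append(host)
    return found


if __name__ == "__main__":
    token = "CONSTRUCTED-TOKEN-123"
    forged = {"Host": "evil.test"}  # what the intercepted, edited request looks like to the app
    print("vulnerable:", vulnerable_reset_link(forged, token))  # link now points at evil.test
    print("hardened:  ", hardened_reset_link(forged, token))    # None: request rejected
    print("log review:", suspicious_hosts([
        "method=POST path=/home/login/forgot_password host=www.example-shop.test",
        "method=POST path=/home/login/forgot_password host=evil.test",
    ]))
```

The design point is that the Host header is fine for routing and for an allowlist check, but the value that goes into an email (or into any absolute URL the server generates) must come from configuration, never from the request.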


Token Leakage via Referrer

This can again happen in 3 ways:

  1. Trusted 3rd party — P5

  2. Untrusted 3rd party — P4

  3. Over HTTP — P4

A referrer is something that points to another thing. We see many icons in emails and web pages that point to other URLs, such as an Instagram icon that leads to an Instagram page. When you click such a link, the browser sends the address of the page you came from in the Referer header, and that is the referrer we are going to discuss.


How to find
  1. Send a password reset link to your own account.

  2. Open the password reset page from your inbox.

  3. Click on any social media link you see on that page.

  4. Intercept the request using Burp Suite.

  5. You will see the password reset link in the Referer header.


If the referrer is sent to a trusted 3rd party it is a P5, if it is sent to an untrusted 3rd party it is a P4, and if it is sent over HTTP it is also a P4.
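Whether the token actually reaches the third party depends on the page's Referrer-Policy and on whether the link is HTTPS or plain HTTP, which is why the three cases above are rated differently. As an added example (my own code, not from the original post), the function below models what a browser puts in the Referer header for each policy value, following the Referrer Policy spec, and reports whether the reset token leaks. Modern browsers default to strict-origin-when-cross-origin, which strips the path and query on cross-origin clicks; the older default, no-referrer-when-downgrade, sends the full URL to any HTTPS third party. The reset URL, token and link targets are constructed for the demo.

```python
# Added example, not the original post's code. Simulates the browser's Referer
# computation per Referrer-Policy value so the three leak cases (trusted third
# party, untrusted third party, over HTTP) can be reasoned about offline.
# The page URL, token and link targets are constructed for the demo.

from typing import Optional, Dict
from urllib.parse import urlsplit, urlunsplit


def origin_of(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def stripped_url(url: str) -> str:
    """A URL 'stripped for use as a referrer': no credentials, no fragment."""
    p = urlsplit(url)
    netloc = (p.hostname or "") + (f":{p.port}" if p.port else "")
    return urlunsplit((p.scheme, netloc, p.path, p.query, ""))


def referer_for(page_url: str, target_url: str,
                policy: str = "strict-origin-when-cross-origin") -> Optional[str]:
    """Value of the Referer header sent when navigating from page_url to
    target_url under the given policy, or None when nothing is sent."""
    src, dst = urlsplit(page_url), urlsplit(target_url)
    same_origin = origin_of(page_url) == origin_of(target_url)
    downgrade = src.scheme == "https" and dst.scheme == "http"  # the "over HTTP" case
    full, origin = stripped_url(page_url), origin_of(page_url)

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin":
        return origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "strict-origin-when-cross-origin":
        if downgrade:
            return None
        return full if same_origin else origin
    raise ValueError(f"unknown Referrer-Policy {policy!r}")


def leaks_token(page_url: str, target_url: str, policy: str, token: str) -> bool:
    """True when the reset token would appear in the Referer sent to target_url."""
    ref = referer_for(page_url, target_url, policy)
    return ref is not None and token in ref


def leak_report(page_url: str, token: str, targets, policy: str) -> Dict[str, bool]:
    """Which of the page's outbound links would carry the token under this policy."""
    return {t: leaks_token(page_url, t, policy, token) for t in targets}


if __name__ == "__main__":
    token = "CONSTRUCTED-TOKEN-123"
    page = f"https://www.example-shop.test/reset?token={token}"
    links = [
        "https://www.instagram.com/example_shop",   # trusted 3rd party (HTTPS)
        "https://tracker.test/pixel",              # untrusted 3rd party (HTTPS)
        "http://legacy-partner.test/",             # over plain HTTP
    ]
    for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        print(policy, leak_report(page, token, links, policy))
```

The fix on the page is to send `Referrer-Policy: no-referrer` on the reset page (or add `rel="noreferrer"` to its outbound links); the stronger fix is to not keep the token in the URL at all, for example by consuming it once and redirecting to a clean URL before any third-party link can be clicked.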



So now you know how to find these vulnerabilities; practice and try to find one. As I said, they are easy to find but not commonly available. So look out and don't lose hope.


That's all from my side today; I will catch you again in the next post with another vulnerability. I would love to hear your feedback and improve myself. Check out my Instagram for more updates and tricks.


Till then take care and Happy Hacking!!!👋👋
