Host Header Injection In Password Reset #2491

Open
chimmeee opened this issue Feb 17, 2025 · 1 comment

Comments

@chimmeee

Token Leakage via Host Header Manipulation (Host Header Injection)

In the file at passwordResetRoutes.js

[image]

The reset link uses: `http://${req.headers.host}/reset-password/${token}`. Attackers can manipulate the Host header to point to a malicious domain or to another port of the domain:

[image] [image]

Since the password reset domain is hosted on an onrender.com subdomain, attackers can manipulate the process by redirecting traffic to another malicious onrender.com subdomain. If the user clicks on the reset link in the email, the attacker could intercept the reset token, leading to account takeover.

Exploiting the issue with a rogue onrender.com subdomain

[image] [image]

Fix: define a trusted domain to mitigate Host Header Injection:

Set a predefined trusted domain at the beginning of the password reset process:

```js
// Host name that the reset link is built from; never taken from the request.
const TRUSTED_DOMAIN = process.env.TRUSTED_DOMAIN || "vigybag-backend.onrender.com";
```

Update the email template to use the trusted domain instead of req.headers.host:

```js
const mailOptions = {
  to: user.email,
  from: "[email protected]",
  subject: "Password Reset",
  // Scheme added so the link is absolute and clickable; the host is the
  // configured TRUSTED_DOMAIN, not req.headers.host.
  text: `You are receiving this because you (or someone else) requested a password reset for your account.\n\n
    Please click the following link or paste it into your browser to complete the process:\n\n
    https://${TRUSTED_DOMAIN}/reset-password/${token}\n\n
    If you did not request this, please ignore this email, and your password will remain unchanged.\n`,
};
```
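The pattern described in this issue, as an added example that is not the project's code: the vulnerable link builder that reflects `req.headers.host` is shown beside a hardened builder that takes its origin from configuration only, plus an exact-match host allowlist for deployments that still need to inspect Host. `TRUSTED_ORIGIN`, `ALLOWED_HOSTS`, the function names and the forged request object are all assumptions constructed for the example.

```javascript
// Added example (not the project's code). Assumes an Express-style `req`
// object with a `headers` map and a TRUSTED_ORIGIN configured out-of-band.
const TRUSTED_ORIGIN =
  process.env.TRUSTED_ORIGIN || "https://vigybag-backend.onrender.com";

// Vulnerable pattern from the issue: whatever the client sends as Host ends
// up in the e-mail, so a forged Host header redirects the reset link.
function buildResetUrlFromHost(req, token) {
  return `http://${req.headers.host}/reset-password/${token}`;
}

// Hardened: req is not consulted at all; the origin comes from configuration.
// The URL object also guarantees an absolute https link and a safely encoded token.
function buildResetUrl(token, origin = TRUSTED_ORIGIN) {
  const url = new URL(origin); // throws if origin is not an absolute URL
  if (url.protocol !== "https:") {
    throw new Error("reset links must use https");
  }
  url.pathname = `/reset-password/${encodeURIComponent(token)}`;
  return url.toString();
}

// Defence in depth for deployments that must still read Host (several
// legitimate host names): accept only an exact, case-insensitive allowlist
// match; anything else, including other onrender.com subdomains, is rejected.
const ALLOWED_HOSTS = new Set(["vigybag-backend.onrender.com"]);
function hostIsTrusted(req, allowed = ALLOWED_HOSTS) {
  const host = req.headers.host;
  return typeof host === "string" && allowed.has(host.toLowerCase());
}

// Constructed requests: one with a forged Host header, one legitimate.
const forgedRequest = { headers: { host: "attacker-subdomain.onrender.com" } };
const legitRequest = { headers: { host: "vigybag-backend.onrender.com" } };
const sampleToken = "abc123"; // constructed, not a real token

console.log("vulnerable:", buildResetUrlFromHost(forgedRequest, sampleToken));
console.log("hardened:  ", buildResetUrl(sampleToken));
console.log("forged host trusted?", hostIsTrusted(forgedRequest));
console.log("legit host trusted? ", hostIsTrusted(legitRequest));
```

Running the block shows the forged host appearing verbatim in the vulnerable link while the hardened link ignores the request entirely. The allowlist check is only a fallback: the real fix is to stop deriving the link from request data at all, as the issue's patch does.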

Thank you for creating this issue! We'll look into it as soon as possible. Your contributions are highly appreciated! 😊

For more information, join the official Discord.
