There seems to be a Host header injection vulnerability in line 26 of src/password-reset/password-reset.service.ts
What is Host Header Injection?
When an application trusts the Host header without validation, attackers can manipulate it to poison the cache, conduct open redirect attacks, or bypass security controls, potentially leading to account takeover or unauthorized access. This vulnerability occurs because the app assumes the Host header's value without verification, impacting how it constructs URLs or routes.
In the following code, the backend trusts the Host header value and uses it to construct the password reset link:

```typescript
// The Host header is taken straight from the request and used to build the reset link
const resetLink = `http://${req.headers.host}/password-reset?userId=${user.id}&token=${token}`;
const emailOptions = {
  recipient: user.email,
  subject: 'Password Reset',
  content: `Please click on the following link to reset your password: ${resetLink}`,
};
```
Proof-of-concept:
We trigger the forgot password functionality for an existing user, such as victim1@email.com, and provide a malicious host header: Host: attacker-controlled.com.
This sends a password reset email to victim1@gmail.com that contains the following:
Please click on the following link to reset your password: https://attacker-controlled.com/password-reset?userId=<USERID>&token=<TOKENHERE>
Note the host being attacker-controlled.com.
When user victim1 clicks the link and attempts to use the password reset token, the token is leaked to the attacker, allowing the attacker to reset and take over the victim's account.
Mitigation:
The best mitigation I can think of is to store a trusted domain as environment variable and then use that to construct the reset link.
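As an added illustration of that mitigation (example code, not the project's own), the vulnerable link builder is shown beside a hardened one that takes the origin from configuration and never reads the Host header; the configuration value `APP_BASE_URL` and the `hostIsTrusted` allowlist check are assumptions for this example.

```typescript
// Added example, not code from the project. Assumes the trusted origin is supplied
// from configuration (e.g. an APP_BASE_URL environment variable) rather than the request.

interface ResetRequestLike {
  headers: { host?: string };
}

// Vulnerable form (mirrors the reported code): whatever the client sends as Host
// ends up in the emailed link, so a spoofed header redirects the token to the attacker.
function buildResetLinkVulnerable(req: ResetRequestLike, userId: string, token: string): string {
  return `http://${req.headers.host}/password-reset?userId=${userId}&token=${token}`;
}

// Hardened form: the origin comes from configuration, the request is not consulted,
// and URL/searchParams handle encoding of the user id and token.
function buildResetLinkSafe(baseUrl: string, userId: string, token: string): string {
  const origin = new URL(baseUrl);
  if (origin.protocol !== 'https:') {
    throw new Error('trusted base URL must use https');
  }
  const link = new URL('/password-reset', origin);
  link.searchParams.set('userId', userId);
  link.searchParams.set('token', token);
  return link.toString();
}

// Defence in depth: compare the incoming Host against an allowlist so a spoofed
// header can be rejected and logged instead of silently influencing other logic.
function hostIsTrusted(req: ResetRequestLike, allowedHosts: readonly string[]): boolean {
  const host = (req.headers.host ?? '').trim().toLowerCase();
  return allowedHosts.some((h) => h.toLowerCase() === host);
}

// Constructed sample request carrying a spoofed Host header, for demonstration only.
const spoofedRequest: ResetRequestLike = { headers: { host: 'attacker-controlled.com' } };
const TRUSTED_BASE_URL = 'https://app.example.com'; // stands in for APP_BASE_URL

console.log('vulnerable:', buildResetLinkVulnerable(spoofedRequest, 'u1', 't1'));
console.log('hardened:  ', buildResetLinkSafe(TRUSTED_BASE_URL, 'u1', 't1'));
console.log('host trusted?', hostIsTrusted(spoofedRequest, ['app.example.com']));
```

With the hardened builder the emailed link always points at the configured origin, so a manipulated Host header no longer changes where the token is sent.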
Note: A CVE has been assigned for this vulnerability - CVE-2024-51329
PoC - https://github.com/redtrib3/CVEs/tree/main/CVE-2024-51329%20-%20Host%20Header%20Injection