Open AmirhosseinBidokhti opened 2 years ago
@AmirhosseinBidokhti, which way would you suggest one does it?
@void-4 I don't know what the best practice is here, but you can simply hard-code the host that your API is on, or maybe create a list of trusted hosts and check `req.get('host')` against that whitelist before creating the final link.
In the "forgotPassword" functionality, when the link to resetPassword is being created and sent to the user's email:

```js
const resetURL = `${req.protocol}://${req.get('host')}/api/v1/users/resetPassword/${resetToken}`;
```

the host is being dynamically taken from the HTTP Host header and there is no check here. The attacker can simply change it to their own host, and when the user receives the email and clicks on the link, the token will be sent to the attacker's host; then they can change their victim's password.