NordVPN: Host header injection/redirection | signup and login page

2019-12-14T06:19:36
ID H1:758380
Type hackerone
Reporter hassancypher
Modified 2020-02-21T11:27:12

Description

Hey Team.

There's a host header injection vulnerability in the signup and login pages.

If possible, the application should avoid incorporating user-controllable data into redirection targets. In many cases, this behavior can be avoided in two ways:

- Remove the redirection function from the application, and replace links to it with direct links to the relevant target URLs.
- Maintain a server-side list of all URLs that are permitted for redirection. Instead of passing the target URL as a parameter to the redirector, pass an index into this list.

Vulnerable URL: https://affiliates.nordvpn.com/signup

Payload: " Host: constitutionclub.in"

How to reproduce this vulnerability:

1. Open this URL "https://affiliates.nordvpn.com/signup"
2. Send it to the Repeater in Burp Suite, add the payload to the header request and forward the request.
3. It will directly redirect to constitutionclub.in

Impact

Whenever a user visits this URL, it will redirect them to site.com. It is used in phishing attacks.
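
The mitigation described in the report, as an added example that is not part of the original report and not NordVPN's code: the Host header is checked against a server-side allowlist, and the redirect location is built from a fixed origin plus an indexed target. The redirect keys, the accepted port and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Hostname taken from the report; everything else here is assumed.
ALLOWED_HOSTS = {"affiliates.nordvpn.com"}
CANONICAL_ORIGIN = "https://affiliates.nordvpn.com"
# Server-side list of permitted targets; clients send only the key.
REDIRECT_TARGETS = {  # hypothetical keys
    "signup": "/signup",
    "login": "/login",
}


def validated_host(host_header):
    """Return the normalized hostname if it is allowlisted, else None."""
    if not host_header:
        return None
    host = host_header.strip().lower()
    # Anything other than a plain host[:port] is rejected outright.
    if any(c in host for c in "/\\@ \t\r\n,"):
        return None
    try:
        parts = urlsplit("//" + host)
        hostname, port = parts.hostname, parts.port
    except ValueError:  # malformed port or bracketed address
        return None
    if hostname not in ALLOWED_HOSTS or port not in (None, 443):
        return None
    return hostname


def redirect_response(headers, target_key):
    """Return (status, location); the Host header never reaches the location."""
    if validated_host(headers.get("Host")) is None:
        return 400, None
    path = REDIRECT_TARGETS.get(target_key)
    if path is None:
        return 404, None
    return 302, CANONICAL_ORIGIN + path
```

A request carrying the Host value from the report is answered with 400 and no Location header, and a full URL sent in place of a key is answered with 404.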