complete-node-bootcamp

Host header injection in forgotPassword will lead to account takeover

Open AmirhosseinBidokhti opened this issue 3 years ago • 2 comments

In the "forgotPassword" functionality, when the link to resetPassword is being created and sent to the user's email (`const resetURL = \`${req.protocol}://${req.get('host')}/api/v1/users/resetPassword/${resetToken}\`;`), the host is being dynamically selected from the HTTP Host header and there is no check here. The attacker can simply change it to their own host, and when the user receives the email and clicks on the link, the token will be sent to the attacker's host; then they can change their victim's password.

AmirhosseinBidokhti avatar Apr 09 '22 14:04 AmirhosseinBidokhti

@AmirhosseinBidokhti, which way would you suggest one does it?

4PT3SR avatar Aug 16 '22 09:08 4PT3SR

@void-4 I don't know what the best practice is here, but you can simply hard-code the host that your API is on, or maybe create a list of trusted hosts and check `req.get('host')` against that whitelist before creating the final link.

AmirhosseinBidokhti avatar Aug 16 '22 18:08 AmirhosseinBidokhti
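Both mitigations from the last comment (a hard-coded public origin, and an allowlist check on `req.get('host')` before the link is built) as an added example; this is not code from the complete-node-bootcamp project, and `TRUSTED_HOSTS`, `PUBLIC_ORIGIN`, `buildResetURL`, `buildResetURLFixed` and the `makeReq` request stub are assumed names with constructed sample hosts.

```javascript
// Added example (not the project's own code): build the password-reset link
// without trusting an arbitrary Host header.

// Hosts this API is legitimately served on (constructed sample values).
// Compared lower-cased, so the allowlist entries must be lower-case too.
const TRUSTED_HOSTS = new Set(['api.example.com', 'localhost:3000']);

// Option 1 from the thread: a hard-coded public origin (would normally come
// from config/env; the value here is a constructed sample).
const PUBLIC_ORIGIN = 'https://api.example.com';

function resetPath(resetToken) {
  // encodeURIComponent keeps the path well-formed if the token ever
  // contains reserved characters.
  return `/api/v1/users/resetPassword/${encodeURIComponent(resetToken)}`;
}

// Option 2 from the thread: accept the Host header only when it is on the
// allowlist. Returns null for a missing or untrusted host so the caller can
// refuse to send the email (and log the attempt) instead of emitting a link.
function buildResetURL(req, resetToken, trustedHosts = TRUSTED_HOSTS) {
  const host = (req.get('host') || '').trim().toLowerCase();
  if (!trustedHosts.has(host)) {
    return null;
  }
  return `${req.protocol}://${host}${resetPath(resetToken)}`;
}

// Hard-coded variant: the request is not consulted at all.
function buildResetURLFixed(resetToken) {
  return `${PUBLIC_ORIGIN}${resetPath(resetToken)}`;
}

// Minimal stand-in for an Express request object (constructed for this
// example): exposes req.protocol and a header-lookup req.get(name).
function makeReq(host, protocol = 'https') {
  const headers = { host };
  return { protocol, get: (name) => headers[name.toLowerCase()] };
}

// Trusted host yields a link; an unexpected host yields null.
console.log(buildResetURL(makeReq('api.example.com'), 'abc123'));
console.log(buildResetURL(makeReq('evil.example.net'), 'abc123'));
console.log(buildResetURLFixed('abc123'));
```

When `buildResetURL` returns null the handler should respond with the same generic "if that account exists, an email was sent" message it uses on success, so the check does not become an account-enumeration oracle.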