Natours Tour Booking API Host Header Injection Vulnerability Leading to Account Takeover
Vulnerability
A vulnerability in the Natours Tour Booking API allows an attacker to take over any user account by supplying an attacker-controlled domain in the Host header of a request to the /forgetpassword endpoint. The application builds the password reset URL from the Host header, which is chosen by the client rather than the server, so the attacker's domain ends up in the reset link e-mailed to the victim. The vulnerability is present in version 0.0.1 of the Natours API.
Impact
Exploitation of this vulnerability allows unauthorized account takeover: an attacker who obtains a victim's password reset token can complete the reset and gain full access to the victim's account, without any interaction beyond the victim clicking a link that appears to come from the application.
Reproduction
To reproduce this vulnerability, send a password reset request for the victim's account to the /forgetpassword endpoint with the Host header set to an attacker-controlled domain. The application sends the victim a password reset e-mail whose link points at the injected domain instead of the legitimate one. When the victim clicks the link, the browser requests it from the attacker's server, delivering the reset token embedded in the URL; the attacker then uses that token to reset the victim's password and take over the account.
Remediation
The vulnerability has been fixed by constructing the password reset URL from a server-side environment variable that holds the application's canonical domain, rather than from the client-controlled Host header. This change has been implemented in the Natours GitHub repository. A reverse proxy in front of the application should also be configured to reject requests whose Host header does not match the expected hostname, so that a poisoned request never reaches the handler.
