Redirecting users to malicious websites via Host Header Poisoning
Report ID
#32105
Report type
Websites and Applications
Has PoC?
Yes
Target
Impacts
Redirecting users to malicious websites
Description
Hi Team,
I read the policy and saw that Beanstalk is interested in a vulnerability that can redirect the users to malicious websites.
Host Header Poisoning occurs when a web application uses the value of the Host header from an HTTP request without proper validation or sanitization. This vulnerability can lead to several security issues, including cache poisoning, password reset poisoning, and even web cache deception attacks.
Vulnerability Details
It was found that basin.exchange is not validating the Host header properly, which results in a Host Header Poisoning vulnerability that can redirect users to an external domain that is not under Beanstalk's control.
Impact Details
Malicious users can redirect the victim to external domains that are not controlled by Beanstalk.
References
https://portswigger.net/web-security/host-header
Proof of concept
Steps to reproduce:
1. Fire up the following curl command: curl -H "Host: www.x.com" -is basin.exchange -L
2. Observe that the server response is 302 Moved Permanently
3. Check that the final redirect Location is Location: https://www.twitter.com/
curl -H "Host: www.x.com" -is basin.exchange -L
HTTP/1.1 302 Moved Temporarily
Date: Sun, 09 Jun 2024 06:52:11 GMT
Content-Type: text/html
Content-Length: 143
Connection: keep-alive
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Location: https://www.twitter.com/
Set-Cookie: __cf_bm=LhE0ihsqG0WIAoBNytNQOQ9nzOOEVUwCrhVVXNOrdGI-1717915931-1.0.1.1-SjBH_0blHhzNGsGgNOVDlzw1Nedk2RfWCOtprGMo27KlA0O2e2BhoHGX591SBa_rKAsHwxiV9exvvh2g7oD7Fw; path=/; expires=Sun, 09-Jun-24 07:22:11 GMT; domain=.x.com; HttpOnly
Server: cloudflare
CF-RAY: 890f328ddb72bc4b-MNL
HTTP/2 301
perf: 7402827104
location: https://twitter.com/
cache-control: no-cache, no-store, max-age=0
content-length: 0
x-transaction-id: 87be57542fab1c9f
x-response-time: 91
x-connection-hash: 318cf73dff1db7ffa51664979e16c38afc7f9c9d6fa0eb137931a8e0b4a558da
date: Sun, 09 Jun 2024 06:52:12 GMT
server: tsa_m
HTTP/2 302
date: Sun, 09 Jun 2024 06:52:12 GMT
perf: 7402827104
vary: Accept
expiry: Tue, 31 Mar 1981 05:00:00 GMT
pragma: no-cache
server: tsa_m
location: https://x.com/
set-cookie: guest_id_marketing=v1%3A171791593243460435; Max-Age=63072000; Expires=Tue, 09 Jun 2026 06:52:12 GMT; Path=/; Domain=.twitter.com; Secure; SameSite=None
set-cookie: guest_id_ads=v1%3A171791593243460435; Max-Age=63072000; Expires=Tue, 09 Jun 2026 06:52:12 GMT; Path=/; Domain=.twitter.com; Secure; SameSite=None
set-cookie: personalization_id="v1_jFBbNXWoBr2roDRntwqhbA=="; Max-Age=63072000; Expires=Tue, 09 Jun 2026 06:52:12 GMT; Path=/; Domain=.twitter.com; Secure; SameSite=None
set-cookie: guest_id=v1%3A171791593243460435; Max-Age=63072000; Expires=Tue, 09 Jun 2026 06:52:12 GMT; Path=/; Domain=.twitter.com; Secure; SameSite=None
set-cookie: ct0=; Max-Age=-1717915931; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/; Domain=.twitter.com; Secure; SameSite=Lax
content-type: text/plain; charset=utf-8
x-powered-by: Express
cache-control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
last-modified: Sun, 09 Jun 2024 06:52:12 GMT
content-length: 36
x-frame-options: DENY
x-transaction-id: 8785e1f10a009662
x-xss-protection: 0
x-content-type-options: nosniff
content-security-policy: connect-src 'self' blob: https://api.x.ai https://api.x.com https://*.pscp.tv https://*.video.pscp.tv https://*.twimg.com https://api.twitter.com https://api.x.com https://api-stream.twitter.com https://api-stream.x.com https://ads-api.twitter.com https://ads-api.x.com https://aa.twitter.com https://aa.x.com https://caps.twitter.com https://caps.x.com https://pay.twitter.com https://pay.x.com https://sentry.io https://ton.twitter.com https://ton.x.com https://ton-staging.atla.twitter.com https://ton-staging.atla.x.com https://ton-staging.pdxa.twitter.com https://ton-staging.pdxa.x.com https://twitter.com https://x.com https://upload.twitter.com https://upload.x.com https://www.google-analytics.com https://accounts.google.com/gsi/status https://accounts.google.com/gsi/log https://checkoutshopper-live.adyen.com wss://*.pscp.tv https://vmap.snappytv.com https://vmapstage.snappytv.com https://vmaprel.snappytv.com https://vmap.grabyo.com https://dhdsnappytv-vh.akamaihd.net https://pdhdsnappytv-vh.akamaihd.net https://mdhdsnappytv-vh.akamaihd.net https://mdhdsnappytv-vh.akamaihd.net https://mpdhdsnappytv-vh.akamaihd.net https://mmdhdsnappytv-vh.akamaihd.net https://mdhdsnappytv-vh.akamaihd.net https://mpdhdsnappytv-vh.akamaihd.net https://mmdhdsnappytv-vh.akamaihd.net https://dwo3ckksxlb0v.cloudfront.net https://media.riffsy.com https://*.giphy.com https://media.tenor.com https://c.tenor.com ws://localhost:8008/v2/ipc https://ads-twitter.com https://analytics.twitter.com https://analytics.x.com ; default-src 'self'; form-action 'self' https://twitter.com https://*.twitter.com https://x.com https://*.x.com https://localhost.twitter.com:3443 https://localhost.x.com:3443; font-src 'self' https://*.twimg.com; frame-src 'self' https://twitter.com https://x.com https://mobile.twitter.com https://mobile.x.com https://pay.twitter.com https://pay.x.com https://cards-frame.twitter.com https://accounts.google.com/ https://client-api.arkoselabs.com/ 
https://iframe.arkoselabs.com/ https://vaultjs.apideck.com/ https://recaptcha.net/recaptcha/ https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; img-src 'self' blob: data: https://*.cdn.twitter.com https://*.cdn.x.com https://ton.twitter.com https://ton.x.com https://*.twimg.com https://analytics.twitter.com https://analytics.x.com https://cm.g.doubleclick.net https://www.google-analytics.com https://maps.googleapis.com https://www.periscope.tv https://www.pscp.tv https://ads-twitter.com https://ads-api.twitter.com https://ads-api.x.com https://media.riffsy.com https://*.giphy.com https://media.tenor.com https://c.tenor.com https://*.pscp.tv https://*.periscope.tv https://prod-periscope-profile.s3-us-west-2.amazonaws.com https://platform-lookaside.fbsbx.com https://scontent.xx.fbcdn.net https://scontent-sea1-1.xx.fbcdn.net https://*.googleusercontent.com https://t.co/1/i/adsct; manifest-src 'self'; media-src 'self' blob: https://twitter.com https://x.com https://*.twimg.com https://*.vine.co https://*.pscp.tv https://*.video.pscp.tv https://dhdsnappytv-vh.akamaihd.net https://pdhdsnappytv-vh.akamaihd.net https://mdhdsnappytv-vh.akamaihd.net https://mdhdsnappytv-vh.akamaihd.net https://mpdhdsnappytv-vh.akamaihd.net https://mmdhdsnappytv-vh.akamaihd.net https://mdhdsnappytv-vh.akamaihd.net https://mpdhdsnappytv-vh.akamaihd.net https://mmdhdsnappytv-vh.akamaihd.net https://dwo3ckksxlb0v.cloudfront.net; object-src 'none'; script-src 'self' 'unsafe-inline' https://*.twimg.com https://recaptcha.net/recaptcha/ https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://client-api.arkoselabs.com/ https://www.google-analytics.com https://twitter.com https://x.com https://accounts.google.com/gsi/client https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js https://www.gstatic.com/cast/sdk/libs/caf_receiver/v3/cast_receiver_framework.js https://static.ads-twitter.com 
'nonce-Y2YzZGE1YzYtMmYzNS00Yzc1LTgwMWItNmI1OGQ4ZGVhODEz'; style-src 'self' 'unsafe-inline' https://accounts.google.com/gsi/style https://*.twimg.com; worker-src 'self' blob:; report-uri https://twitter.com/i/csp_report?a=O5RXE%3D%3D%3D&ro=false
strict-transport-security: max-age=631138519
cross-origin-opener-policy: same-origin-allow-popups
cross-origin-embedder-policy: unsafe-none
x-response-time: 107
x-connection-hash: d4d42974ad2d5fa52e05314c60e9415ea2413a3d8bcb3bd07899647305f6d792
HTTP/2 200
date: Sun, 09 Jun 2024 06:52:12 GMT
perf: 7402827104
expiry: Tue, 31 Mar 1981 05:00:00 GMT
pragma: no-cache
server: tsa_m
set-cookie: guest_id_marketing=v1%3A171791593278201976; Max-Age=63072000; Expires=Tue, 09 Jun 2026 06:52:12 GMT; Path=/; Domain=.x.com; Secure; SameSite=None
set-cookie: guest_id_ads=v1%3A171791593278201976; Max-Age=63072000; Expires=Tue, 09 Jun 2026 06:52:12 GMT; Path=/; Domain=.x.com; Secure; SameSite=None
set-cookie: personalization_id="v1_Gqv2+ri5m1cLyrQsIYfbKg=="; Max-Age=63072000; Expires=Tue, 09 Jun 2026 06:52:12 GMT; Path=/; Domain=.x.com; Secure; SameSite=None
set-cookie: guest_id=v1%3A171791593278201976; Max-Age=63072000; Expires=Tue, 09 Jun 2026 06:52:12 GMT; Path=/; Domain=.x.com; Secure; SameSite=None
set-cookie: ct0=; Max-Age=-1717915931; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/; Domain=.x.com; Secure; SameSite=Lax
content-type: text/html; charset=utf-8
x-powered-by: Express
cache-control: no-store, max-age=0
last-modified: Sun, 09 Jun 2024 06:52:12 GMT
x-frame-options: DENY
x-transaction-id: 0060d015d902fc6a
x-xss-protection: 0
x-content-type-options: nosniff
content-security-policy: connect-src 'self' blob: https://api.x.ai https://api.x.com https://*.pscp.tv https://*.video.pscp.tv https://*.twimg.com https://api.twitter.com https://api.x.com https://api-stream.twitter.com https://api-stream.x.com https://ads-api.twitter.com https://ads-api.x.com https://aa.twitter.com https://aa.x.com https://caps.twitter.com https://caps.x.com https://pay.twitter.com https://pay.x.com https://sentry.io https://ton.twitter.com https://ton.x.com https://ton-staging.atla.twitter.com https://ton-staging.atla.x.com https://ton-staging.pdxa.twitter.com https://ton-staging.pdxa.x.com https://twitter.com https://x.com https://upload.twitter.com https://upload.x.com https://www.google-analytics.com https://accounts.google.com/gsi/status https://accounts.google.com/gsi/log https://checkoutshopper-live.adyen.com wss://*.pscp.tv https://vmap.snappytv.com https://vmapstage.snappytv.com https://vmaprel.snappytv.com https://vmap.grabyo.com https://dhdsnappytv-vh.akamaihd.net https://pdhdsnappytv-vh.akamaihd.net https://mdhdsnappytv-vh.akamaihd.net https://mdhdsnappytv-vh.akamaihd.net https://mpdhdsnappytv-vh.akamaihd.net https://mmdhdsnappytv-vh.akamaihd.net https://mdhdsnappytv-vh.akamaihd.net https://mpdhdsnappytv-vh.akamaihd.net https://mmdhdsnappytv-vh.akamaihd.net https://dwo3ckksxlb0v.cloudfront.net https://media.riffsy.com https://*.giphy.com https://media.tenor.com https://c.tenor.com ws://localhost:8008/v2/ipc https://ads-twitter.com https://analytics.twitter.com https://analytics.x.com ; default-src 'self'; form-action 'self' https://twitter.com https://*.twitter.com https://x.com https://*.x.com https://localhost.twitter.com:3443 https://localhost.x.com:3443; font-src 'self' https://*.twimg.com; frame-src 'self' https://twitter.com https://x.com https://mobile.twitter.com https://mobile.x.com https://pay.twitter.com https://pay.x.com https://cards-frame.twitter.com https://accounts.google.com/ https://client-api.arkoselabs.com/ 
https://iframe.arkoselabs.com/ https://vaultjs.apideck.com/ https://recaptcha.net/recaptcha/ https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; img-src 'self' blob: data: https://*.cdn.twitter.com https://*.cdn.x.com https://ton.twitter.com https://ton.x.com https://*.twimg.com https://analytics.twitter.com https://analytics.x.com https://cm.g.doubleclick.net https://www.google-analytics.com https://maps.googleapis.com https://www.periscope.tv https://www.pscp.tv https://ads-twitter.com https://ads-api.twitter.com https://ads-api.x.com https://media.riffsy.com https://*.giphy.com https://media.tenor.com https://c.tenor.com https://*.pscp.tv https://*.periscope.tv https://prod-periscope-profile.s3-us-west-2.amazonaws.com https://platform-lookaside.fbsbx.com https://scontent.xx.fbcdn.net https://scontent-sea1-1.xx.fbcdn.net https://*.googleusercontent.com https://t.co/1/i/adsct; manifest-src 'self'; media-src 'self' blob: https://twitter.com https://x.com https://*.twimg.com https://*.vine.co https://*.pscp.tv https://*.video.pscp.tv https://dhdsnappytv-vh.akamaihd.net https://pdhdsnappytv-vh.akamaihd.net https://mdhdsnappytv-vh.akamaihd.net https://mdhdsnappytv-vh.akamaihd.net https://mpdhdsnappytv-vh.akamaihd.net https://mmdhdsnappytv-vh.akamaihd.net https://mdhdsnappytv-vh.akamaihd.net https://mpdhdsnappytv-vh.akamaihd.net https://mmdhdsnappytv-vh.akamaihd.net https://dwo3ckksxlb0v.cloudfront.net; object-src 'none'; script-src 'self' 'unsafe-inline' https://*.twimg.com https://recaptcha.net/recaptcha/ https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://client-api.arkoselabs.com/ https://www.google-analytics.com https://twitter.com https://x.com https://accounts.google.com/gsi/client https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js https://www.gstatic.com/cast/sdk/libs/caf_receiver/v3/cast_receiver_framework.js https://static.ads-twitter.com 
'nonce-YTVkZDA5MGQtMTI3NS00M2QzLTllY2QtNzNkOTQ5NWJjNTA1'; style-src 'self' 'unsafe-inline' https://accounts.google.com/gsi/style https://*.twimg.com; worker-src 'self' blob:; report-uri https://twitter.com/i/csp_report?a=O5RXE%3D%3D%3D&ro=false
strict-transport-security: max-age=631138519
cross-origin-opener-policy: same-origin-allow-popups
cross-origin-embedder-policy: unsafe-none
x-response-time: 99
x-connection-hash: 10ee12a8ce577b9af5b0cd07b207a466c21bfe4a48de1483eafbf7da646d3cf7
<!DOCTYPE html>
<head>
<title>x.com</title>
<meta http-equiv="refresh" content="0; url = https://twitter.com/x/migrate?tok=7b2265223a222f222c2274223a313731373931353933327d0d611f67216d556c172d9da3a92d05b7" />
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0,viewport-fit=cover">
<link rel="preconnect" href="//abs.twimg.com">
<link rel="dns-prefetch" href="//abs.twimg.com">
<link rel="preconnect" href="//api.twitter.com">
<link rel="dns-prefetch" href="//api.twitter.com">
<link rel="preconnect" href="//api.x.com">
<link rel="dns-prefetch" href="//api.x.com">
<link rel="preconnect" href="//pbs.twimg.com">
<link rel="dns-prefetch" href="//pbs.twimg.com">
<link rel="preconnect" href="//t.co">
<link rel="dns-prefetch" href="//t.co">
<meta http-equiv="onion-location" content="https://twitter3e4tixl4xyajtrzo62zg5vztmjuricljdp2c5kshju4avyoid.onion/" />
<meta property="fb:app_id" content="2231777543" />
<meta content="X (formerly Twitter)" property="og:site_name" />
<meta name="google-site-verification" content="600dQ0pZYsH2xOFt4hYmf5f5NpjCbWE_qk5Y04dErYM" />
<meta name="facebook-domain-verification" content="x6sdcc8b5ju3bh8nbm59eswogvg6t1" />
<meta name="mobile-web-app-capable" content="yes" />
<meta name="apple-mobile-web-app-title" content="Twitter" />
<meta name="apple-mobile-web-app-status-bar-style" content="white" />
<link rel="search" type="application/opensearchdescription+xml" href="/opensearch.xml" title="Twitter"/>
<link rel="apple-touch-icon" sizes="192x192" href="https://abs.twimg.com/responsive-web/client-web/icon-ios.77d25eba.png" />
<meta name="twitter-site-verification" content="AUVDWo1JpbjI22xjTe5JOvTAWuW9bK41CpxYxCeCjH97mEVp7rtiHcvdOaUksJrG" />
<link rel="manifest" href="/manifest.json" crossorigin="use-credentials" />
<link rel="mask-icon" sizes="any" href="https://abs.twimg.com/responsive-web/client-web/icon-svg.ea5ff4aa.svg" color="#1D9BF0" />
<link rel="shortcut icon" href="https://abs.twimg.com/favicons/twitter-pip.3.ico" />
<meta name="theme-color" content="#000000" />
<script type="text/javascript" charset="utf-8" nonce="YTVkZDA5MGQtMTI3NS00M2QzLTllY2QtNzNkOTQ5NWJjNTA1">document.location = "https://twitter.com/x/migrate?tok=7b2265223a222f222c2274223a313731373931353933327d0d611f67216d556c172d9da3a92d05b7"</script>
</head>
<body style="background: #000">
</body>
</html>
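The fix the report's description points at is to validate the Host header against a fixed allowlist and to never copy it into an absolute URL. The following is an added example of that check; it is not code from the report, from basin.exchange or from Beanstalk, and every hostname, function name and the allowlist contents are constructed placeholders.

```python
"""Host-header allowlisting, written as an added example for the issue class the
report describes; it is not code from the report or from basin.exchange/Beanstalk.

The pattern a defender wants is:
  1. reject any request whose Host header is not on a fixed allowlist, and
  2. build every absolute URL (redirects, password-reset links) from a
     configured canonical host, never from the request.

All hostnames below are constructed placeholders."""

import re
from typing import Optional

# Constructed allowlist and canonical host; a real deployment loads these from config.
ALLOWED_HOSTS = frozenset({"app.example.test", "www.app.example.test"})
CANONICAL_HOST = "app.example.test"

# One or more DNS labels (letters, digits, hyphens; no leading/trailing hyphen),
# at most 253 characters in total. Anything else (paths, '@', spaces, IPv6
# literals, a trailing dot) is treated as not matching the allowlist.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$"
)


def normalize_host(host_header: Optional[str]) -> Optional[str]:
    """Return the lowercase hostname from a Host header value, or None if it is
    malformed. An explicit numeric port (Host: app.example.test:443) is allowed
    and dropped; the hostname itself must be a plain DNS name."""
    if host_header is None:
        return None
    host, sep, port = host_header.strip().lower().partition(":")
    if sep and not (port.isdigit() and 0 < int(port) < 65536):
        return None
    if not _HOSTNAME_RE.match(host):
        return None
    return host


def host_is_allowed(host_header: Optional[str], allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only when the normalized Host is an exact allowlist entry."""
    host = normalize_host(host_header)
    return host is not None and host in allowed_hosts


def unsafe_redirect_url(host_header: str, path: str) -> str:
    """The pattern the report warns about: the request's Host header is copied
    straight into an absolute URL, so the client controls the Location target."""
    return f"https://{host_header}{path}"


def safe_redirect_url(host_header: Optional[str], path: str,
                      allowed_hosts=ALLOWED_HOSTS,
                      canonical_host: str = CANONICAL_HOST) -> str:
    """Build a redirect target without trusting the request.

    Raises ValueError when the Host is not allowlisted (the request should be
    answered with 400, not served) or when `path` is not server-relative, so a
    value such as '//evil.example' cannot become a protocol-relative redirect.
    Even an allowlisted Host never reaches the output: the canonical host is
    used instead."""
    if not host_is_allowed(host_header, allowed_hosts):
        raise ValueError("untrusted Host header")
    if not path.startswith("/") or path.startswith("//") or "\\" in path:
        raise ValueError("redirect path must be server-relative")
    return f"https://{canonical_host}{path}"


if __name__ == "__main__":
    # Constructed sample Host values, as a server would see them.
    for hdr in ["www.app.example.test", "App.Example.Test:443", "attacker.example.test",
                "app.example.test@attacker.example.test", "app.example.test/x"]:
        print(f"{hdr!r:45} allowed={host_is_allowed(hdr)}")
```

The check rejects rather than sanitizes: a Host value that is not an exact allowlist entry after lowercasing and port removal gets no redirect at all, and the Location header is always built from the configured canonical host, so the value a client sends cannot appear in the response even when it passes the check. This is the same principle as checking the Host header at the front proxy; doing both is the usual defence-in-depth.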
Immunefi Response
Unfortunately, after reviewing your report, Immunefi has decided to close it due to the assessed impact being out of scope.
Immunefi review:
- The claimed impact "Redirecting users to malicious websites" by the whitehat is in the scope of the bug bounty program, but the assessed impact doesn't match the claimed impact for the following reasons.
- After the review, Triaging determined that the whitehat didn't provide enough information on how the described issue would be used to redirect users to a malicious website, as the issue highlights the modification of the HOST header of the request.
- The assessed asset by the triage team is in scope for the bug bounty program.
- A PoC has been submitted to the project.
Please note that the project will receive a report of the closed submission and may choose to re-open it, but they are not obligated to do so.