Hijacking accounts with host manipulation using collaborator

Kongsec
Feb 2, 2021


Hi everyone,

I am Aditya Shende (Kong) from India: a bounty hunter, biker and researcher.

This is my 2nd article. If you find any spelling errors, let them be…..

Account takeover via the Host header is a known method. If you don't know it, click here. I will start with my finding, and the important part is: this is not going to work on Akamai, CF (Cloudflare) or any WAF.

Hunt your targets | Hackers gonna hack.

So, as I always say, “Use the web as a normal user”. I was testing for open redirects and SSRF with the default method which I published in this. Can’t say Host-Header Injection………..

When I opened my target with the following, target.com.burp_collaborator.net/kongsec.php, it gave me an HTTP interaction in Collaborator with my IP only. I thought to check it on sensitive actions like sharing a URL, downloading private files and, obviously, password reset.

I received a mail like this:

Response which I got in Collaborator with the HTTP interaction.

So this leads to account takeover.

Steps to reproduce:

  1. Capture the password reset request
  2. Modify the Host header to: host.com.burplink.net
  3. Forward the request from Repeater
  4. The reset link arrives in the inbox; click on it. We’ll get the reset token
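The steps above show why a reset flow that builds its email link from the inbound Host header leaks the token. The following is an added example, not code from the original post or from any target it describes, showing the vulnerable link builder beside a common but insufficient prefix check and a hardened allow-list version, plus a small log scan that flags reset requests arriving with a non-allow-listed Host. All hostnames, the log line format and the IP addresses are constructed for illustration.

```python
"""Added example (not from the original post): how a password-reset flow
becomes vulnerable to Host header manipulation, and how to harden and detect it.
All hostnames, tokens and log lines below are constructed for illustration."""
import re
import secrets
from urllib.parse import urlsplit

# Constructed: the only hostnames this application legitimately serves.
ALLOWED_HOSTS = frozenset({"target.com", "www.target.com"})
CANONICAL_HOST = "target.com"


def build_reset_link_vulnerable(host_header: str, token: str) -> str:
    # Trusts the inbound Host header verbatim: a request carrying
    # Host: target.com.burp_collaborator.net produces a mail whose link
    # hands the token to whoever controls that host.
    return f"https://{host_header}/reset?token={token}"


def build_reset_link_naive(host_header: str, token: str) -> str:
    # A common but broken fix: prefix matching. "target.com.<anything>"
    # still passes because it starts with the legitimate name.
    host = host_header if host_header.startswith(CANONICAL_HOST) else CANONICAL_HOST
    return f"https://{host}/reset?token={token}"


def build_reset_link_hardened(host_header: str, token: str) -> str:
    # Exact allow-list match after stripping an optional port and trailing dot.
    # Anything else falls back to the configured canonical host: the Host
    # header is attacker-controlled input and must never decide where a
    # reset token is sent.
    host = host_header.split(":", 1)[0].lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        host = CANONICAL_HOST
    return f"https://{host}/reset?token={token}"


def link_leaks_token(link: str) -> bool:
    # True if the reset link points at a host the application does not own.
    return urlsplit(link).hostname not in ALLOWED_HOSTS


# Detection side: flag reset requests whose Host header is not allow-listed.
# The log line format is hypothetical.
LOG_RE = re.compile(r'^(?P<ip>\S+) POST (?P<path>\S+) host="(?P<host>[^"]+)"')


def suspicious_reset_requests(log_lines):
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("path") != "/reset-password":
            continue
        host = m.group("host").split(":", 1)[0].lower().rstrip(".")
        if host not in ALLOWED_HOSTS:
            hits.append((m.group("ip"), m.group("host")))
    return hits


# Constructed sample log lines.
SAMPLE_LOG = [
    '198.51.100.7 POST /reset-password host="target.com"',
    '198.51.100.8 POST /reset-password host="target.com.burp_collaborator.net"',
    '198.51.100.9 POST /login host="evil.example"',
    '198.51.100.10 POST /reset-password host="www.target.com:443"',
]

if __name__ == "__main__":
    token = secrets.token_urlsafe(16)
    evil = "target.com.burp_collaborator.net"
    builders = [
        ("vulnerable", build_reset_link_vulnerable),
        ("naive", build_reset_link_naive),
        ("hardened", build_reset_link_hardened),
    ]
    for name, fn in builders:
        link = fn(evil, token)
        print(f"{name:10s} leaks={link_leaks_token(link)} {link}")
    print(suspicious_reset_requests(SAMPLE_LOG))
```

The design point is that the fix is configuration, not input validation: the mail link is built from a host the application already knows, so the Host header cannot steer it. The log scan gives the defender a cheap signal for the same condition, including the case where the attacker-controlled host merely begins with the legitimate domain.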

Thanks for reading.

Hunters, after learning this method, on every program….

#kongsec | Solo Bounty Hunter | Function Exploits and Report Crafting | Bikes | Not a XSS guy | Own views | Bugcrowd Top 100 l Top 10 P1 warriors | Biker