Host header value for generating a password recovery link. If an application is vulnerable to
Host header poisoning, you can affect the link and specify your own domain name. As a result, if the victim follows the link from the email, the recovery token leaks to your domain.
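As an added example (not from the original notes), the hardened way to build the recovery link beside the vulnerable pattern: the link is derived from a server-side configured origin, and any request whose Host or X-Forwarded-Host is not allowlisted is rejected. The origin, endpoint path, header names and function names are assumptions.

```python
# Added example, not from the original notes. The origin, path and names are assumptions.
import secrets
from urllib.parse import urlencode

# Configured on the server; never derived from the incoming request.
CANONICAL_ORIGIN = "https://app.example.com"
ALLOWED_HOSTS = {"app.example.com"}


class HostNotAllowed(Exception):
    """Raised when Host (or X-Forwarded-Host) is not an expected value."""


def effective_host(headers: dict) -> str:
    # Reverse proxies may override Host via X-Forwarded-Host; check whichever applies.
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    return host.split(":", 1)[0].strip().lower()


def validate_host(headers: dict) -> str:
    host = effective_host(headers)
    if host not in ALLOWED_HOSTS:
        raise HostNotAllowed(host)
    return host


def build_recovery_link_unsafe(headers: dict, token: str) -> str:
    # Vulnerable pattern described in the notes: the link inherits the request host,
    # so a poisoned Host header sends the token to whatever domain the request names.
    return f"https://{effective_host(headers)}/reset?{urlencode({'token': token})}"


def build_recovery_link(headers: dict, token: str) -> str:
    # Hardened: validate the host, then build the link from the configured origin only.
    validate_host(headers)
    return f"{CANONICAL_ORIGIN}/reset?{urlencode({'token': token})}"


def new_token() -> str:
    # Recovery tokens should be unguessable; 32 random bytes, URL-safe encoded.
    return secrets.token_urlsafe(32)


# Constructed request headers: a legitimate request and one with a poisoned forwarded host.
GOOD_HEADERS = {"Host": "app.example.com"}
POISONED_HEADERS = {"Host": "app.example.com", "X-Forwarded-Host": "attacker-controlled.example"}
```

A request whose host fails the allowlist should be logged as well as rejected, since repeated mismatches are a cheap detection signal for this class of probing.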
Host header on your domain. Examples of vulnerable requests:
Host headers. Example of a vulnerable request:
Referer header allows a server to identify the page from which a user is visiting it. This data is used for analytics, logging, optimized caching, and more.
query string, and may not contain URL fragments (i.e.
username:password information. The request's referrer policy defines the data that can be included; see Referrer-Policy.
Referer header when requesting these resources, a one-time token is leaked to a third-party resource, since it is passed to the
/SessionCreate endpoint with the mobile phone number of a user
/SessionVerify endpoint with both the session token and the verification code received by SMS
/SessionCreate return the same session token as the first one until a call to
/SessionVerify, you can use
/SessionCreate endpoint to fetch a session token that will be valid after the victim's authentication.
sha256. Therefore, if an application does not restrict the length of passwords, this can be used for DoS: hashing very long passwords can be resource intensive.